Malicious PDF — malware analysis report

Static analysis result for SHA-256 3dda3994b1ca33e9…

MALICIOUS

PDF

139.1 KB Created: 2010-01-07 11:07:02 +08:00
MD5: e342c2df47724584350ac0839a2205a3 SHA-1: bd615704e56cbe341de6c7b9ae5a0e75fe0b79ac SHA-256: 3dda3994b1ca33e940074e92a32a43ef4c95d317d26a9f61cc23af7c91fac3fd
86 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains embedded JavaScript, identified by the PDF_JAVASCRIPT and PDF_JS heuristics. The critical CVE_2009_4324 heuristic indicates that the file exploits a known vulnerability in Adobe Reader related to the media.newPlayer API. This exploit likely leads to the execution of the embedded JavaScript, which is designed to download and execute a second-stage payload. The truncated document body and lack of clear textual lures suggest the primary attack vector is the exploit itself rather than social engineering.

Heuristics 5

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
legacy_pdfkit_stage_000.js
42c3f4df375ff6f58ff655cc4f88b5cc28f0dd33b978390db3538684a6219b74		 deobfuscated-js string-concatenation normalized Acrobat API aliases at offset 0x674 126 bytes
objstm_0026_00.bin
1927301306a8a9b7ed09f153bcb6dbe394efd284902831ca549fbd446c3a8d21		 pdf-objstm-decoded PDF /ObjStm 26 0 obj (inflated) 306 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.