PDF malware analysis — malicious · 3e273ce289ea524a

MALICIOUS

PDF

497.9 KB Created: 2021-08-05 11:48:07 +09:00

MD5: 17444da422495c6504d06c91ec068384 SHA-1: 2202bdb2e206635f18af2fd3c5a54333e264a919 SHA-256: 3e273ce289ea524a6dffbf3be51fdbb8eda608aa937d956455faaa1bdd438995

94 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 Command and Scripting Interpreter: PowerShell T1204.002 Malicious File: User Execution: Malicious File

The PDF document contains embedded JavaScript, which is obfuscated and likely intended to exploit CVE-2020-9715. The heuristic firings indicate the presence of JavaScript actions and embedded JS streams, along with a critical alert for a CVE-2020-9715 exploit. The deobfuscated JavaScript is a significant finding, suggesting the execution of a secondary payload.

Heuristics 6

dataObjects ESObject stale-cache trigger — CVE-2020-9715 critical CVE exact CVE_2020_9715

PDF embeds a file and JavaScript follows the CVE-2020-9715 ESObject use-after-free trigger shape: access this.dataObjects[], clear the dataObjects entry, schedule app.setTimeOut(), then re-access the Data ESObject through toString().
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0052_000.js` `3898d0491023322c6c13a4fde3ddec5b1e04a346ecc32f7e2c33af1299e6d8b1`	pdf-javascript-stream	PDF /JS object 52 at offset 0x670FB	341509 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
`custom_b64_stage_000.js` `abbfcc7c7af618a68f4486e2b7f7f7bce60a18cba7241299b4ccd9b9a2ea8aa4`	deobfuscated-js	custom Base64 decoded JavaScript layer 1 (PDF /JS object 52) at offset 0x675A7	255159 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s).
`font_00_sfnt_off00014f08.bin` `bddfb4c45a81f38bf22f598080c901088e8377b4da89f14aa7337c8ab4ac0f67`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14F08	101516 bytes
`font_01_sfnt_off0001ce34.bin` `bf072e81b3912b2a70a6dc008de28b5fc2e89b95b2b4bf5922498e0a485762bc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1CE34	87896 bytes
`font_02_sfnt_off00025f7c.bin` `677fbd89c80e49abef805aa545a971968124a0b13c9973dba50e41708e2a27be`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x25F7C	105564 bytes
`font_03_sfnt_off00031d70.bin` `9cde2b39a3c5a504c05d95977b00e3ca865b029dd5c47cf5dab68a7d1c2f8b08`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x31D70	364856 bytes
`font_04_sfnt_off00052f0c.bin` `16a1f372c96d0db355b169b39ebb264afe6a3573ae07338aef0b9a2d23d145d3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x52F0C	299660 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.