PDF malware analysis — malicious · 41232d5b265919b3

MALICIOUS

PDF

18.6 KB

MD5: 9311e03a0d27577472811a718a7a3612 SHA-1: 2453fe49b8b9254c9c9d082374c63d9d658f9cc8 SHA-256: 41232d5b265919b36a6672a6281a7101d8b074c4afb16226e0a7dc7467c42567

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link

The PDF contains obfuscated JavaScript that leverages the CVE-2009-0927 vulnerability (Collab.getIcon) to execute a second-stage payload. The JavaScript uses eval() and unescape() functions, indicating an attempt to hide malicious code. The extracted JavaScript streams and the critical heuristic firing confirm the exploit attempt.

Heuristics 5

Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `942e64a8fc0deb648b6b71c99048a5a68491178a87c86e6d357af7d3505ef137`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	3548 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111712_001.js` `4ecbd6d460a8a0fa1ba29ac121eef78e32ae75fee7d06d06dd043c7fdf97a0cd`	pdf-javascript-stream	PDF /JS object 111712 at offset 0xFA0	13452 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111713_002.js` `056b8993f5c18ee74a4ee82bff02be4763a29887ddf1d2f39b3135b1aa46caf2`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x4462	1501 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `9f6816d68d7172a2e1d33c9422652c23e96e2b5a8977aecd9d2446478e1dac70`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0xFA0	1526 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `1397a77c63e5e8be02a059fd3c671fb708b92cb64d00ded4f2045e71093dec16`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x4462	99 bytes
`legacy_pdfkit_stage_002.js` `8c3e73564fa39e16dd224b63df5e3d539c5b767124d831c4568762905b7ba1ff`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0xFA0	1626 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.