Malicious PDF — malware analysis report

Static analysis result for SHA-256 473f46da86e2fc83…

Verdict: MALICIOUS
File type: PDF
Size: 615.8 KB
Created: 2009-11-12 18:22:04 +00:00
Authoring application: PDFCreator Version 0.9.3 (UTF-16 /Creator string, decoded; via GPL Ghostscript 8.54)
MD5: e374f0625e05ae0ba01fb994a2027f92
SHA-1: d660ae437aa0224e0b6e0b64911072a4fabafd85
SHA-256: 473f46da86e2fc832a1e84f744f9077c334ad47343c8d4912fc99f55755f3cce
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.001 Malicious Link

The PDF file contains embedded JavaScript and triggers a critical heuristic for CVE-2009-0927, indicating an exploit targeting the Collab.getIcon function. This suggests the document is designed to deliver a malicious payload via JavaScript execution, likely leading to further compromise. No specific malware family was identified, but the exploit method is clear.

Heuristics (5)

  • Collab.getIcon — CVE-2009-0927 [critical] rule: CVE exact (CVE_2009_0927)
    PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument; it allows arbitrary code execution.
  • ClamAV: Pdf.Exploit.CVE_2009_0927-1 [critical] rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.CVE_2009_0927-1
  • JavaScript action [low] rule: PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] rule: PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL [info] rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (4)

Files carved from inside the sample during analysis (filename, kind, source, size, SHA-256).

  • stream_004_off000947ea.bin — decompressed-pdf-stream, 22784 bytes
    Source: PDF FlateDecoded stream at offset 0x947EA
    SHA-256: 20b24b840ff8f91a9e960755ffb715b579bc51ad7f224b8587045bfbcbce8c97
  • font_00_sfnt_off0008eb6a.bin — pdf-font-stream, 12728 bytes
    Source: PDF embedded font (sfnt) at offset 0x8EB6A
    SHA-256: 9981f77b5fb79b73130c5bf66f6441c465ead6202453844ebf22511eb64d3ae7
  • font_01_sfnt_off000903da.bin — pdf-font-stream, 38840 bytes
    Source: PDF embedded font (sfnt) at offset 0x903DA
    SHA-256: 3999bca22b6206c0edba2626f8cc4979dc30cf7f2e79e8a86f78abb8d02afcc3
  • font_03_sfnt_off000970dd.bin — pdf-font-stream, 19996 bytes
    Source: PDF embedded font (sfnt) at offset 0x970DD
    SHA-256: 5bf6a29c2c1f6ac1627483ef4c4e51eb23216c30a9c88b2d265ecb879d04816b