PDF malware analysis — malicious · 48ace107ba03dc85

MALICIOUS

PDF

17.2 KB

MD5: 7844406a5541a50007277898b21224a7 SHA-1: 79113292e8939453998150702a78b6e73faec1ec SHA-256: 48ace107ba03dc851fb028f3a52db478d9e3d97e1a48e1775db8a35592ffd34c

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link

The PDF sample exploits CVE-2009-4324 using obfuscated JavaScript. The JavaScript utilizes eval() and unescape() functions, indicating an attempt to hide malicious code. The primary intent appears to be downloading and executing a second-stage payload, as suggested by the heuristic firings and the presence of multiple deobfuscated JavaScript stages. No specific malware family could be confidently identified.

Heuristics 5

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `c4426d4cc177fc7fd929e95e0e45f1e00da4899aacd6f9d87c0eed05f45eda54`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	2967 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111712_001.js` `e0160c52ee34d29fd6ba7d0abb00f81654242d82b15beec5a5747ba06e30e94d`	pdf-javascript-stream	PDF /JS object 111712 at offset 0xD5B	11393 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111713_002.js` `d59102c2006bf11b327f6da0b82836d2c682399ffb40c0d4bf84778d293c6057`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x3A12	2692 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `14d9d23d619682a659b666d1537fbe47a8cc4db49b0c37d63714847d39b24a42`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0xD5B	1080 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `19c1ad89754b041ff8343d8d17651f5a5bf2f078d8ae8d7f721af33032d317f4`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x3A12	174 bytes
`legacy_pdfkit_stage_002.js` `9929d65c8cc36b3c1dd8936a058ab78dff909dcc43f6741ca5032a4ec68e331e`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0xD5B	1255 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.