Malicious PDF — malware analysis report

Static analysis result for SHA-256 4aefb57741071ab9…

MALICIOUS

PDF

132.5 KB
MD5: c368389e9749860824a6a36a4624b4d0 SHA-1: 969c08589bc7fdadab7492bdd60d11321d151a68 SHA-256: 4aefb57741071ab9074c5759d9eb43aecf32b968418a8c5e79b3c451feec6950
248 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.001 Malicious Link

The PDF file contains embedded JavaScript and exploits known vulnerabilities (CVE-2009-4324 and CVE-2007-5659) via its media.newPlayer and Collab.collectEmailInfo actions. The embedded JavaScript stream, named 'javascript_obj0022_000.js', is obfuscated and likely responsible for further malicious activity, such as downloading a second-stage payload. The presence of these exploits and obfuscated script strongly suggests a malicious intent.

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • Embedded PDF child has suspicious static findings critical PDF_EMBEDDED_CHILD_STATIC_TRIAGE
    PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Remote GoTo action info PDF_GOTO_REMOTE
    PDF has GoToR/GoToE actions that reference sibling document files — typical of multi-part document bundles
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0022_000.js
6595307c8f01bd0ae97c3d887de3d4dfcc3707dc2ded2dfd159354891a844121		 pdf-javascript-stream PDF /JS object 22 at offset 0x1791 4821 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 17 eval/decoder/string-building token(s).
font_00_cff_off00000761.bin
e49c7bfbfc818e2f3954d4ce70a2bc6318ccf9c1ef2ef63ca76cf26462f5efaf		 pdf-font-stream PDF embedded font (cff) at offset 0x761 321 bytes
font_01_cff_off00000949.bin
0db45283fafc3c1e8370dd30f58eb4eb6464083cb54cb4ab4ab9214e7e8b6dd7		 pdf-font-stream PDF embedded font (cff) at offset 0x949 2955 bytes
embedded_file_obj0005.bin
c5b524897e6777818b6a8927b8dcd671bdf33558aa82647c1e94f072fb5653c0		 pdf-embedded-file PDF EmbeddedFile object 5 at offset 0x1E1 164019 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.