PDF malware analysis — malicious · 4e14c14d91b01e52

MALICIOUS

PDF

18.7 KB

MD5: 00b4c80b523ea3ed8b7ab6a634111d34 SHA-1: f6286269270c843d450f77896af992bdd55071fc SHA-256: 4e14c14d91b01e5283aca79271b7a287226286c01627a19d8b2cc66afbe6e725

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link

The PDF file contains embedded JavaScript that leverages the CVE-2007-5659 vulnerability through the Collab.collectEmailInfo function. The JavaScript is heavily obfuscated but appears to be designed to download and execute a secondary payload. The presence of multiple obfuscated JavaScript streams and the specific exploit trigger strongly indicate a malicious intent to compromise the user's system.

Heuristics 5

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `7026f629ec4c3b8ec2f1e4910873376a79623e372887aa75ec411bfae29f601e`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	3830 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111712_001.js` `ec7d9f5ddac5d0fcceafb88e791efe9209f72e1a3a4d7f1c1731d58fb2ca715e`	pdf-javascript-stream	PDF /JS object 111712 at offset 0x10BA	13280 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111713_002.js` `a12115eed1bbe16709773da3f771fb2ee0ea62d3479f86996bfb42c4d1bcbc1b`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x44D0	1451 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `36bd87ebc950b1b70243646bfd5fc2624732265d7f43485a1eff7e0874eea475`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x10BA	1471 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `45f33a2b6011dbedaffbca7d7ed47c6f494a02676d7ebb603cee90d70a37c9b2`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x44D0	79 bytes
`legacy_pdfkit_stage_002.js` `dfa784b97260b5711fe9d2467851642c224c5f51165e886e518cd87f34e8a9ab`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0x10BA	1551 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.