Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fc753180ef418da…

MALICIOUS

PDF

5.4 KB Created: 2008-09-24 19:47:56 Authoring application: Adobe (via Notepad)
MD5: f40567f5d9365684056eacafd36d61d3 SHA-1: 5a658e8206764feb6b78ecb8fab6e41489e61c4a SHA-256: 4fc753180ef418dab02775418ba12a69b2657464dfeb15fc40bc970c3a80b9a6
328 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious File T1059.001 PowerShell

The PDF file contains embedded JavaScript that leverages multiple known Adobe Reader vulnerabilities, specifically CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The JavaScript is obfuscated and uses percent-placeholder decoding within the PDF's Info/Trailer object, a common technique for exploit kits targeting older PDF readers. The primary intent is to execute arbitrary code on the victim's system by exploiting these vulnerabilities.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js
ab0352f0157faa5136a7eca8c69c7cfb50435238cb17f13ab9b2bd470bf28ab4		 pdf-javascript-stream PDF /JS object 6 at offset 0x12F3 147 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
info_trailer_percent_stage_000.js
78f5e8881f6a20f6249663bc2af6076b01921893919ffef4b75bc63646f361a8		 deobfuscated-js Info /Trailer percent-placeholder decoded JavaScript (object 5, info object 9) at offset 0x136 2634 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.