PDF malware analysis — malicious · 529427115bb66016

MALICIOUS

PDF

1.8 KB

MD5: 2b8944a1ffd5ce13e0415e663a81f114 SHA-1: 9e00228b86dc91dc8df41530137628a1b9d241bb SHA-256: 529427115bb66016e4cd25310f616328b749e7693f6062f103d18467e7930e2a

106 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.007 JavaScript

The PDF file contains embedded JavaScript and utilizes ASCIIHexDecode and ASCII85Decode filters, indicating an attempt to obfuscate malicious content. The critical heuristic firing for CVE-2008-2992 (util.printf) strongly suggests exploitation of this vulnerability. The embedded JavaScript is likely responsible for executing the exploit payload.

Heuristics 5

util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85

ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0006_000.js` `83c8a5ec6859407c31b39b3125bcbb28518ebf6aab42b4fa693ae02f089c80b5`	pdf-javascript-stream	PDF /JS object 6 at offset 0x138	1333 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.