PDF malware analysis — malicious · 545b5be44080995b

MALICIOUS

PDF

24.9 KB

MD5: f58810a3c28b1279da3ef8c7b760805f SHA-1: cce2528747ea7411552fa7e688e4ee94a51038f4 SHA-256: 545b5be44080995b17732a9c8b6edc7da05be6a21d9e00fa64b960427956066f

148 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript that utilizes eval() and unescape() functions, indicative of obfuscated malicious code. The critical CVE_2009_0927 heuristic confirms the exploitation of a known Adobe Reader vulnerability. The embedded JavaScript is designed to download and execute a second-stage payload, as suggested by the ML_NYX_PDF_MALICIOUS classification and the presence of multiple extracted JavaScript files. The reconstructed string "javascript:eval(unescape(String.fromCharCode(...)))" highlights the obfuscation technique used to hide the malicious script's execution.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `a75d12c0728e0815fa5469eaf9ea851bd7bbeb9bf069cc548ecf4e10b0f32b30`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	4057 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111712_001.js` `96caf2ff3412b866159a057a3cc1f1c1af83b46be040a5dfa3bcea2144272fe7`	pdf-javascript-stream	PDF /JS object 111712 at offset 0x119D	19189 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111713_002.js` `3c74690af75f15150b95137d41d493f8c1a849925bb99dd7436f4af40e1980dd`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x5CC8	1647 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `a7bf9e8f3472d8e456111af54d3cbfd9bd06c7e59489254ed4481e1c4d057ace`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x119D	1520 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `18590bacef82b2e17f0070aa1be37cb8a00ff3e427357c6aa7340a60c6b14b7f`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x5CC8	104 bytes
`legacy_pdfkit_stage_002.js` `4d28bf2227fffbded5e93cfb87f9994cbf7e1eb31ec94a341dbcdbeb58226dd4`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0x119D	1625 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.