PDF malware analysis — malicious · 54ac57013a09265d

MALICIOUS

PDF

2.3 KB

MD5: e1a5aefa239f2e697e4eef5cb4cfa506 SHA-1: dcce2b90448d63f28a7a56f953e3694ce962ef12 SHA-256: 54ac57013a09265df41bccafc633277dfac6c39fa8a2f5912040ad5b72100f1d

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript T1204.002 Malicious File

The PDF file contains embedded JavaScript triggered by the OpenAction, exploiting CVE-2009-0927 and CVE-2008-2992. The JavaScript is obfuscated and uses eval(), indicating an attempt to download and execute a secondary payload. No specific family is identifiable from the available evidence.

Heuristics 7

Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
OpenAction trigger high PDF_OPENACTION

PDF has an /OpenAction — code runs automatically when opened
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0009_000.js` `fec7583c390fe2f5fc16629f2b75daf6e1885e118598207d44d552a02daad831`	pdf-javascript-stream	PDF /JS object 9 at offset 0xBC	20690 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_000.js` `96f2aea0e524e647b287b8963e803a687be75b7694423b0a0c219de9bb4bfbb0`	deobfuscated-js	split-join delimiter stripped JavaScript at offset 0x101	5657 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.