Malicious PDF — malware analysis report

Static analysis result for SHA-256 5624136af2e61519…

Verdict: MALICIOUS
File type: PDF
Size: 173.1 KB
MD5: b80c7432ffffe62b78e598bce5e24c67
SHA-1: 745231add892b467e9dddb7dd0885573404831f6
SHA-256: 5624136af2e61519703682ffdc1cf593685da02f98a647194cb69714054a3f6a
Risk score: 136

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF sample contains embedded JavaScript that is obfuscated and uses the unescape() function, indicating an attempt to hide malicious code. The critical heuristic firing for CVE-2009-4324 confirms the exploitation of a known vulnerability in Adobe Reader. The JavaScript likely serves as a downloader for a second-stage payload, although the exact download URL or payload could not be reconstructed due to obfuscation.

Heuristics (5)

  • media.newPlayer — CVE-2009-4324 [severity: critical; match: exact CVE; rule: CVE_2009_4324]
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • unescape() call [severity: high; rule: PDF_UNESCAPE]
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Suspicious extracted artifact [severity: medium; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

  • javascript_obj0008_000.js | pdf-javascript-stream | PDF /JS object 8 at offset 0x210 | 2960 bytes
    SHA-256: 104abfa089469e7333010a314b0b4e3d0e0ad037208c5e11ccf22f27256e0fc9
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 3 long hex-escaped blob(s).
  • legacy_pdfkit_stage_000.js | deobfuscated-js | string-concatenation normalized Acrobat API aliases at offset 0x210 | 126 bytes
    SHA-256: 42c3f4df375ff6f58ff655cc4f88b5cc28f0dd33b978390db3538684a6219b74