Malicious PDF — malware analysis report

Static analysis result for SHA-256 56591b171a11f8cd…

Verdict: MALICIOUS
File type: PDF
Size: 23.2 KB
MD5: 361a6cb2007eadd02b28768aad29df3b
SHA-1: ff01955e4e1b97bbd129fecd52f88cef553038b2
SHA-256: 56591b171a11f8cd63c37bf2493690791602c0f03f3824ad4951848c620008ec
Risk score: 118

Malware Insights

MITRE ATT&CK
  • T1059.001: PowerShell
  • T1204.001: Malicious Link

The PDF file contains embedded JavaScript that uses `eval()` and `unescape()` to deobfuscate and execute malicious code. The critical heuristic for CVE-2007-5659 indicates exploitation of a known Adobe Reader vulnerability in the `Collab.collectEmailInfo` function. The deobfuscated JavaScript likely downloads and executes a second-stage payload, a common initial-access technique.

Heuristics (5)

  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; rule: CVE_2007_5659, exact CVE match)
    PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
  • eval() call (severity: high; rule: PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

  • javascript_obj111711_000.js
    SHA-256: 475f7677f1d65e2d7d8199903753a347230ed3ab0f8155cf3744cfd2c28592fe
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111711 at offset 0x18E
    Size: 3073 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Notes: Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).

  • javascript_obj111712_001.js
    SHA-256: d89b842c9d3f2c5796ecca1206710d1a5e673f949a12fef765bf807cb48fa38e
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111712 at offset 0xDC5
    Size: 18610 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Notes: Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).

  • javascript_obj111713_002.js
    SHA-256: f007ae027502b68c5ce24bcbf72bd3031c1c9b5e34b66602f080e922eeea50c1
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111713 at offset 0x56AD
    Size: 1521 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Notes: Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).

  • legacy_pdfkit_stage_000.js
    SHA-256: 1937ba5e78213cfaa802fe00c9296f70e730f0fee8b9d952bd304b4b0465130b
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0xDC5
    Size: 17840 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Notes: Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

  • legacy_pdfkit_stage_001.js
    SHA-256: f7aca580e9a8d6e8ef2249337e9bb47ea1e9157c8ee2416c4f55e952016e6c75
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0xDC5
    Size: 17884 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Notes: Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 44 long base64-like blob(s).

  • legacy_pdfkit_stage_002.js
    SHA-256: 381db211f6bec3f7241bab9fd2124d77e4e18706806b1ac44cb861e1d29e1fa5
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0xDC5
    Size: 1477 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Notes: Carved artifact contains 3 eval/decoder/string-building token(s).

  • legacy_pdfkit_stage_003.js
    SHA-256: 76289ec7b9380ae26dabb02610580f30568c10f0b194fbe3d4d3fdc4fc7ed47c
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0x56AD
    Size: 84 bytes

  • legacy_pdfkit_stage_004.js
    SHA-256: 3a07167725e0a9b7dec4434bcb31c5a1fac0b701b18fbf7f1ca9ae50086106c1
    Kind: deobfuscated-js
    Source: multi-marker percent-array combined decoded JavaScript at offset 0xDC5
    Size: 1562 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Notes: Carved artifact contains 3 eval/decoder/string-building token(s).