Malicious PDF — malware analysis report

Static analysis result for SHA-256 58634a72e42f2ea3…

Verdict: MALICIOUS
File type: PDF
File size: 9.8 KB
MD5: 50bb2f7fd10864b50c0b70ce64730d6e
SHA-1: 2b9a7ce55f7e7b0f310a62b10b70ec55e163e205
SHA-256: 58634a72e42f2ea3de5bbdf5c1059c4e1701ae49f4a4b572ef2fae85caaeb34a
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File: User Execution
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains U3D content and embedded JavaScript, triggering critical heuristics for CVE-2011-2462, which involves a U3D parser exploit and JavaScript heap spray. The ML classifier strongly indicates maliciousness. The embedded JavaScript, particularly the unescape() call and the heap-spray JavaScript within the decompressed stream, is designed to exploit this vulnerability. This indicates the document's primary purpose is to leverage this exploit to compromise the user's system, likely by downloading and executing a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • Adobe Reader U3D parser exploit with JavaScript heap spray (severity: critical; CVE likely) [CVE_2011_2462_U3D_HEAPSPRAY]
    PDF combines U3D/3D annotation content with JavaScript heap-spray shellcode. Public CVE-2011-2462 exploit chains use a crafted U3D stream and JavaScript heap spray to control memory during Adobe Reader's U3D parser corruption.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (severity: high; CVE related) [PDF_U3D_CVE_RELATED]
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • unescape() call (severity: high) [PDF_UNESCAPE]
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
  • JavaScript action (severity: low) [PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low) [PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://twitter.com/feliam

Extracted artifacts 3

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • javascript_obj0005_000.js
    SHA-256: 90c70853178b4dfbe5aeb450bc9c83613bf38a945de76ebe1faf0f9fd5312150
    Kind: pdf-javascript-stream
    Source: PDF /JS object 5 at offset 0x178
    Size: 62 bytes
  • javascript_obj0010_001.js
    SHA-256: 6731a2f081381df2ebf060c225d4d3780f99662775ad76bbd937deae76aca1f4
    Kind: pdf-javascript-stream
    Source: PDF /JS object 10 at offset 0x59E
    Size: 3860 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building tokens)
  • u3d_00_off0000025c.bin
    SHA-256: f79e8522f672a31bcecc42ffcffba793e3187ecca4888cf754a1d82c3d5516a5
    Kind: pdf-3d-stream
    Source: PDF U3D 3D stream at offset 0x25C
    Size: 393 bytes