PDF malware analysis — malicious · 5a6403256c8a804b

MALICIOUS

PDF

2.0 KB

MD5: e48ef340ec01e552f85316443398e0ae SHA-1: 9746d8ecc0ec51172185de049c536a7427e0443d SHA-256: 5a6403256c8a804bbe9ba93e8034f054252a2d0c9419f5a14c8ec0b43ae49c24

106 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that attempts to exploit CVE-2009-4324 by calling the media.newPlayer function. The script performs a heap spray with a large, obfuscated payload, which is a common technique to prepare for arbitrary code execution. While the exact second-stage payload is not visible, the exploit and heap spray strongly indicate malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0005_000.js` `d5d66266962a415decc9de3315c181918edf46e115ce49621c16ede4e58210e5`	pdf-javascript-stream	PDF /JS object 5 at offset 0x124	1465 bytes
`javascript_obj0005_001.js` `f9898f8ab3eba9360b2888a645558f481a98544675d74a62198ecea8f433a9f4`	pdf-javascript-stream	PDF /JS object 5 at offset 0x124	88 bytes
`combined_document_js_000.js` `ad3edebb2709ff0e18fae5a28ce3fbdf856da5b74f883c5b8a9a8eebaf70d4b6`	deobfuscated-js	combined document JavaScript streams at offset 0x124	1554 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.