Malicious PDF — malware analysis report

Static analysis result for SHA-256 5bd587a4169e4c51…

Verdict: MALICIOUS
File type: PDF
Size: 884 B
MD5: cd303325c700ce0ed45e6e2953f2a32b
SHA-1: d9397b5dc54e0cb0f731f2298e676130ce00f400
SHA-256: 5bd587a4169e4c5131b31e11ef83aa10d0e24d5703c8cc8d2b90c622794e0805
Risk Score: 106

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF sample contains embedded JavaScript that attempts to exploit the CVE-2009-4324 vulnerability via the media.newPlayer function. This exploit is designed to achieve arbitrary code execution within the context of the PDF viewer. The ML classifier strongly indicates maliciousness, and the critical heuristic confirms the exploitation attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • media.newPlayer — CVE-2009-4324 [critical] (match: CVE exact; rule: CVE_2009_4324)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009.
  • JavaScript action [low] (rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] (rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (3)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • javascript_obj0005_000.js
    SHA-256: fd48ff6293c7ff4b636a99e30ecc9dd5f0de8801c933f3e4ad45b2156c4991e5
    Kind: pdf-javascript-stream; Source: PDF /JS object 5 at offset 0x117; Size: 356 bytes
  • javascript_obj0005_001.js
    SHA-256: d718cf0009ed5d38549ab8f71fcd15ba7ad0265dee5d3e680ff1e3be58f8f495
    Kind: pdf-javascript-stream; Source: PDF /JS object 5 at offset 0x117; Size: 43 bytes
  • combined_document_js_000.js
    SHA-256: 5f66637a80cb8b4f89f8c99dfcf59f82373c2d2b7170ca826c69c46efc37cf5b
    Kind: deobfuscated-js; Source: combined document JavaScript streams at offset 0x117; Size: 400 bytes