PDF malware analysis — malicious · 5c1289514a08a8e9

MALICIOUS

PDF

25.9 KB

MD5: 0df04b2557607e65446ec198257bf0eb SHA-1: 847c8bddbef9fc2ec2d30241b3ceaae0704559fb SHA-256: 5c1289514a08a8e9105f31fe5fa20c56d23029dcd19e0e05a517b22f788a3def

250 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file exploits CVE-2008-2992 using obfuscated JavaScript. The script contains a URL that is used to download a second-stage payload. The ML classifier strongly indicates maliciousness, and the presence of exploit-related heuristics confirms the attack pattern.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 8

util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL

Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://gospeltube.com/cache/.svn/.p/.l.php?l=1&spl=pdf_util_printf

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `2499de5f87b8eb0770749ab4311aa4153f302aa88a9f4a236ff758ed658291a0`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	4277 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111712_001.js` `08ba1525a4bca4fb933ba62c8a0491fd01272fcc255b116014494a29a7d481e8`	pdf-javascript-stream	PDF /JS object 111712 at offset 0x1279	17236 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
`javascript_obj111713_002.js` `78b80e37f761038a507f7f8d8564667d14a2a031198d150edf23906fc2d0355c`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x5603	4422 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111711_003.js` `4f927b98d21b75eca4d8045c413f4341be49b47b46ad5601e763b6a741b8ae6e`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x1B2	26091 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 16 long base64-like blob(s).
`javascript_obj111712_004.js` `89f51c410d021538f55fb87d14b41db1a9394b9134a2d8fdce389a19d7687f3f`	pdf-javascript-stream	PDF /JS object 111712 at offset 0x129D	21760 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 10 long base64-like blob(s).
`javascript_obj111713_005.js` `e48ca7721e86e877ae15b17195f36fa7d3d018d0e1e71dcff5b6fea8aca46142`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x5626	4471 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `104562b3ae8b2cc97dc13cceaa94dc1f4be03380ca5fdb0a0d6fad76e92661f5`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x1279	1418 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `2acf6e419a5818c5bf05954cbf30158ddefe2798283cc8f027cb9b7c43e26281`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x5603	385 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
`legacy_pdfkit_stage_002.js` `9da07732d619af0c1cd288fb345ad66076413b93f02879f7a1b94e5293bbbf67`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x1B2	1804 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
`legacy_pdfkit_stage_003.js` `dadb362aa7f676620504fa496537efa63f88c58013f49433a5dd9be8456c4d53`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0x1279	9410 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 15 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.