Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ea7a724d99fab3f…

MALICIOUS

PDF

703.9 KB Created: 2021-05-06 22:42:29
MD5: df2ea74328ad43c4225cb6c8aa56f340 SHA-1: 6d2676711e19b6f5565f873420fe8e1d9a39d005 SHA-256: 5ea7a724d99fab3f05f50dccd57db59451334ac8640c532d426df319dad55c9e
230 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF sample contains embedded JavaScript that leverages the CVE-2020-9715 vulnerability. The JavaScript code appears to be designed to manipulate memory and potentially load external code, indicated by the use of functions like `unescape()` and `String.fromCharCode()`, and the explicit mention of `kernel32.dll` and `VirtualProtect` in the script. This strongly suggests the PDF is a dropper for a secondary malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9681

Heuristics 11

  • dataObjects ESObject stale-cache trigger — CVE-2020-9715 critical CVE exact CVE_2020_9715
    PDF embeds a file and JavaScript follows the CVE-2020-9715 ESObject use-after-free trigger shape: access this.dataObjects[], clear the dataObjects entry, schedule app.setTimeOut(), then re-access the Data ESObject through toString().
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://adobereview.uservoice.com/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0508_000.js
c4a8060e2a254739a0951ff988785c715482042a379cf09b2a10399e94c85489		 pdf-javascript-stream PDF /JS object 508 at offset 0xA870F 10795 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
javascript_obj0530_001.js
8433dca28e2ce9876e690a6c9e5b9bbec7c8d08198b5135ae6f8b7552dfa63f6		 pdf-javascript-stream PDF /JS object 530 at offset 0xAABB0 6340 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_016_off000070d7.bin
c11cb8cfdf0f17b6f5f697110384d8318aa875573e0209135047cab5cb5dca38		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x70D7 1833651 bytes
stream_020_off000328bf.bin
893a859eca5401895aec6b5e6246124430c51c09df8f8b7ec9aedf153bddbac4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x328BF 1491369 bytes
stream_026_off00068651.bin
517710f00acc02ea3199ee20575c9310eb66683b3ba6e3533125ef3de44bc024		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x68651 1102248 bytes
stream_029_off00077fc9.bin
104d79a0db2565b1a19b2bc4e2f555d6d5f747d810412824404093e84b169adf		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x77FC9 154368 bytes
stream_068_off000ae67e.bin
72ea876d00e7a8e23d5d2d0d87a9a94a589bbd26af7df5bc778a42cf2b3a9bb5		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xAE67E 15612 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
font_00_cff_off00088e65.bin
48350d8ae3f4c835da67d173692f7f7b37cd7562c161a07612770888056393f5		 pdf-font-stream PDF embedded font (cff) at offset 0x88E65 7926 bytes
font_01_cff_off0008a7ed.bin
7fd9973dee0fb1d775fc88c42aa4d0066f3d843e6d95097419c6e27cae457647		 pdf-font-stream PDF embedded font (cff) at offset 0x8A7ED 2332 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.