Malicious PDF — malware analysis report

Static analysis result for SHA-256 60bb483be19410f1…

Verdict: MALICIOUS
File type: PDF
Size: 51.2 KB
MD5: 683120b21057cc6d8c42fb9ec09301fe
SHA-1: 28e014c2bc36d2adcf1758eca8203ac019672b46
SHA-256: 60bb483be19410f1f7ebf6ee56ebb9e66a426c51269d0a2ce61a20e2a2e09a09
Risk Score: 252

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF contains embedded JavaScript that exploits CVE-2009-4324, specifically targeting the 'media.newPlayer' functionality. The JavaScript is heavily obfuscated and appears to be a downloader or exploit stage, indicated by the 'generic stage recovery' heuristic. The primary goal is to execute arbitrary code via the exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (9)

  • media.newPlayer — CVE-2009-4324 (severity: critical; CVE exact; rule: CVE_2009_4324)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • unescape() call (severity: high; rule: PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits. (matched inside decoded stream)
  • Generic recovered JavaScript exploit stage (severity: high; rule: PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (10)

Files carved from inside the sample during analysis.

  • javascript_obj0057_000.js
    SHA-256: eae10c2d1846ed108dbd322fa8001738199732b4fe8b3355e360a1f3532eb5fd
    Kind: pdf-javascript-stream
    Source: PDF /JS object 57 at offset 0x551F
    Size: 2102 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
  • stream_005_off00000b74.bin
    SHA-256: e4217c167299ac63f64b8b7e903cc0196f0828693d273431b8b793a12ed0fed3
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xB74
    Size: 1000 bytes
  • generic_stage_recovery_000.js
    SHA-256: b93e8ecdf0788df91556b0fbf10c3e0d25f9728455da3a58133cd8dd2ff231ec
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize from JavaScript object 57 at offset 0x551F
    Size: 2099 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
  • generic_stage_recovery_001.js
    SHA-256: baa9e2c3862a7c99c7c545f4aea2ffda085566084afc904dc097ec99e78103f0
    Kind: deobfuscated-js
    Source: generic stage recovery percent-decode from JavaScript object 57 at offset 0x551F
    Size: 2098 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
  • generic_stage_recovery_002.js
    SHA-256: 6d7bd4a28343765f1a9af16b92e3902188564512a1e8a50df6c699f1af8d2c52
    Kind: deobfuscated-js
    Source: generic stage recovery marker-XX-to-%u from JavaScript object 57 at offset 0x551F
    Size: 1788 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
  • generic_stage_recovery_003.js
    SHA-256: 71fe503a96798dac812f6388728918a3fcdd0ce1abeea34bbe81fa4a153ba77a
    Kind: deobfuscated-js
    Source: generic stage recovery percent-decode from JavaScript object 57 at offset 0x551F
    Size: 1784 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
  • generic_stage_recovery_004.js
    SHA-256: 8791ba85121d7081f904c2e03c71c3403f45306ee69748bd581b9c6bc77898d3
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize -> percent-decode from JavaScript object 57 at offset 0x551F
    Size: 2095 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
  • generic_stage_recovery_005.js
    SHA-256: 3f4144e71a12a073af4d0726cd63c0d7d6767839057693c02b2f0f5594ba341b
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize -> marker-XX-to-%u from JavaScript object 57 at offset 0x551F
    Size: 1785 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
  • generic_stage_recovery_006.js
    SHA-256: 03dc9d848c40bd19d32af29ef00174f71f1df723e153060b1a8e0befe2b6370b
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize -> percent-decode from JavaScript object 57 at offset 0x551F
    Size: 1781 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
  • objstm_0053_00.bin
    SHA-256: f9797d0fa28384c30d8bf1da89163104ce539753e417fa1f9c5fd135d1eceb39
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 53 0 obj (inflated)
    Size: 50 bytes