Malicious PDF — malware analysis report

Static analysis result for SHA-256 62c7cbc735231d8d…

MALICIOUS

PDF

734.1 KB Created: 2010-06-29 10:30:35 +08:00 Authoring application: Adobe InDesign CS4 (6.0.3) (via Adobe PDF Library 9.0)
MD5: 2d3fb7ff25d04b8649caaf8be90639fb SHA-1: aa92e344334ce5d8c8d55063544cc8543abf30eb SHA-256: 62c7cbc735231d8d5ec72d94a8873028ca3eca629b02aa0e4710c4a5370e1c43
310 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that leverages the CVE-2009-4324 vulnerability through the media.newPlayer API. This JavaScript is obfuscated and likely intended to download and execute a secondary payload from a remote source. The presence of an external URI in the PDF further supports this, suggesting a download or redirection attempt.

Machine Learning

  • Nyx PDF Classifier clean score 0.0423

Heuristics 12

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.snm.org/index.cfm?PageID=8803&RPID=8729
    • http://www.kaiserhealthnews.org/Daily-Reports/2006/May/26/dr00037551.aspx?referrer=search
    • http://www.examiner.com/x-9303-Miami-Health-Care-Examiner~y2009m7d9-Critical-US-medical-radioisotope-shortage-sparks-Obama-administration-response
    • http://www.google.com/hostednews/canadianpress/article/ALeqM5ggxmsgnWbgGP_3RehY2sPHCSB15g
    • http://seekingalpha.com/article/71375-10-pharmaceutical-stocks-and-their-patent-expiration-drugs
    • http://www.theglobeandmail.com/news/politics/isotope-reactor-to-stay-idle-until-late-in-year/article1209745/
    • http://fsi.stanford.edu/events/a_costbenefit_analysis_of_the_use_of_radiofrequency_identification_rfid_technology_in_preventing_retention_of_surgical_sponges/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
    • http://ns.adobe.com/xmp/InDesign/private

Extracted artifacts 20

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00000392.bin
e700b55600fca7789c7fdd6e2727cad8644262a50e2d5da53526e3e06e5d68ff		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x392 4264 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s). Carved artifact contains 1 long hex-escaped blob(s).
stream_047_off0008701c.bin
0a89e325b39923b954f485ab4d1a686b603ca2a86145d016598edd8b133e68fd		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8701C 10481 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.44, consistent with packed or encrypted content.
stream_065_off000971f4.bin
51f984a3741ce03c5d7b88f4d418b97d4eb7587e26552c96a4d798c7bed4042d		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x971F4 5947 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
legacy_pdfkit_stage_000.js
42c3f4df375ff6f58ff655cc4f88b5cc28f0dd33b978390db3538684a6219b74		 deobfuscated-js string-concatenation normalized Acrobat API aliases at offset 0x392 126 bytes
objstm_0017_00.bin
dd7918c182d6e2b8d996a6b8ee81663c49a0cb297efe1e1fa3c5af0c987bde84		 pdf-objstm-decoded PDF /ObjStm 17 0 obj (inflated) 871 bytes
font_00_cff_off0001b8ae.bin
18c8fb16fcfb3fcaf30109ab6df393c82c7694530fc0f79efa9388723141d3ce		 pdf-font-stream PDF embedded font (cff) at offset 0x1B8AE 2904 bytes
font_01_cff_off0001dee5.bin
a7370bb32989f48529a99b08f0aee05c1db3d588d5d8e5dee782b4c48d41a643		 pdf-font-stream PDF embedded font (cff) at offset 0x1DEE5 4841 bytes
font_02_sfnt_off00083fe3.bin
81d5586a58c636cb5cacb27df08b409d58aa6026613d5396643502eb5a5cb75a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83FE3 4515 bytes
font_03_cff_off00084cc5.bin
cf75c71cd8131db3975d668067cbc4aa3a482099011e55655ec109469c6cc535		 pdf-font-stream PDF embedded font (cff) at offset 0x84CC5 3989 bytes
font_04_cff_off00085cec.bin
a4ec982ea93e715728aa841d5b1377273917b6bba9b4b8d839a5811388546032		 pdf-font-stream PDF embedded font (cff) at offset 0x85CEC 4448 bytes
font_06_sfnt_off000904b8.bin
3551c6f9593ecc949bae6d0cbe999149b3268c9081e4c5332d21ae0590ed16c0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x904B8 6140 bytes
font_07_cff_off00091939.bin
55946183a2c3ceecaecc2cea3960457bb5c667a823d88580a039b9a8d8509094		 pdf-font-stream PDF embedded font (cff) at offset 0x91939 1946 bytes
font_08_cff_off00091ffd.bin
d97d16b9216f41c3aa2f8609dee86c4f3cc898e9ea77355049298ffb9a464ee0		 pdf-font-stream PDF embedded font (cff) at offset 0x91FFD 4535 bytes
font_09_cff_off00093405.bin
fd7c438f0c1c136d60e3dad41e60027bf755125e3fb4d7d618daae07221e21ac		 pdf-font-stream PDF embedded font (cff) at offset 0x93405 551 bytes
font_10_cff_off00093636.bin
e6b32840905bbd6e8ca4ef48a09c19c8669082b6a52fe281ac8983904af36574		 pdf-font-stream PDF embedded font (cff) at offset 0x93636 3109 bytes
font_11_cff_off00094e90.bin
240bb80c62d75199cca42a43043879c85d2c53b320d6ffe0d87aff47b29f039e		 pdf-font-stream PDF embedded font (cff) at offset 0x94E90 6587 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.44, consistent with packed or encrypted content.
font_13_cff_off00098cda.bin
537756ffe89ae4143f748cd83f12a0b142ebfa991dda1d172fc410e927a3cc0c		 pdf-font-stream PDF embedded font (cff) at offset 0x98CDA 538 bytes
font_14_cff_off000990fb.bin
33293a4b1b0d6508862ee33d62f120d9acf32c87ee751873dd74b79ac52db32d		 pdf-font-stream PDF embedded font (cff) at offset 0x990FB 2359 bytes
polyglot_child_pdf_off0001a493.pdf
2e2f4ece0fcb0e8420b8e9571f76b4a08a84125a3a881d78dd7929796f836720		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x1A493 644039 bytes
polyglot_child_pdf_off000b606d.pdf
0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xB606D 6125 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.