PDF malware analysis — malicious · 649d78f918d8ff99

MALICIOUS

PDF

67.4 KB Created: 2010-06-29 10:14:47 +08:00 Authoring application: Acrobat 编辑器 8.0 (via Adobe Acrobat 8.0)

MD5: e20587249ae6daa327ab421658b3d9f3 SHA-1: 41b3427a8198b8755c2ae9cc93bccabc4f346fe7 SHA-256: 649d78f918d8ff99d809a5a3fcfd0a18b52460cc4d7ecca5292318038943c654

290 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The critical heuristic 'CVE_2009_4324' indicates the sample exploits a specific vulnerability in Adobe Reader related to the media.newPlayer API. The embedded JavaScript, though obfuscated, contains calls that are consistent with exploiting this vulnerability. The script's primary function appears to be downloading and executing a secondary payload, as suggested by the deobfuscated code snippet 'media.newPlayer(null);' and the overall exploit cluster findings.

Machine Learning

Nyx PDF Classifier malicious score 0.9986

Heuristics 9

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0021_000.js` `dd957791cf3ea91d9aa5ef655b3a1d6c4a92036e875c2437657f276955dab674`	pdf-javascript-stream	PDF /JS object 21 at offset 0x514	2371 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s). Carved artifact contains 1 long hex-escaped blob(s).
`stream_009_off0000cc74.bin` `9d7e19ac218e6f8728365073f89e3d1f12b424f876a74ba4ef022cb2a54a74ce`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xCC74	341 bytes
`legacy_pdfkit_stage_000.js` `42c3f4df375ff6f58ff655cc4f88b5cc28f0dd33b978390db3538684a6219b74`	deobfuscated-js	string-concatenation normalized Acrobat API aliases at offset 0x514	126 bytes
`polyglot_child_pdf_off0000b506.pdf` `b2dbf1b70f29b41da569667ecb933901cca9d7cf6129dc94ac8dfe455737ff8f`	polyglot-child-pdf	Secondary PDF body inside pdf container at offset 0xB506	22634 bytes
`polyglot_child_pdf_off0000f583.pdf` `0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8`	polyglot-child-pdf	Secondary PDF body inside pdf container at offset 0xF583	6125 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.