Malicious PDF — malware analysis report

Static analysis result for SHA-256 64dea4a04bc73b97…

MALICIOUS

PDF

684.2 KB Created: 2011-07-19 17:26:22 +08:00 Authoring application: WPS Office 个人版 (via PDFlib 7.0.3 (C++/Win32))
MD5: 2ab724a3f9ca311bb725a2f2bc1e43fd SHA-1: 8b3f8952578696a96d6f66d95d4713774e364edf SHA-256: 64dea4a04bc73b97338625b922598c8bfc6b5d6fac232ac88192c1ffbfc03dc1
250 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and exploits known vulnerabilities (CVE-2009-4324 and CVE-2008-2992) related to media player and printf functions. The embedded JavaScript, obfuscated but identifiable as JavaScript, is designed to download and execute a secondary payload. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6468

Heuristics 8

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js
3e4af067ab560c41caa0144d1e37e8b0e99031077a4043e050581c330ac19217		 pdf-javascript-stream PDF /JS object 6 at offset 0x12D 15946 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
font_00_sfnt_off000311ea.bin
57fd48b7f2d33ddf1b5efd4d6b0c2b590e544ab9309b5627d5b94c3f46281d70		 pdf-font-stream PDF embedded font (sfnt) at offset 0x311EA 327132 bytes
font_01_sfnt_off0004a5c1.bin
6332583cd1420bc3a2f89abfe70a059682d8ffb25c96a34fd2fdb383f629fee4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4A5C1 10776 bytes
font_02_sfnt_off0004ce20.bin
daac95dde9b9273fa99f1a8de60fd2ab87206cff725fbdd3af633d53956c9e77		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4CE20 320480 bytes
font_03_sfnt_off00060c1e.bin
18c00dbe751f41d79ec7f20774b489786f9003b32bdd831a733a4f35ac0a8499		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60C1E 57688 bytes
font_04_sfnt_off00069890.bin
c538c0d1bd085ecf6f7f6fd65941a1855cde0f01b528539ce070e61d47f71810		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69890 153332 bytes
font_05_sfnt_off000708f7.bin
62d8f97099b2b081a398afd4f07ea1c1179144a4c4bf93b693112715d3835d1b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x708F7 25492 bytes
font_06_sfnt_off000741c2.bin
504fe27aa79b5a5d069cb4ebf7a874f1e548f70e9a7970f9b400d18c10a21bfd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x741C2 286392 bytes
font_07_sfnt_off00083a77.bin
265dbb1a259044fbc7680470c21d014bb05f73ba0b3334f4dd311dd93b5e7f6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83A77 252008 bytes
font_08_sfnt_off000a4652.bin
fe7876637a84b36c7edfbf55e5b4990fabec1213cde30e0a89af93a664ee0829		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA4652 76116 bytes
polyglot_child_pdf_off00017217.pdf
fcbb7a76744832ab8deb5aac6e023f6fe4a0c2eadd06a7eb522acf4363e36338		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x17217 605925 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.