PDF malware analysis — malicious · 65059b2baca6ca2a

MALICIOUS

PDF

26.9 KB

MD5: 91c47350849a658b09e9febd2025c9f1 SHA-1: de647fde4ce2eb8f86b3bd2a648c6cad4bf733ff SHA-256: 65059b2baca6ca2af557bb5a2448c24c145851e5314584f00b0276abce102955

352 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that utilizes eval() and unescape() functions, indicative of exploit code. The heuristics strongly suggest exploitation of CVE-2009-4324 via the media.newPlayer method. The JavaScript appears to be designed to download and execute a secondary payload, a common technique for initial stage malware delivery.

Machine Learning

Nyx PDF Classifier malicious score 0.9980

Heuristics 11

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
ClamAV: Pdf.Exploit.Agent-20809 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-20809
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0052_000.js` `45fea71ee6347153ec3719ebc3910509cd6fa568f263c29e7474c694308f5c7d`	pdf-javascript-stream	PDF /JS object 52 at offset 0x3F4E	301 bytes
`javascript_obj0059_001.js` `28d6113dc29ef94de179a1345b6983a9d947da00c945e958d0554de4748a5164`	pdf-javascript-stream	PDF /JS object 59 at offset 0x6483	2612 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
`stream_005_off00000b74.bin` `e4217c167299ac63f64b8b7e903cc0196f0828693d273431b8b793a12ed0fed3`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xB74	1000 bytes
`generic_stage_recovery_000.js` `9386c3619dcf3abffde858874a5e2addc7b978e0fab02276372073d35a49ec7e`	deobfuscated-js	generic stage recovery split-literal-normalize from JavaScript object 59 at offset 0x6483	2603 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
`generic_stage_recovery_001.js` `41c086683794a69b4cf08a67b67fe1f8532e2dee0f9c252c8ea9af05b45a0043`	deobfuscated-js	generic stage recovery split-literal-normalize from combined JavaScript objects at offset 0x3F4E	2905 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
`generic_stage_recovery_002.js` `44be16306ab8eb4e46402a04d83620d6ec307426880c37d358161066d31b33bf`	deobfuscated-js	generic stage recovery null-collapse -> split-literal-normalize from combined JavaScript objects at offset 0x3F4E	2607 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
`objstm_0053_00.bin` `f9797d0fa28384c30d8bf1da89163104ce539753e417fa1f9c5fd135d1eceb39`	pdf-objstm-decoded	PDF /ObjStm 53 0 obj (inflated)	50 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.