MALICIOUS
106
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The sample is a PDF file that contains embedded JavaScript. Heuristics indicate the exploitation of CVE-2008-2992, which is a known vulnerability in Adobe Reader that allows for arbitrary code execution. The JavaScript code appears to be obfuscated but reconstructs a URL: http://www.wvsks.com/slb/afed.rx5, which is likely the location of a second-stage payload. The ML classifier also strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 3
-
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0006_000.js38c0ca580c0b6d2f7c9fb1f3380044571cff251146872fb7bce8f41515a39ff2 |
pdf-javascript-stream | PDF /JS object 6 at offset 0x138 | 1303 bytes |
javascript_obj0006_001.jsf5150433ed450e1b4dad224391a1b8f6c4cc9f275b3803d9cf160fd174646a0d |
pdf-javascript-stream | PDF /JS object 6 at offset 0x164 | 1532 bytes |
combined_document_js_000.js961c92b005d4d77eaf8f2171b1b905786e70761f1948abf277acdcc8ecfd1981 |
deobfuscated-js | combined document JavaScript streams at offset 0x138 | 2836 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.