PDF malware analysis — malicious · 65dfec586271f1da

MALICIOUS

PDF

1.5 KB

MD5: 5586993db7a80c71a86124c6b07f8e89 SHA-1: 0f98f507beae65348a99d033d7f309b4632b63d4 SHA-256: 65dfec586271f1da02bd7bda295bb844bd7a1b2dce210eaea094c56ea6a756a5

248 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript that exploits CVE-2009-4324 via the media.newPlayer method. The JavaScript is obfuscated and appears to be designed to download and execute a secondary payload. The critical heuristics for PDF JavaScript exploit and CVE-2009-4324 confirm this malicious behavior.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 7

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj1179811_000.js` `ffe744de31144afeb3266c99242f34e8c1e3fa18cd2563c7c4ff083cf8bc07d7`	pdf-javascript-stream	PDF /JS object 1179811 at offset 0x19A	187 bytes
`javascript_obj1179812_001.js` `420ed469631e35b0b3447743e1a37e364054761b69c30a2743d0034d68af0476`	pdf-javascript-stream	PDF /JS object 1179812 at offset 0x279	1960 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
`javascript_obj1179813_002.js` `2bd4d6829523f475a8633132c13798c25af61ce85d07aefcf0c4b54be8b9a10a`	pdf-javascript-stream	PDF /JS object 1179813 at offset 0x512	244 bytes
`generic_stage_recovery_000.js` `5a0eacd46cc1f353475e90992c11ff91c616411c0c552d0c46e8273a028b5a0e`	deobfuscated-js	generic stage recovery split-literal-normalize from combined JavaScript objects at offset 0x19A	2387 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
`combined_document_js_000.js` `b447357fece4efbcbd8563a67214fc94753ad5f242db6434604c7d4ff4f4218d`	deobfuscated-js	combined document JavaScript streams at offset 0x19A	2393 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.