PDF malware analysis — malicious · 6852c7732ccdee4f

MALICIOUS

PDF

22.6 KB

MD5: 446269f12b120e458aa268a00fd62dee SHA-1: 30adfa839ced505e44a0150af38021b5beb5545d SHA-256: 6852c7732ccdee4f4cd0b72500eecc934e39bcfec938998ba6a9aa1aef6b25b4

310 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file exploits the CVE-2009-0927 vulnerability using embedded JavaScript. The JavaScript is heavily obfuscated but ultimately attempts to download a shellcode payload from the URL http://gospeltube.com/cache/.svn/.p/.l.php?l=1&spl=pdf_collab_geticon. This indicates a downloader or dropper functionality.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 9

Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL

Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://gospeltube.com/cache/.svn/.p/.l.php?l=1&spl=pdf_collab_geticon

Extracted artifacts 11

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `a05199f8bd3c741df1110197d92cb1678bff33156a36f7dd091e6fd97e241e4a`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	3574 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111712_001.js` `0da88aeb172b24d1610e492a3b9485ba319ed7ab4264d84f2ba364e89116fca0`	pdf-javascript-stream	PDF /JS object 111712 at offset 0xFBA	17163 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111713_002.js` `75d6dab3fbe2bc237c85739d9ac1b82a7ef56b158cc540a75290e61f22890fdf`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x52FB	1768 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111711_003.js` `dc61822e1814e71d47fdc68c190eb90c23aaea2dee81647bde154afe6f523590`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x1B2	22660 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 17 long base64-like blob(s).
`javascript_obj111712_004.js` `1a2c150b49614a25bfefa7989481d82eee2370fec4d8aea5babd8f837d08c76b`	pdf-javascript-stream	PDF /JS object 111712 at offset 0xFDE	19032 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 11 long base64-like blob(s).
`javascript_obj111713_005.js` `36d05eec9e005e76b67cd9fa7ef6f61318e5574240cb416ddf8989514cefb324`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x531D	1817 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `ad7f6e56bb83c96408f70ad3c7b6dcb8ef44d3a72f43177c703f7fe519a223e2`	deobfuscated-js	double percent-decoded annotation JavaScript at offset 0xFBA	16579 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 50 long base64-like blob(s).
`legacy_pdfkit_stage_001.js` `1be7d9024ecc36e034a1e711418ed691a42197a80fe0bfbba69122eea23e6a1d`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0xFBA	1525 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_002.js` `407624ceb11bdfcccd03817d5cc6229f3a3f8dfc15051e1567d07f2b81bcede8`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x52FB	100 bytes
`legacy_pdfkit_stage_003.js` `7f0572e35a095dd726fd564fe641a14223807cc9876b5e663d00f1e993fcd919`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x1B2	1626 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_004.js` `930e3095f06690e68588bc5f3f69f97442bda00620cdffe233ee2a0f330201ea`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0xFBA	8235 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 15 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.