MALICIOUS
Risk Score: 132

Machine Learning
- Nyx PDF Classifier clean score 0.0001

Heuristics (5)
- Adobe Reader JavaScript heap-spray exploit (known CVE family) [critical] PDF_JS_KNOWN_CVE_HEAPSPRAY_FAMILY: PDF JavaScript combines heap-spray staging (NOP-sled / shellcode nybble sled or a multi-kilobyte setTimeOut/setInterval launcher) with the removed Adobe Reader sink media.newPlayer, associated with CVE-2009-4324. Benign documents never pair heap-spray with these long-removed APIs. The exact malformed argument is assembled at run time, so this attributes the exploit to a known pre-2011 Reader CVE family rather than the exact primitive.
- Obfuscated multi-stage PDF JavaScript heap-spray exploit [critical] PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY: PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
- Embedded JS stream [low] PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (5)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| stream_006_off0002d953.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2D953 | 2369 bytes | 5297c533ea95edffef02e5079729f2bf1503c1701957138e0973813fa92cda7d | | |
| stream_023_off00041751.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x41751 | 25286 bytes | e77d167308d21529a743dd87320d4c0362d2eb7bbe76ed4002101bf8dab17524 | No threats found | likely (carved artifact entropy is 7.93, consistent with packed or encrypted content) |
| font_00_type1_off0003d489.bin | pdf-font-stream | PDF embedded font (type1) at offset 0x3D489 | 17505 bytes | 764fc19b8d1aaa251e84a0f57d252b439f05b61fa55aecb72d3a288ff73ed598 | No threats found | likely (carved artifact entropy is 7.91, consistent with packed or encrypted content) |
| font_02_type1_off0004780c.bin | pdf-font-stream | PDF embedded font (type1) at offset 0x4780C | 7432 bytes | 4fe7537bfe726907a10d06933f1f6dfdc5b9be3eacbef4c7a2f0b8c31ab420f2 | No threats found | likely (carved artifact entropy is 7.84, consistent with packed or encrypted content) |
| font_03_type1_off000494b0.bin | pdf-font-stream | PDF embedded font (type1) at offset 0x494B0 | 22416 bytes | dac357c771432c350a7f3c37f71a554a3ffa5a6ea6fc8a886088fbebfc0bbe98 | No threats found | likely (carved artifact entropy is 7.91, consistent with packed or encrypted content) |