Malicious PDF — malware analysis report

Static analysis result for SHA-256 695908ecf4ab84d5…

Verdict: MALICIOUS
File type: PDF
Size: 317.8 KB
Created: 2011-03-13 18:16:30 -05:00
Authoring application: TeX (via pdfTeX-1.40.10)
First seen: 2026-05-07
MD5: 184513fcc83be29243f55e1504ad1a2c
SHA-1: 13a20a0a8b59c500abd98ddaad5039851b8c7ae7
SHA-256: 695908ecf4ab84d53d51d72e5843410a0c6292eedb697dd8693153250541f1d7
Risk score: 132

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (5)

  • Adobe Reader JavaScript heap-spray exploit (known CVE family) [critical; CVE related] PDF_JS_KNOWN_CVE_HEAPSPRAY_FAMILY
    The PDF JavaScript combines heap-spray staging (a NOP sled or shellcode nybble sled, or a multi-kilobyte string handed to setTimeOut/setInterval as a launcher) with the removed Adobe Reader sink media.newPlayer, associated with CVE-2009-4324. Benign documents have no reason to pair heap-spray staging with a long-removed API. Because the malformed argument is assembled at run time, this rule attributes the exploit to a known pre-2011 Reader CVE family rather than to the exact corruption primitive.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit [critical; CVE related] PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    The PDF JavaScript is hidden behind nested stream filters and/or a custom in-script decoder (a rolling-XOR stager) and decodes to a heap spray or ROP chain. The spray becomes visible only after those layers are unwound, which is why rules that look for a heap spray in the raw stream miss it. This is classified as an obfuscated multi-stage Adobe Reader JavaScript exploit; a dropped Windows payload, where one is present (often labelled Win.Trojan.Agent by signature AV), is the second stage, not the delivery mechanism.
  • Embedded JS stream [low] PDF_JS
    The PDF references a /JS stream (matched inside a decoded stream). Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel that reached it (macro, JS, link annotation, document body, ...), given per URL. Every URL below was found in the PDF document text and none was reached from a JavaScript or link-annotation channel. They point to published PDF-malware analysis resources (malwaretracker, jsunpack, Didier Stevens' pdf-tools, contagiodump, the Wikipedia article on heap spraying); the last two (www.ams.org, scripts.sil.org/OFL) are typical of the licence notices carried by embedded TeX fonts. Together with the pdfTeX authoring application and the 2011 creation date, this is consistent with a document that reproduces exploit JavaScript as its subject matter, so confirm whether the /JS stream is actually wired to an /OpenAction or /AA entry before treating the verdict as a live exploit. URLs are listed exactly as extracted, including truncated ones (trailing "%" or "=") and the doubled scheme on the dsecrg.com entry.
    URLs (channel: PDF document text)
    • http://www.malwaretracker.com/shellcode.php
    • http://jsunpack.jeek.org/dec/go
    • https://www.issa.org/Library/Journals/2010/July/Stevens-Malicious%20PDF%
    • http://blog.didierstevens.com/programs/pdf-tools/
    • http://web17.webbpro.de/index.php?page=analysing-the-pdf-exploit
    • http://www.hexblog.com/?p=110
    • http://www.malwaretracker.com/pdfthreat.php
    • http://http://dsecrg.com/files/pub/pdf/HITB%20-%20JIT-Spray%20Attacks%20and%
    • http://jsunpack-n.googlecode.com/svn/trunk/
    • http://www.symantec.com/connect/blogs/adobe-patches-vulnerabilities
    • http://www.sans.org/security-resources/malwarefaq/pidief.php
    • http://threatinfo.trendmicro.com/vinfo/articles/securityarticles.asp?xmlfile=
    • http://contagiodump.blogspot.com/
    • http://contagiodump.blogspot.com/2010/08/malicious-documents-archive-for.html
    • http://en.wikipedia.org/wiki/Heap_spraying
    • http://www.ams.org
    • http://scripts.sil.org/OFL
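The two critical heuristics above describe a layered check: peel the FlateDecode filter and any in-script rolling-XOR stager, then look for heap-spray staging paired with a removed Reader API. The Python below is an added example of that logic, not the analysis engine's code and not material recovered from this sample. The stager shape (var k=0x..; var p="<hex>"), the constructed scripts, the 32-unit sled and 2 KiB timer thresholds, and the verdict ladder are assumptions; the sink-to-CVE pairs are the publicly documented ones, with media.newPlayer / CVE-2009-4324 taken from the report.

```python
"""PDF JavaScript triage: unwind FlateDecode and an in-script rolling-XOR
stager, then score the decoded layers for heap-spray staging paired with a
removed Adobe Reader API. Added example, not the analysis engine's code.
Assumptions: the stager shape below, the constructed sample scripts, the
32-unit sled and 2 KiB timer thresholds, and the verdict ladder."""
import re
import zlib

# Reader JavaScript APIs removed after their exploitation, with the CVE
# each is associated with (media.newPlayer is the one named in the report).
REMOVED_SINKS = {
    "media.newPlayer": "CVE-2009-4324",
    "util.printf": "CVE-2008-2992",
    "Collab.getIcon": "CVE-2009-0927",
    "Collab.collectEmailInfo": "CVE-2007-5659",
}

# One %uXXXX unit repeated 32+ times back to back: a NOP or nybble sled.
SLED_RE = re.compile(r"(%u[0-9a-fA-F]{4})(?:\1){31,}")
# setTimeOut/setInterval whose first argument is a multi-kilobyte string.
TIMER_RE = re.compile(
    r"(?:app\.)?setTime(?:Out|Interval)\s*\(\s*([\"'])(?P<body>.{2048,}?)\1", re.S)
# Hypothetical stager: one-byte seed plus a hex blob, decoded below.
STAGER_RE = re.compile(r"var k=(0x[0-9a-fA-F]{2});var p=\"([0-9a-fA-F]+)\"")


def rolling_xor_decode(hexblob: str, seed: int) -> str:
    """XOR each byte with a key that is advanced by the plaintext byte just
    recovered, so a wrong seed derails every later byte."""
    out, k = bytearray(), seed
    for cipher in bytes.fromhex(hexblob):
        plain = cipher ^ k
        out.append(plain)
        k = (k + plain) & 0xFF
    return out.decode("latin-1")


def rolling_xor_encode(plain: str, seed: int) -> str:
    """Inverse of the decoder; used only to build the constructed sample."""
    out, k = bytearray(), seed
    for b in plain.encode("latin-1"):
        out.append(b ^ k)
        k = (k + b) & 0xFF
    return out.hex()


def unwind(stream: bytes, max_layers: int = 8) -> list:
    """Return every script layer: the (inflated) stream, then each stage the
    embedded stager would have produced at run time."""
    if stream[:1] == b"\x78":  # zlib header: the /JS stream was FlateDecode'd
        stream = zlib.decompress(stream)
    layers = [stream.decode("latin-1")]
    while len(layers) < max_layers:
        m = STAGER_RE.search(layers[-1])
        if not m:
            break
        layers.append(rolling_xor_decode(m.group(2), int(m.group(1), 16)))
    return layers


def score(stream: bytes) -> dict:
    """Score all layers together: spray staging plus a removed sink is the
    pairing the report's critical rules key on."""
    layers = unwind(stream)
    text = "\n".join(layers)
    sled = SLED_RE.search(text) is not None
    timer = TIMER_RE.search(text) is not None
    sinks = {api: cve for api, cve in REMOVED_SINKS.items() if api in text}
    spray = sled or timer
    verdict = ("critical" if spray and sinks else "high" if spray
               else "medium" if sinks else "low")
    return {"layers": len(layers), "sled": sled, "timer": timer,
            "sinks": sinks, "verdict": verdict}


# Constructed samples, not material from the analysed document.
BENIGN_FORM_JS = (b'var t = this.getField("Qty").value * this.getField("Price").value;\n'
                  b'this.getField("Total").value = t;\n')
STAGE2 = ('var sled = unescape("' + "%u9090" * 48 + '");\n'
          'var spray = []; for (var i = 0; i < 256; i++) spray[i] = sled + i;\n'
          'media.newPlayer(o);  // argument assembly omitted\n')
STAGER = ('var k=0x5a;var p="' + rolling_xor_encode(STAGE2, 0x5A) + '";var o="";'
          'for(var i=0;i<p.length;i+=2){var b=parseInt(p.substr(i,2),16)^k;'
          'o+=String.fromCharCode(b);k=(k+b)&0xff;}eval(o);')
OBFUSCATED_STREAM = zlib.compress(STAGER.encode("latin-1"))

if __name__ == "__main__":
    for name, blob in (("benign form", BENIGN_FORM_JS), ("obfuscated", OBFUSCATED_STREAM)):
        print(name, score(blob))
```

Run directly, it prints "low" for the form script and "critical" for the compressed stager, whose spray and sink only appear in the second layer. The scorer matches the API name alone, which is exactly why the rule attributes to a CVE family: the run-time-assembled argument is not needed for attribution, only for the exact primitive.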

Extracted artifacts (5)

Files carved from inside the sample during analysis. Entropy is given in bits per byte (maximum 8.0). Three of the five artifacts are embedded Type 1 fonts: a Type 1 font program's private portion is eexec-encrypted, so entropy close to 8.0 is expected for such a stream and is not by itself evidence of a packed payload. The only non-font artifact flagged on entropy is stream_023 (25286 bytes); stream_006 (.js) is the decoded JavaScript stream the heuristics above refer to.

stream_006_off0002d953.js
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x2D953
  Size: 2369 bytes
  SHA-256: 5297c533ea95edffef02e5079729f2bf1503c1701957138e0973813fa92cda7d

stream_023_off00041751.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x41751
  Size: 25286 bytes
  SHA-256: e77d167308d21529a743dd87320d4c0362d2eb7bbe76ed4002101bf8dab17524
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.93 bits/byte, consistent with packed or encrypted content)

font_00_type1_off0003d489.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x3D489
  Size: 17505 bytes
  SHA-256: 764fc19b8d1aaa251e84a0f57d252b439f05b61fa55aecb72d3a288ff73ed598
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.91 bits/byte, consistent with packed or encrypted content; expected for an eexec-encrypted Type 1 font)

font_02_type1_off0004780c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x4780C
  Size: 7432 bytes
  SHA-256: 4fe7537bfe726907a10d06933f1f6dfdc5b9be3eacbef4c7a2f0b8c31ab420f2
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.84 bits/byte, consistent with packed or encrypted content; expected for an eexec-encrypted Type 1 font)

font_03_type1_off000494b0.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (type1) at offset 0x494B0
  Size: 22416 bytes
  SHA-256: dac357c771432c350a7f3c37f71a554a3ffa5a6ea6fc8a886088fbebfc0bbe98
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.91 bits/byte, consistent with packed or encrypted content; expected for an eexec-encrypted Type 1 font)
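The per-artifact entropy flags above treat every decoded stream alike, which is why the three Type 1 fonts score like packed data. The Python below is an added example, not the engine's carving code: it builds a minimal PDF inline (constructed; no xref table), carves each stream by its declared /Length, inflates FlateDecode bodies, measures entropy on the decoded bytes, and, when the stream dictionary carries /Length2 (the marker of a Type 1 FontFile), reports the eexec-encrypted span as expected high entropy instead of as a payload. The eexec routine is the real Type 1 cipher; the font contents, the form script and the 7.0 bits/byte threshold are assumptions.

```python
"""Carve FlateDecode streams from a PDF, inflate them, and measure entropy
on the decoded bytes, treating a Type 1 font program's eexec-encrypted
portion as the expected high-entropy case rather than as packed payload.
Added example, not the analysis engine's code. The PDF, the font contents,
the form script and the 7.0 threshold are constructed assumptions."""
import math
import re
import zlib

C1, C2 = 52845, 22719  # eexec constants from the Adobe Type 1 Font Format


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def eexec_encrypt(plain: bytes, r: int = 55665) -> bytes:
    """Type 1 eexec encryption. The four leading bytes a font compiler would
    randomise are fixed to zero here so the example is reproducible."""
    out = bytearray()
    for p in b"\x00\x00\x00\x00" + plain:
        c = p ^ (r >> 8)
        out.append(c)
        r = ((c + r) * C1 + C2) & 0xFFFF
    return bytes(out)


OBJ_RE = re.compile(rb"(\d+) 0 obj\s*<<(?P<dict>.*?)>>\s*stream\r?\n", re.S)


def carve_streams(pdf: bytes) -> list:
    """Locate stream objects and slice each body by its declared /Length,
    then skip past the body so binary contents are never parsed as syntax."""
    found, pos = [], 0
    while (m := OBJ_RE.search(pdf, pos)):
        d = m.group("dict")
        lm = re.search(rb"/Length\s+(\d+)", d)
        if not lm:
            pos = m.end()
            continue
        start, n = m.end(), int(lm.group(1))
        found.append({"obj": int(m.group(1)), "offset": m.start(),
                      "dict": d.decode("latin-1"), "raw": pdf[start:start + n]})
        pos = start + n
    return found


def triage(pdf: bytes, threshold: float = 7.0) -> list:
    """Inflate FlateDecode streams and score entropy on the decoded bytes.
    A Type 1 FontFile (dictionary carries /Length2) has Length2 bytes of
    eexec ciphertext, so high entropy there is expected, not a payload."""
    results = []
    for s in carve_streams(pdf):
        d = s["dict"]
        data = zlib.decompress(s["raw"]) if "/FlateDecode" in d else s["raw"]
        row = {"obj": s["obj"], "offset": s["offset"], "decoded_len": len(data),
               "raw_entropy": round(shannon_entropy(s["raw"]), 2),
               "entropy": round(shannon_entropy(data), 2), "eexec_entropy": None}
        if "/Length2" in d:
            l1 = int(re.search(r"/Length1\s+(\d+)", d).group(1))
            l2 = int(re.search(r"/Length2\s+(\d+)", d).group(1))
            row["kind"] = "type1-font"
            row["eexec_entropy"] = round(shannon_entropy(data[l1:l1 + l2]), 2)
            row["flag"] = "expected (eexec)"
        else:
            row["kind"] = "stream"
            row["flag"] = ("packed or encrypted: likely"
                           if row["entropy"] > threshold else "plain")
        results.append(row)
    return results


def stream_obj(num: int, extra: str, data: bytes) -> bytes:
    """Serialise one stream object with a correct /Length (constructed PDF)."""
    head = f"{num} 0 obj\n<< /Length {len(data)} {extra} >>\nstream\n".encode()
    return head + data + b"\nendstream\nendobj\n"


# Constructed inputs: a benign form script and a fake Type 1 font program.
FORM_JS = b'app.alert("Total: " + this.getField("Total").value);\n' * 40
FONT_CLEAR = (b"%!PS-AdobeFont-1.0: ConstructedSans\n"
              b"/FontName /ConstructedSans def\ncurrentfile eexec\n")
FONT_EEXEC = eexec_encrypt(b"".join(
    b"/uni%04X %d RD charstring-%04d ND\n" % (0x20 + i, i, i) for i in range(400)))
CONSTRUCTED_PDF = (
    b"%PDF-1.4\n"
    + stream_obj(1, "/Filter /FlateDecode", zlib.compress(FORM_JS))
    + stream_obj(2, f"/Filter /FlateDecode /Length1 {len(FONT_CLEAR)} "
                    f"/Length2 {len(FONT_EEXEC)} /Length3 0",
                 zlib.compress(FONT_CLEAR + FONT_EEXEC))
    + b"%%EOF\n")

if __name__ == "__main__":
    for row in triage(CONSTRUCTED_PDF):
        print(row)
```

Two things the output makes visible: raw_entropy is high for every FlateDecode body regardless of content, so the measurement has to be taken after inflation; and the font object still reads close to 8.0 after inflation because its Length2 span is ciphertext by design. Keying the exemption on /Length2 rather than on a filename suffix keeps the check tied to the PDF structure, which is what a carving pipeline actually has in hand.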