PDF malware analysis — malicious · 6aa4449e681d6a87

MALICIOUS

PDF

100.1 KB Created: 2009-06-10 22:07:05 +08:00 Authoring application: Acrobat PDFMaker 8.1 for Word (via Acrobat Distiller 8.1.0 (Windows))

MD5: 0584edcb81609812770e8dcf6f6194cb SHA-1: 794295af97997a60e81584bf6b043d12eea72e16 SHA-256: 6aa4449e681d6a876c5a09fd3654ca905daf2744b2a1d4cbe3054471bd04b71e

338 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that leverages the CVE-2009-0927 vulnerability, specifically targeting the Collab.getIcon function. The JavaScript is heavily obfuscated using URL encoding and string concatenation, but the presence of exploit cluster heuristics and ClamAV detection strongly indicates malicious intent. The script's primary function is to download and execute a secondary payload, as suggested by the 'shellcode' variable and the overall exploit pattern.

Machine Learning

Nyx PDF Classifier malicious score 0.9993

Heuristics 10

Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
ClamAV: Pdf.Exploit.Agent-35646 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-35646
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/pdfx/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0023_000.js` `f3145d5ed2585dacda391e89775873b9de155ec4cbf8f90017bc2eb135c32cd9`	pdf-javascript-stream	PDF /JS object 23 at offset 0x7F3	10840 bytes
Detection ClamAV: Pdf.Exploit.Agent-35646 Obfuscation or payload: likely Carved artifact contains 7 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.