Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ac5d020dbca5b07…

MALICIOUS

PDF

18.9 KB
MD5: ebf69ef3f12d51b5ff9638ccead4dbc6 SHA-1: 4fd25612f4b31f3f5ea96009782367878c7317b3 SHA-256: 6ac5d020dbca5b07d4a012a4181200576e44b5f7d1f4d454a7ad80bc94701ebc
310 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains obfuscated JavaScript that leverages the CVE-2009-4324 vulnerability. This script is designed to download and execute a secondary payload from the URL http://gospeltube.com/cache/.svn/.p2/.l.php?l=1&spl=pdf_newplayer. The use of eval() and unescape() functions, along with string concatenation for obfuscation, is a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gospeltube.com/cache/.svn/.p2/.l.php?l=1&spl=pdf_newplayer

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj111711_000.js
bed200525bdc8fa8ba1b614b37d306023ae6e0088b49092ef56a16d4fd994649		 pdf-javascript-stream PDF /JS object 111711 at offset 0x18E 2470 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
javascript_obj111712_001.js
432d31eb8a289fd7ff5dd81747a3adffb47895a86e71b6ee8b7332d7ec53b373		 pdf-javascript-stream PDF /JS object 111712 at offset 0xB6A 13838 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
javascript_obj111713_002.js
bbee1f406ca9e0605aaeb0c14f619d5e346899b4b3a97f12d4c85a1627974925		 pdf-javascript-stream PDF /JS object 111713 at offset 0x41AE 2416 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
javascript_obj111711_003.js
4439f48a548e35548195f0c3be18431d66b10b1a55ee44e1cb62de2299584328		 pdf-javascript-stream PDF /JS object 111711 at offset 0x1B2 18880 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 15 long base64-like blob(s).
javascript_obj111712_004.js
5f7c49469b8379ac8df2d6adbe1bb9eb90e85c536a2f63036f0d0474a7b21bdc		 pdf-javascript-stream PDF /JS object 111712 at offset 0xB8E 16356 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 10 long base64-like blob(s).
javascript_obj111713_005.js
9d1146a13c296b8c8f636bf0b7057307fc775ed22b8c37c9cd4bddca814631ac		 pdf-javascript-stream PDF /JS object 111713 at offset 0x41D1 2465 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
legacy_pdfkit_stage_000.js
f7aee5f93a560ac50cc77e0b7e80c0eee0a59dd3ce3d366d5e06910b8ec8b795		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0xB6A 1088 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
legacy_pdfkit_stage_001.js
fa44c3a6a5df9dd0c4918db03b8a33dc1e24bba8204a13d66510a81c2b2e6f17		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x41AE 166 bytes
legacy_pdfkit_stage_002.js
31eff086876a4c751c01f9dc3405b6a52499ecd93115021964a908550a8a291f		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x1B2 1255 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
legacy_pdfkit_stage_003.js
42c02ecc2c992301879b0842e54e0acabd837ca4ba4c9d44d652462de1366804		 deobfuscated-js multi-marker percent-array combined decoded JavaScript at offset 0xB6A 6446 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.