Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e67cf915cf2b56a…

Verdict: MALICIOUS
File type: PDF
Size: 3.6 KB
Created: ÏÉ ´ ÇR?¡Ï,D'È0 (metadata string not readable as text)
Authoring application: ؐàí_Š& Ö-X>Ê; (via ؐàí_Š&Á¼XVdy™{_®×dB›™<Å) (metadata string not readable as text)
MD5: fcbaa9de82e9aa42add191e4003ef297
SHA-1: 90b1f386d579e4afb39625209ac0dd86421e0796
SHA-256: 6e67cf915cf2b56aa399395e00d8795387cd3c971a33be0489153de33b8d6a3e
Risk score: 208

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This PDF file is heavily obfuscated and uses JavaScript to hide its malicious payload, exploiting CVE-2007-5659. The embedded JavaScript, when deobfuscated, appears to download and execute a second-stage payload, as indicated by ClamAV detection of 'Win.Trojan.Agent-34667'. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (6)

  • Collab.collectEmailInfo — CVE-2007-5659 [critical] (rule: CVE_2007_5659, exact CVE match)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • ClamAV detection on extracted artifact [critical] (rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Encrypted PDF carries /OpenAction — payload hidden from static analysis [high] (rule: PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action [low] (rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] (rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info] (rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: javascript_obj0014_001.js
  SHA-256: 60f14a30a6d827d62cdca01cf93d4a17c11673cbf7cad72f43c876283e27ca7c
  Kind: pdf-javascript-stream
  Source: PDF /JS object 14 at offset 0x47B
  Size: 5406 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).

Artifact 2
  Filename: legacy_pdfkit_stage_000.js
  SHA-256: c8d0715db41a7cb9556de082d0d62600f777e08ee7c39ed4f67f1a2a57d6ddb4
  Kind: deobfuscated-js
  Source: interleaved hex-pair decoded JavaScript at offset 0x47B
  Size: 2512 bytes
  Detection:
    ClamAV: Win.Trojan.Agent-34667
    Obfuscation or payload: likely
    Carved artifact contains 3 eval/decoder/string-building token(s).