Malicious PDF — malware analysis report

Static analysis result for SHA-256 70f43ed12ff8c481…

Verdict: MALICIOUS
File type: PDF
Size: 317.6 KB
Created: 2007-02-21 10:33:49 +01:00
Authoring application: Adobe Illustrator(TM) 7.0 (via Acrobat Distiller 6.0.1 (Windows))
MD5: 7775e7ade13d73919e8dca4695ae7d0a
SHA-1: 15c30d25775c537ebf2fccc92ebfb64d8430f168
SHA-256: 70f43ed12ff8c48156f5d1ad9e09f12ecbcff77f64bbc8a2f58566e3e9f3c06f
Risk score: 310

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF carries obfuscated JavaScript (the /JS stream in object 6 at offset 0x18B) that targets CVE-2009-4324 (media.newPlayer use-after-free) and CVE-2008-2992 (util.printf stack buffer overflow). The script also calls app.eval, which together with the string obfuscation points at code being decoded and run at run time rather than static form logic. A successful trigger of either bug gives the script's payload native code execution, so a download-and-execute second stage is the likely follow-on, although no network indicator was extracted (the URLs listed below are namespace identifiers from the document metadata). A second complete PDF body starts at offset 0xACD8 and runs to the end of the file, with an Acrobat Distiller .joboptions attachment inside it; that attachment is a normal Distiller artifact rather than a payload, so the multi-stage assessment rests on the prepended object shell and its JavaScript, not on the attachment. Confidence is high because the two CVE API rules, the hex-escaped scripting name and the ClamAV heuristic fire independently on the same script path.

Machine Learning

  • Nyx PDF Classifier clean score 0.0082

Heuristics (11)

  • media.newPlayer — CVE-2009-4324 [critical; CVE exact; CVE_2009_4324]
    PDF JavaScript calls media.newPlayer(). CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin (Multimedia.api) triggered by Doc.media.newPlayer(); it was exploited in the wild as a zero-day in December 2009. Matched in the decompressed stream. Note that the file's 2007 creation timestamp predates this CVE by two years: the metadata describes the document that was repurposed as a carrier and says nothing about when the exploit code was added.
  • util.printf — CVE-2008-2992 [critical; CVE exact; CVE_2008_2992]
    PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader's util.printf() triggered by an over-long width in a floating-point format specifier; it was widely exploited in the wild after disclosure. Matched in the decompressed stream.
  • Hex-obfuscated scripting name object [critical; PDF_OBFUSCATED_NAME_OBJECT]
    A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners, e.g. /J#61v#61S#63r#69p#74, which decodes to /JavaScript. The escape syntax is legal PDF, but mainstream producers write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs, and any scanner that does not normalise names before matching will miss it.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject [critical; CLAMAV_DETECTION]
    ClamAV flagged the file with the heuristic signature Heuristics.PDF.ObfuscatedNameObject (the same hex-escaped name, detected independently).
  • Secondary embedded PDF body has suspicious static findings [high; POLYGLOT_CHILD_PDF_STATIC_TRIAGE]
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. The rule is written for polyglots whose top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF; here the outer container is itself a PDF. The secondary body starts at offset 0xACD8 (44248) and its 280958 bytes run to the end of the 317.6 KB file, so a complete second document follows the object shell that holds the JavaScript. Which objects a reader resolves depends on which trailer and xref it trusts, and that differs between parsers.
  • JavaScript action [low; PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; the specific dangerous APIs are scored by the rules above.
  • Embedded JS stream [low; PDF_JS]
    PDF references a /JS stream (object 6 at offset 0x18B). Generic JavaScript is common in benign forms; the specific dangerous APIs are scored by the rules above.
  • Embedded file [low; PDF_EMBEDDED]
    PDF embeds a file attachment (High_Quality.joboptions, EmbeddedFile object 20), which could carry an executable or another weaponised document as a nested payload; see the extracted artifacts below for what this one actually is.
  • Object number defined twice with different bodies [info; PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs below are ICC (color.org) and XMP/RDF namespace identifiers from the document's colour profile and metadata, not addresses the document or its script reaches out to, so they are not network indicators for this sample.
    • http://www.color.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
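The structural checks above (hex-escaped script names, duplicate object definitions with first-wins versus last-wins resolution, a second %PDF- body at a nonzero offset) and the decompressed-stream API match behind the two CVE rules, as one added triage script. This is example code written for this page, not the analysis platform's own rules or ClamAV's. The PDF it scans is constructed inline and is not the analysed sample; the lightweight regex object parser assumes the simple object syntax used there (no object streams, no encryption, no cross-reference streams), which is enough to show each check but not a substitute for a full PDF parser.

```python
import re
import zlib

# Acrobat JavaScript APIs behind the two CVE rules in this report.
DANGEROUS_JS_APIS = {
    b"media.newPlayer": "CVE-2009-4324",
    b"util.printf": "CVE-2008-2992",
}
# Names that route to script execution once #XX escapes are resolved.
SCRIPT_NAMES = {b"/JavaScript", b"/JS", b"/OpenAction", b"/AA"}

NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Direct /Length only; an indirect "/Length 7 0 R" is left to the endstream fallback.
LEN_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def decode_name(raw):
    """Resolve #XX escapes in a PDF name object (PDF 1.2+ syntax)."""
    return HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def hex_obfuscated_script_names(body):
    """Names that only become script-related after #XX decoding."""
    return [(m.start(), m.group(0), decode_name(m.group(0)))
            for m in NAME_RE.finditer(body)
            if b"#" in m.group(0) and decode_name(m.group(0)) in SCRIPT_NAMES]


def pdf_header_offsets(data):
    """Offsets of every %PDF- signature; a nonzero one means a second body."""
    return [m.start() for m in re.finditer(rb"%PDF-", data)]


def carve_bodies(data):
    """Split the container at each %PDF- so each body is triaged on its own."""
    offs = pdf_header_offsets(data)
    return [data[a:b] for a, b in zip(offs, offs[1:] + [len(data)])]


def iter_objects(body):
    for m in OBJ_RE.finditer(body):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def duplicate_objects(body):
    """(num, gen) keys defined more than once with differing bodies."""
    first, dups = {}, set()
    for num, gen, obj in iter_objects(body):
        if (num, gen) in first and first[(num, gen)] != obj:
            dups.add((num, gen))
        first.setdefault((num, gen), obj)
    return sorted(dups)


def resolve(body, num, gen, policy="last"):
    """Emulate a first-wins or last-wins reader for one object key."""
    objs = [o for n, g, o in iter_objects(body) if (n, g) == (num, gen)]
    return (objs[0] if policy == "first" else objs[-1]) if objs else None


def stream_payload(obj):
    """Raw stream bytes of one object, sliced by /Length when it is direct."""
    m = re.search(rb"stream\r?\n", obj)
    if not m:
        return None
    lm = LEN_RE.search(obj[:m.start()])
    if lm:
        return obj[m.end():m.end() + int(lm.group(1))]
    end = obj.find(b"endstream", m.end())
    return obj[m.end():end if end >= 0 else None]


def dangerous_api_calls(body):
    """Inflate FlateDecode streams and match the known-bad API names."""
    hits = []
    for num, gen, obj in iter_objects(body):
        data = stream_payload(obj)
        if data is None:
            continue
        if b"/FlateDecode" in obj:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # corrupt deflate data: fall back to scanning the raw bytes
        hits += [(num, gen, api.decode(), cve)
                 for api, cve in DANGEROUS_JS_APIS.items() if api in data]
    return hits


def triage(data):
    """One finding set per carved PDF body, keyed by the body's offset."""
    return [{"offset": off,
             "obfuscated_names": hex_obfuscated_script_names(body),
             "duplicate_objects": duplicate_objects(body),
             "dangerous_apis": dangerous_api_calls(body)}
            for off, body in zip(pdf_header_offsets(data), carve_bodies(data))]


def build_sample():
    """Constructed sample, not the analysed file: an object shell whose object 6
    holds FlateDecode JavaScript, a hex-escaped /JavaScript name, object 6
    redefined with a harmless body, and a second PDF body appended after it."""
    js = (b"var fmt = ''; for (var i = 0; i < 64; i++) fmt += '%f';\n"
          b"util.printf(fmt, 1);\n"
          b"media.newPlayer(null);\n")
    js_z = zlib.compress(js)
    head = (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"5 0 obj << /S /J#61v#61S#63r#69p#74 /JS 6 0 R >> endobj\n")
    js_obj = (b"6 0 obj << /Length " + str(len(js_z)).encode()
              + b" /Filter /FlateDecode >>\nstream\n" + js_z
              + b"\nendstream\nendobj\n")
    tail = (b"6 0 obj << /Length 2 >>\nstream\n//\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")
    decoy = (b"%PDF-1.3\n1 0 obj << /Type /Catalog >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return head + js_obj + tail + decoy


if __name__ == "__main__":
    for part in triage(build_sample()):
        print(part)
```

Running the script prints two finding sets: the first body (offset 0) reports the decoded /JavaScript name, object (6, 0) as a duplicate and both CVE API matches from the inflated stream; the second body reports nothing, which mirrors how the report carves and triages the child PDF separately. The resolve() helper makes the duplicate-object point concrete: a first-wins reader gets the FlateDecode JavaScript, a last-wins reader gets the two-byte comment.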

Extracted artifacts (5)

Files carved from inside the sample during analysis. Offsets at or beyond 0xACD8 lie inside the secondary PDF body; only the /JS stream at 0x18B belongs to the outer object shell.

Filename | Kind | Source | Size

High_Quality.joboptions
  SHA-256 dd281453afe121a67725c9e6da7d72c943d19784c6e87660e452ab81e162e97e
  pdf-embedded-file | PDF EmbeddedFile object 20 at offset 0x4D846 | 12230 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 11 long base64-like blobs)
  Note: a .joboptions file is an Acrobat Distiller settings file (PostScript parameters for setdistillerparams), which Distiller embeds in its output when configured to do so; it matches the Distiller producer string in the metadata and is not by itself evidence of staging. The base64-like match is a generic static trigger, so inspect the blobs before counting this artifact as a payload carrier.

javascript_obj0006_000.js
  SHA-256 8693bc5f6481ecab86832c853b54a5ae110306f474ba543a0accc706d54efc6c
  pdf-javascript-stream | PDF /JS object 6 at offset 0x18B | 6603 bytes
  The /JS stream referenced by the JavaScript action; the media.newPlayer and util.printf rules matched in its decompressed content.

font_00_cff_off00019bde.bin
  SHA-256 4581849b2bed659d7fb30228c330055cab8d4627bffec8ceabfb9c20deae9a73
  pdf-font-stream | PDF embedded font (cff) at offset 0x19BDE | 1772 bytes

font_01_sfnt_off0004a9c0.bin
  SHA-256 82547cbcce4aec0e64c4b108829d0509b1e34543945029bf606014ef3f84805d
  pdf-font-stream | PDF embedded font (sfnt) at offset 0x4A9C0 | 13000 bytes

polyglot_child_pdf_off0000acd8.pdf
  SHA-256 55d60ff37bc00d9daf3ceb66ac610ca7da528846f26fed60852c71c206dc2754
  polyglot-child-pdf | Secondary PDF body inside PDF container at offset 0xACD8 | 280958 bytes