PDF malware analysis — malicious · 72351493c434e0c6

MALICIOUS

PDF

3.3 KB

MD5: ef67ff25d122e1fa5e7357ffa1a485d5 SHA-1: 2a869aca7ba9f5d841857a1f25a6f7ef3747f8a1 SHA-256: 72351493c434e0c6b16c27cadb8d4261603b2c6bd4f3bbf5185c4bd91dc7c222

216 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file contains embedded JavaScript that exploits CVE-2009-4324, indicated by the 'media.newPlayer' heuristic and the 'PDF_JS_EXPLOIT_CLUSTER' firing. The JavaScript code, particularly the `unescape` calls within the `spray_heap` function, is designed to prepare for and likely execute a shellcode payload. The presence of multiple obfuscated JavaScript streams and the ML classifier's high confidence score further support the malicious nature of this document.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 7

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Additional-actions dictionary low PDF_AA

PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0005_000.js` `2d199bafb691ad01babb37dbe1d7f2a524093dfa4fc709402bf8e33b3346d76d`	pdf-javascript-stream	PDF /JS object 5 at offset 0x263	2517 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
`javascript_obj0005_001.js` `3c3baff6b0a9f3109d038b4b59f1c649ba4f8d4abc8ec7fe3fdae31fa8c73abc`	pdf-javascript-stream	PDF /JS object 5 at offset 0x289	2734 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
`combined_document_js_000.js` `c6a8d692df03e57c000f5845b6320a3f9cd66e4124d4b72efb945bc7daf996cd`	deobfuscated-js	combined document JavaScript streams at offset 0x263	5252 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.