Malicious PDF — malware analysis report

Static analysis result for SHA-256 73b72096d7551ee3…

MALICIOUS

PDF

1.6 KB
MD5: c8ddc56f7bad0140963c1352e230c0b4 SHA-1: 51cfc3e259276d33c9ab827c0545619f6cc58d3b SHA-256: 73b72096d7551ee3940a66af88a393f2b862c1ee6d11b0230c00485e5b5c9e67
248 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file contains embedded JavaScript that utilizes eval() and attempts to exploit CVE-2009-4324 via media.newPlayer. The script constructs strings and arrays in a complex manner, likely to obfuscate its true purpose of triggering an exploit. The primary function of the script is to execute arbitrary code by leveraging the media player vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0005_000.js
3ee104ef337deeb5bb9026f28eeccd43adb81f66ff79786d8b535957d58e8df2		 pdf-javascript-stream PDF /JS object 5 at offset 0x117 1112 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
javascript_obj0005_001.js
ca02d2d29a61a078e86fe8f9e778118a5673ba00c5c069052a707663f3351299		 pdf-javascript-stream PDF /JS object 5 at offset 0x117 33 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
generic_stage_recovery_000.js
59c4a6f1c30bdac695995e79f192523cf1bb2b6b150aeeb499e94c9d3420d73d		 deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 5 at offset 0x117 1109 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
generic_stage_recovery_001.js
a51d3a3af4c272d3614da3278662d2bf4585e7afea5df8f6e95a328af9c81c74		 deobfuscated-js generic stage recovery split-literal-normalize from combined JavaScript objects at offset 0x117 1143 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
combined_document_js_000.js
0093b9be0d7b336e51dfc2f9a21485a6dc690ca70174256b083df6125c7b20f1		 deobfuscated-js combined document JavaScript streams at offset 0x117 1146 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.