PDF malware analysis — malicious · 773afdbd5a52aa26

MALICIOUS

PDF

43.0 KB Created: 2011-04-19 14:23:41 +08:00 Authoring application: Acrobat PDFMaker 9.0 Word 版 (via Acrobat Distiller 9.0.0 (Windows))

MD5: 0d3584985627fa1c7b39c8cc8a870e58 SHA-1: 3a29e57930bbfe4467b037c12e1f11a032e43420 SHA-256: 773afdbd5a52aa2685857ccece94c2920e3bd9b74b2a2cfed86befc61b3b9dec

478 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File Execution: Malicious File T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell

This PDF document contains embedded JavaScript and a Flash RichMedia object that exploits CVE-2010-1297. The JavaScript is designed to decode and execute a second-stage payload, which is an embedded Windows executable. The embedded executable was detected by ClamAV as Win.Trojan.Agent-878827, indicating a malicious dropper. The primary attack vector is the exploitation of a Flash vulnerability within the PDF.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 13

Adobe Flash authplay SWF exploit in PDF — CVE-2010-1297 critical CVE likely CVE_2010_1297_FLASH_RICHMEDIA

PDF combines RichMedia Flash activation, a crafted SWF with ActionScript prototype/AVM-era markers or the AES-PHP/authplay variant markers, and PDF-side shellcode heap-spray staging. This is the static delivery shape associated with CVE-2010-1297 in Adobe Reader's bundled authplay.dll.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD

PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
ClamAV: Pdf.Dropper.Agent-6040890-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-6040890-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
RichMedia (Flash) high PDF_RICHMEDIA

PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0027_000.js` `81f46e747c81eea62f11ca378e00447cd50a619b5fc05b8bb769ff094dd1cbc5`	pdf-javascript-stream	PDF /JS object 27 at offset 0x74C5	5145 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
`embedded_pdf_0000033e.exe` `2d2c7f32d353aeaff9fe18a16fb733d3d2f99b74d5d256827636cf049ad4c5f3`	embedded-pe	PDF raw stream PE payload at offset 0x33E	22581 bytes
Detection ClamAV: Win.Trojan.Agent-878827 Obfuscation or payload: unlikely
`generic_stage_recovery_000.js` `36eaafdd95f50b3a663a562048c1aaf5e55797fa8ce27db76bcc8f205a666ca9`	deobfuscated-js	generic stage recovery marker-NAXX-to-%u from JavaScript object 27 at offset 0x74C5	3924 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`generic_stage_recovery_001.js` `c21d985b6f47356917775f2bf033a64ecc0495992e62e23a28d6b1f32c657103`	deobfuscated-js	generic stage recovery split-literal-normalize -> marker-NAXX-to-%u from JavaScript object 27 at offset 0x74C5	3919 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.