PDF malware analysis — malicious · 77fc9968494e04b6

MALICIOUS

PDF

4.8 KB

MD5: 4d989535c51acd691de51df09f3e5ac6 SHA-1: c6c0f45b00f319f28e7a236852a4fdb43fe1b9eb SHA-256: 77fc9968494e04b64bc7bf9a173cbdfd2db1a1b79bcaa8e271ad4f263e396767

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript, which is triggered by a CVE-2008-2992 exploit. The JavaScript is obfuscated and likely intended to download and execute a second-stage payload. The presence of the unescape() function and the specific CVE firing indicate a malicious intent to exploit a known vulnerability.

Heuristics 5

util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0006_000.js` `6511521e64c895bab14895a92bf857f5fc9ea1d367d6abed7d33d9d4b10ffd82`	pdf-javascript-stream	PDF /JS object 6 at offset 0x14C	80 bytes
`javascript_obj0010_001.js` `481f3b61af5ecdabaff7dd95670a44871ba347dfd05b1d6d59466dd516c6a957`	pdf-javascript-stream	PDF /JS object 10 at offset 0x2E0	3104 bytes
`javascript_obj0011_002.js` `39648949939bbe635c2acda48fba2ef425a0f2ae31345b332080c186f7639e95`	pdf-javascript-stream	PDF /JS object 11 at offset 0xF3C	77 bytes
`javascript_obj0012_003.js` `6dc77f6cbaa34208b2dbe9e148a838d1c81182170909a266993c20428838a51d`	pdf-javascript-stream	PDF /JS object 12 at offset 0xFC5	109 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.