Malicious PDF — malware analysis report

Static analysis result for SHA-256 7900ca98a6fbed74…

MALICIOUS

PDF

685.9 KB Created: 2021-05-06 22:42:29
MD5: de2a8a728f81d44562bfd3e91c95f002 SHA-1: 85fd33ccbc35b4503c13b4f1e87d69efec292780 SHA-256: 7900ca98a6fbed74aa5a393758c43ad7abc9d8c73c3fbab7af93bae681065f4e
222 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF sample contains embedded JavaScript that is obfuscated and attempts to exploit CVE-2020-9715. The script's functions like 'kk', 'jj', and 'ii' suggest memory manipulation and object exploitation. It specifically attempts to load 'kernel32.dll' and execute a function named 'VirtualProtect', indicating a payload execution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9361

Heuristics 10

  • dataObjects ESObject stale-cache trigger — CVE-2020-9715 critical CVE exact CVE_2020_9715
    PDF embeds a file and JavaScript follows the CVE-2020-9715 ESObject use-after-free trigger shape: access this.dataObjects[], clear the dataObjects entry, schedule app.setTimeOut(), then re-access the Data ESObject through toString().
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://adobereview.uservoice.com/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0508_000.js
c4a8060e2a254739a0951ff988785c715482042a379cf09b2a10399e94c85489		 pdf-javascript-stream PDF /JS object 508 at offset 0xA870F 10795 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
javascript_obj0530_001.js
8433dca28e2ce9876e690a6c9e5b9bbec7c8d08198b5135ae6f8b7552dfa63f6		 pdf-javascript-stream PDF /JS object 530 at offset 0xAABB0 6340 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_016_off000070d7.bin
c11cb8cfdf0f17b6f5f697110384d8318aa875573e0209135047cab5cb5dca38		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x70D7 1833651 bytes
stream_020_off000328bf.bin
893a859eca5401895aec6b5e6246124430c51c09df8f8b7ec9aedf153bddbac4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x328BF 1491369 bytes
stream_026_off00068651.bin
517710f00acc02ea3199ee20575c9310eb66683b3ba6e3533125ef3de44bc024		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x68651 1102248 bytes
stream_029_off00077fc9.bin
104d79a0db2565b1a19b2bc4e2f555d6d5f747d810412824404093e84b169adf		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x77FC9 154368 bytes
font_00_cff_off00088e65.bin
48350d8ae3f4c835da67d173692f7f7b37cd7562c161a07612770888056393f5		 pdf-font-stream PDF embedded font (cff) at offset 0x88E65 7926 bytes
font_01_cff_off0008a7ed.bin
7fd9973dee0fb1d775fc88c42aa4d0066f3d843e6d95097419c6e27cae457647		 pdf-font-stream PDF embedded font (cff) at offset 0x8A7ED 2332 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.