Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c25f4279c396837…

MALICIOUS

PDF

6.5 KB Created: 2009-05-06 20:45:24 +08:00 Authoring application: DocuCom PDF Core Library
MD5: d45ffc4ec0dae182f604dd07f568ccb3 SHA-1: 497c3532aff54f186da6489032a8af4fd7e77b81 SHA-256: 7c25f4279c396837ef82c1719b1070fe1f7c32a3ac85f738c1c4ef239a91c32e
370 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file exploits the CVE-2009-0927 vulnerability using embedded JavaScript. The JavaScript, after being deobfuscated, appears to download and execute a second-stage payload. The critical heuristic firings and ClamAV detection strongly indicate malicious intent, likely for delivering further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 10

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Exploit.Agent-35646 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35646
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0004_000.js
9d96470c14cb3777ea796d998c7e5b89fd2ee5331f762cf60a9164db7b7ffbde		 pdf-javascript-stream PDF /JS object 4 at offset 0x891 14600 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: unlikely
stream_003_off00000891.bin
786bf592b8a8846674d419e34e5d22236b4a2d9bd25565839a074f57b182c618		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x891 7299 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
generic_stage_recovery_000.js
56eb4fc0a8b021a56bca31460e8cdee67c09ee17e3097760b1caa7b6092297f0		 deobfuscated-js generic stage recovery split-literal-normalize from decompressed stream at 0x891 at offset 0x891 5781 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
generic_stage_recovery_001.js
56e375e06f71c51473be8330e72000596f0bb6c7cea9c995ad81ba80d02c056c		 deobfuscated-js generic stage recovery null-collapse -> split-literal-normalize from JavaScript object 4 at offset 0x891 5783 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
generic_stage_recovery_002.js
3c2717fd035a79baecb3dcdacfade7cdbd175e297fb552dc8ace5602bc83005f		 deobfuscated-js generic stage recovery split-literal-normalize -> split-literal-normalize from decompressed stream at 0x891 at offset 0x891 5778 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
generic_stage_recovery_003.js
38c7ff191ef98bfa5cdcffd4ac5c979b0c43a547ae2ffd218280fdb341a1c80f		 deobfuscated-js generic stage recovery split-literal-normalize -> percent-decode from decompressed stream at 0x891 at offset 0x891 5773 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
generic_stage_recovery_004.js
b30836b8a02a62bc98784db4c342729d4e4093ae189ecb01c41b055627dc1119		 deobfuscated-js generic stage recovery null-collapse -> split-literal-normalize -> split-literal-normalize from JavaScript object 4 at offset 0x891 5780 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
generic_stage_recovery_005.js
b4aa5fd72a34d909191e43864b87e7645ad59c03de6d85a2b3cc09eabb1d49e1		 deobfuscated-js generic stage recovery null-collapse -> split-literal-normalize -> percent-decode from JavaScript object 4 at offset 0x891 5775 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
generic_stage_recovery_006.js
309448cc1caa8c7b97f71387df34f40d5d75c57e1d071e3ba3b81c5822f928d9		 deobfuscated-js generic stage recovery split-literal-normalize -> split-literal-normalize -> percent-decode from decompressed stream at 0x891 at offset 0x891 5770 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.