Malicious PDF — malware analysis report

Static analysis result for SHA-256 7de56e7ec89abe17…

Verdict: MALICIOUS

File type: PDF

Size: 16.5 KB

MD5: 233d1ab1c8c0650bf9ed5ccbbe310b41
SHA-1: 25079e915b33915d77fea7d959dc2695fd9007d5
SHA-256: 7de56e7ec89abe177d0f7242f21677fa92c62eb473ab993b92ae4537ef46572d

Risk Score: 118

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.001 Malicious Link

This PDF sample targets CVE-2009-4324 through embedded JavaScript that calls eval() and unescape() to execute malicious code. The JavaScript appears to be heavily obfuscated, but the presence of these functions together with the exploit trigger indicates an attempt to download and execute a secondary payload. The attack pattern is consistent with exploit-kit delivery mechanisms.

Heuristics (5)

  • media.newPlayer — CVE-2009-4324 [severity: critical; match: CVE exact; rule: CVE_2009_4324]
    PDF JavaScript calls media.newPlayer(). CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(); it was actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • eval() call [severity: high; rule: PDF_EVAL]
    eval() found; commonly used for obfuscated exploit execution.
  • JavaScript action [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (6)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source, size and detection results.

  • javascript_obj111711_000.js
    SHA-256: 8f2cf98d5e3e87c0d979b350ef862aac978688ce50101c90622f5a1cbaa80fea
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111711 at offset 0x18E
    Size: 3051 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely.
    Carved artifact contains 1 eval/decoder/string-building token(s) and 4 long base64-like blob(s).
  • javascript_obj111712_001.js
    SHA-256: ac624ee09918eb65c7254b1329f9d7e71dfd8e8776b03319979d7bc8f2c56b48
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111712 at offset 0xDAF
    Size: 10738 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely.
    Carved artifact contains 1 eval/decoder/string-building token(s) and 6 long base64-like blob(s).
  • javascript_obj111713_002.js
    SHA-256: c50792a056ab5ce710d4b19e66e929ef392fff74871b63eb4a476e4240c8191d
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111713 at offset 0x37D7
    Size: 2541 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely.
    Carved artifact contains 1 eval/decoder/string-building token(s) and 5 long base64-like blob(s).
  • legacy_pdfkit_stage_000.js
    SHA-256: 14d9d23d619682a659b666d1537fbe47a8cc4db49b0c37d63714847d39b24a42
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0xDAF
    Size: 1080 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely.
    Carved artifact contains 2 eval/decoder/string-building token(s).
  • legacy_pdfkit_stage_001.js
    SHA-256: fa44c3a6a5df9dd0c4918db03b8a33dc1e24bba8204a13d66510a81c2b2e6f17
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0x37D7
    Size: 166 bytes
  • legacy_pdfkit_stage_002.js
    SHA-256: 1c96ee696ace6892c53355b89b1ea96f52cca8e3a6b5b4fe55099399bf524996
    Kind: deobfuscated-js
    Source: multi-marker percent-array combined decoded JavaScript at offset 0xDAF
    Size: 1247 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely.
    Carved artifact contains 2 eval/decoder/string-building token(s).