Malicious PDF / .TMP — malware analysis report

Static analysis result for SHA-256 7de5ca05380afd0d…

MALICIOUS

PDF / .TMP

Size: 1.95 MB
Created: 2007-12-35 21:45:26 (reproduced as recorded in the sample; day 35 is not a valid calendar date, so the field is malformed and must not be used as a timeline indicator)
Authoring application: Adobe (via Fhgifuo u)
MD5: af36dd15798ac68593b673d9e6902c63
SHA-1: 41f2a8dd5cc4bcdf6877c5cf876fc3a6c1aa01c1
SHA-256: 7de5ca05380afd0df102e912026e893beea6f8c28c91f5200f340feff8485c52
Risk score: 238

Malware Insights

MITRE ATT&CK

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.001 User Execution: Malicious Link

Caveat: none of the static findings below shows a PowerShell invocation or an embedded link; what was observed is a document that exploits the reader's own JavaScript engine. Treat these two mappings as the tool's generic classification rather than as behaviour confirmed by this static analysis.

The sample contains multiple embedded JavaScript streams which, once deobfuscated, call util.printf() and media.newPlayer(), the trigger functions for the known Adobe Reader vulnerabilities CVE-2008-2992 and CVE-2009-4324. The JavaScript is heavily obfuscated (double percent-encoded and hex-encoded stages were unwrapped during analysis) and hands the decoded stages to eval(), which is how such samples unpack their exploit code at runtime; static analysis shows this staging but cannot confirm any network download, and no URL or downloader artifact appears among the findings. Three secondary PDF bodies (at offsets 0x10000, 0x29C61 and 0x2DE93) and several JavaScript objects point to a multi-stage construction. Both vulnerabilities were fixed by Adobe long ago (APSB08-19 and APSB10-02), so the exploits only affect unpatched legacy Reader installations; the file's recorded creation date is invalid and predates both CVEs, so it says nothing reliable about when the sample was built.

Heuristics (7)

  • util.printf — CVE-2008-2992 (critical; exact CVE match; rule CVE_2008_2992)
    The PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack-based buffer overflow in Adobe Reader's util.printf() triggered by an over-long format specifier (for example an enormous field width) passed as the format argument. It was widely exploited in the wild after disclosure and was fixed by Adobe in APSB08-19. Identified after JavaScript deobfuscation.
  • media.newPlayer — CVE-2009-4324 (critical; exact CVE match; rule CVE_2009_4324)
    The PDF JavaScript calls media.newPlayer(). CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia support reached through Doc.media.newPlayer(); it was exploited as a zero-day in December 2009 before the fix in APSB10-02. Identified after JavaScript deobfuscation.
  • Secondary embedded PDF body has suspicious static findings (critical; rule POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. The rule is designed for polyglots whose top-level magic routes to ZIP or OLE while a PDF reader or downstream parser opens the hidden PDF payload. In this sample the outer container is itself a PDF, and the additional %PDF- headers sit at 0x10000, 0x29C61 and 0x2DE93 (see the extracted artifacts below); which body a given parser renders depends on how it locates the header and cross-reference table, so each carved body is triaged on its own.
  • eval() call (high; rule PDF_EVAL)
    eval() found inside a decoded stream. It is the usual sink for obfuscated exploit code: the stages are unpacked as strings and passed to eval() at runtime.
  • JavaScript action (low; rule PDF_JAVASCRIPT)
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; the dangerous APIs are scored by the separate rules above.
  • Embedded JS stream (low; rule PDF_JS)
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; the dangerous APIs are scored by the separate rules above.
  • Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks: script obfuscation, encoded payload blobs, packed data, or execution/download terms.
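The rules above (dangerous-API matching after deobfuscation, eval() detection, carving of secondary %PDF- bodies, and the per-artifact decoder-token and base64-blob counts reported for the extracted files) can be reproduced with a small static triage script. The Python below is an added illustration written for this page; it is not the analysis tool's code and was not run against the sample. It builds its own constructed input (a two-body PDF whose Flate-compressed /JS stream carries a double percent-encoded stage) and takes the rule ids, severities and token classes from the report; the repeated unescape() loop, the literal-string reader and the direct-/Length handling are the script's own simplifications (indirect /Length references and filters other than FlateDecode are not handled).

```python
import re
import zlib
import base64

# Rule table mirroring the report's heuristics: API token -> (rule id, severity).
API_RULES = {"util.printf": ("CVE_2008_2992", "critical"),
             "media.newPlayer": ("CVE_2009_4324", "critical"), "eval(": ("PDF_EVAL", "high")}
DECODER_TOKENS = ("eval(", "unescape(", "String.fromCharCode", ".replace(")
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n")
LEN_RE = re.compile(rb"/Length\s+(\d+)")               # direct /Length values only
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")       # /JS 8 0 R -> stream object 8
JS_INLINE_RE = re.compile(rb"/JS(?![A-Za-z])\s*\(")      # /JS (...) but not /JSomething
PCT_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def read_literal_string(data, start):
    # PDF literal string whose '(' is at `start`; nested parens and backslash
    # escapes are honoured (a plain regex would stop at the first ')').
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c, i = data[i:i + 1], i + 1
        if c == b"\\":                      # escaped byte: keep it literally
            out += data[i:i + 1]
            i += 1
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return bytes(out)               # closing ')' of the outer string
        if not (c == b"(" and depth == 1):
            out += c
    return bytes(out)                       # unterminated string

def extract_js(region, base=0):
    # (object number, absolute offset, raw JS) for inline /JS strings and for
    # stream objects referenced by /JS; /FlateDecode streams are inflated.
    objects = {}
    for m in OBJ_RE.finditer(region):
        objects.setdefault(int(m.group(1)), (base + m.start(), m.group(2)))
    found = []
    for num, (off, body) in objects.items():
        im = JS_INLINE_RE.search(body)
        if im:
            found.append((num, off, read_literal_string(body, im.end() - 1)))
    for m in JS_REF_RE.finditer(region):
        num = int(m.group(1))
        off, body = objects.get(num, (None, b""))
        sm, lm = STREAM_RE.search(body), LEN_RE.search(body)
        if sm and lm:
            raw = body[sm.end():sm.end() + int(lm.group(1))]
            if b"/FlateDecode" in body[:sm.start()]:
                raw = zlib.decompress(raw)
            found.append((num, off, raw))
    return found

def deobfuscate(text, max_rounds=4):
    # Apply JavaScript unescape() (%XX and %uXXXX) repeatedly: a double
    # percent-encoded stage needs two rounds before its API calls are visible.
    rounds = 0
    while rounds < max_rounds:
        new = PCT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)
        if new == text:
            break
        text, rounds = new, rounds + 1
    return text, rounds

def triage(js_bytes):
    # Score one carved JavaScript artifact the way the report's rules do.
    text, rounds = deobfuscate(js_bytes.decode("latin-1"))
    return {"decode_rounds": rounds,
            "findings": [(r, s, t) for t, (r, s) in API_RULES.items() if t in text],
            "decoder_tokens": sum(text.count(t) for t in DECODER_TOKENS),
            "base64_blobs": len(B64_RE.findall(text))}

def analyze(data):
    # Carve every %PDF- body (a nonzero offset is a polyglot child) and triage
    # the JavaScript of each body separately.
    bodies = [m.start() for m in re.finditer(rb"%PDF-", data)]
    bounds = bodies + [len(data)]
    report = {"polyglot_child_offsets": [b for b in bodies if b], "artifacts": []}
    for i, start in enumerate(bodies):
        for num, off, raw in extract_js(data[start:bounds[i + 1]], base=start):
            report["artifacts"].append({"body": start, "object": num, "offset": off, **triage(raw)})
    return report

def build_sample():
    # Constructed input (not the analysed file): a PDF whose Flate-compressed /JS
    # stream holds a double percent-encoded stage, then at 0x1000 a second %PDF-
    # body whose inline /JS string carries a long base64 blob.
    stage = ('var s = unescape("%u4141%u4141");\nutil.printf("%.5000f", s);\n'
             'media.newPlayer(null);\neval(s);')
    enc = lambda t: "".join("%%%02x" % ord(c) for c in t)
    stream = zlib.compress(('eval(unescape(unescape("%s")));' % enc(enc(stage))).encode())
    parent = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
              b"3 0 obj\n<< /Length " + str(len(stream)).encode() +
              b" /Filter /FlateDecode >>\nstream\n" + stream + b"\nendstream\nendobj\n")
    blob = base64.b64encode(b"\x00" * 180)
    child = (b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS (var b = \"" + blob +
             b"\"; app.alert(\"nested (parens) survive\")) >>\nendobj\n")
    return parent.ljust(0x1000, b"\0") + child

SAMPLE = build_sample()
```

Call analyze() on the raw bytes of a file to get one entry per carved JavaScript object, keyed by the body it came from. On the constructed sample the parent stream needs three decode rounds (two percent layers plus the %u sequence inside the stage) before util.printf and media.newPlayer become visible, which is why the report applies its API rules after deobfuscation rather than to the raw stream; the child body at 0x1000 yields no API hit but one long base64-like blob, the same signal the report records for the carved child PDFs.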

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Columns: filename, SHA-256, kind, source, size (detection results where available).

  • javascript_obj0008_000.js
    SHA-256: dcd2a3db7443d2d4c463fbde7a2179a4690b72ed0d60409606531c69f0e49ab9
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 2345 bytes
  • javascript_obj0028_001.js
    SHA-256: bd936ddcde37fc9b29e8ee4e192d07ec2089810ea67664a13e17ea95cb32303f
    Kind: pdf-javascript-stream
    Source: PDF /JS object 28 at offset 0x3164B
    Size: 81919 bytes
  • javascript_obj0032_002.js
    SHA-256: 114922f79b1563ea5458b86f22a6fd02373c98b9bbf2342010bae74cb998e470
    Kind: pdf-javascript-stream
    Source: PDF /JS object 32 at offset 0x2A08F
    Size: 1666537 bytes
  • javascript_obj0034_003.js
    SHA-256: d72c9fb29c217a430981a605abd8d054df1ffd27591a769ba52c85a4a0223f9e
    Kind: pdf-javascript-stream
    Source: PDF /JS object 34 at offset 0x2DB53
    Size: 1028 bytes
  • javascript_obj0036_004.js
    SHA-256: 26eb0b0696a56f8a17c2140d898067edf9d0afda49bc9f7ba1d5047d30ded466
    Kind: pdf-javascript-stream
    Source: PDF /JS object 36 at offset 0x29CE1
    Size: 1354 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)
  • legacy_pdfkit_stage_000.js
    SHA-256: eda51904788f03f9d1e9f0757d00f0a2bcd40ec48fe75994786ee94219de1f25
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0xB44
    Size: 4318 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens)
  • javascript_obj0008_000_1.js
    SHA-256: 895b8685340ac4336e51a471aa379222694e906a8c49bbdb4c1ce67d60e8d842
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 2461 bytes
  • legacy_pdfkit_stage_000_1.js
    SHA-256: ef0e35cb8c5457ba19227b4344632e10b51e16ad1533b2cc631fe6a3c319a18a
    Kind: deobfuscated-js
    Source: repeated-marker hex-decoded JavaScript at offset 0xBB8
    Size: 2546 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)
  • legacy_pdfkit_stage_001.js
    SHA-256: 42025b552c7960b53abcd8cd732b01c8d109eccfdfefc352b9826c4d5807d414
    Kind: deobfuscated-js
    Source: cross-stage annotation API aliases at offset 0x1E7
    Size: 81 bytes
  • polyglot_child_pdf_off00010000.pdf
    SHA-256: 262075bca490902b594b49ea4433f6599afa264b3969bcbd966f6e11952384e9
    Kind: polyglot-child-pdf
    Source: secondary PDF body inside the PDF container at offset 0x10000
    Size: 1982464 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs)
  • polyglot_child_pdf_off00029c61.pdf
    SHA-256: c19e135c1463b7423722d19f998b4f36c44e94bdf84b3986c27095bfe7a1688d
    Kind: polyglot-child-pdf
    Source: secondary PDF body inside the PDF container at offset 0x29C61
    Size: 1876895 bytes
  • polyglot_child_pdf_off0002de93.pdf
    SHA-256: 75ecb90bef88d5d8df4fc3e0917daec50f8e8681d225cef11684af995304e726
    Kind: polyglot-child-pdf
    Source: secondary PDF body inside the PDF container at offset 0x2DE93
    Size: 1859949 bytes

Note on the three child PDFs: each offset plus size equals 2,048,000 bytes (0x10000 + 1982464, 0x29C61 + 1876895 and 0x2DE93 + 1859949), so every child is carved from its %PDF- header to the end of the file and the three bodies nest inside one another rather than being three independent documents; 2,048,000 bytes is also the 1.95 MB total reported above. The "ClamAV: No threats found" lines are signature results for the carved artifact only; the verdict rests on the heuristic findings, not on signature coverage.