Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ff709fcadd32482…

Verdict: MALICIOUS
File type: PDF
Size: 7.1 KB
MD5: e000af94a5dda6c5bbe335bfa242a6a9
SHA-1: 80880d0bbc106e0ce767eba6ee46424afc51ad2d
SHA-256: 7ff709fcadd32482741d9be39b9056d8343a499eae7c43273fd1c95000a547ea
Risk Score: 190

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

This PDF file contains both embedded JavaScript and U3D content, a combination that is indicative of exploitation. Specifically, the CVE-2009-3953 heuristic firing points to a known vulnerability in Adobe Reader's 3D parser. The ML classifier also strongly suggests maliciousness. The embedded JavaScript, though obfuscated, likely contributes to the exploitation chain by preparing the environment for the U3D exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Adobe Reader U3D CLODProgressiveMeshDeclaration exploit (severity: critical; CVE likely; rule: CVE_2009_3953)
    PDF combines malformed U3D 3D content with JavaScript/action activation. CVE-2009-3953 is an Adobe Reader/Acrobat U3D CLODProgressiveMeshDeclaration array-boundary vulnerability triggered by malformed U3D data in a PDF.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (severity: high; CVE related; rule: PDF_U3D_CVE_RELATED)
    PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • unescape() call (severity: high; rule: PDF_UNESCAPE)
    unescape() found; often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • javascript_obj0001_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1 at offset 0xA
    Size: 1818 bytes
    SHA-256: 6ce6080c3d4dbc0f95fde0f93d123a1fc64b73d35c0ba0e7480535ca2c73c542
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s).
  • u3d_00_off0000106b.bin
    Kind: pdf-3d-stream
    Source: PDF U3D 3D stream at offset 0x106B
    Size: 1452 bytes
    SHA-256: b9afc8ad15267598141c464a37579565a6d1b6960b8269171fe7aa5bf74a3a11
  • u3d_01_off0000177c.bin
    Kind: pdf-3d-stream
    Source: PDF U3D 3D stream at offset 0x177C
    Size: 501 bytes
    SHA-256: 18185385e691e60e6225daec96737ba3dc73afbfd4d1f36f05921d0e656e2767