Malicious PDF — malware analysis report

Static analysis result for SHA-256 88f4ec1a2d4f1649…

Verdict: MALICIOUS
File type: PDF
Size: 1.2 KB
MD5: e0289c171642f6d9fdb3d213132ca68b
SHA-1: 80cf603d1ca4b2301d01125a89ba60dc687873b2
SHA-256: 88f4ec1a2d4f1649b5e1ff884c9321f13ac44410744d1c289464cc5021de6b63
Risk score: 208

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript that calls the Collab.getIcon method to trigger CVE-2009-0927, a stack-based buffer overflow in Adobe Reader and Acrobat's handling of the Collab.getIcon() argument, patched by Adobe in March 2009. The script decodes its payload with unescape() and assembles it by string concatenation, so the shellcode sits in the stream percent-encoded rather than as literal bytes; this is a common obfuscation pattern in PDF exploits. Successful exploitation gives arbitrary code execution in the reader process, likely used here to download and run a second-stage payload. This verdict comes from static analysis only: the decoded output of the unescape() call and any URL or download call in the carved scripts below are where to confirm the second stage.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (6)

  • Collab.getIcon — CVE-2009-0927 (critical; exact CVE match; rule CVE_2009_0927)
    PDF JavaScript calls Collab.getIcon(). CVE-2009-0927 is a stack-based buffer overflow in Adobe Reader triggered by passing a crafted argument to Collab.getIcon(); successful exploitation allows arbitrary code execution.
  • PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER)
    The PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own remains low-severity; this correlated cluster is treated as high-confidence malicious behaviour.
  • unescape() call (high; rule PDF_UNESCAPE)
    unescape() found. In PDF JavaScript exploits it is commonly used to decode a percent-encoded shellcode string into memory.
  • JavaScript action (low; rule PDF_JAVASCRIPT)
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low; rule PDF_JS)
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
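The extraction and scoring that the Malware Insights paragraph and the heuristics above describe (pull every /JS payload out of the PDF, whether an inline literal or a reference to a deflated stream, then score the script for Collab.getIcon, unescape() and staging tokens and promote co-occurrence to a cluster hit) can be reproduced with a small standalone triage script. The code below is an added example written for this page; it is not the report engine's code, its rule ids merely echo the ones listed above, and both PDFs it analyses are constructed fixtures (a stand-in script that carries the token pattern but no overflow payload, and an ordinary form script), not the sample described in this report.

```python
import re
import zlib

# Detection rules modelled on the report's heuristics: (rule id, severity, pattern).
# The patterns are this example's own, not the report engine's signatures.
RULES = [
    ("CVE_2009_0927", "critical", re.compile(r"Collab\.getIcon\s*\(")),
    ("PDF_UNESCAPE", "high", re.compile(r"\bunescape\s*\(")),
    ("PDF_JS_STAGING", "high", re.compile(r"\b(?:eval|String\.fromCharCode)\s*\(")),
]
SEVERITY_RANK = {"info": 0, "low": 1, "high": 2, "critical": 3}
VERDICT = {-1: "benign", 0: "benign", 1: "low-risk", 2: "suspicious", 3: "malicious"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
JS_KEY_RE = re.compile(rb"/JS\s*(?:(\()|(\d+)\s+\d+\s+R)")   # /JS (literal) or /JS n 0 R
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")


def read_literal(body, start):
    """Read a PDF literal string whose '(' is at body[start]. Balanced nested
    parentheses belong to the string; a backslash keeps the next byte verbatim."""
    depth, i, out = 0, start, bytearray()
    while i < len(body):
        c = body[i]
        if c == 0x5C and i + 1 < len(body):          # backslash escape
            out.append(body[i + 1]); i += 2; continue
        if c == 0x28:                                  # '('
            depth += 1
            if depth > 1: out.append(c)
        elif c == 0x29:                                # ')'
            depth -= 1
            if depth == 0: return bytes(out)
            out.append(c)
        else:
            out.append(c)
        i += 1
    return bytes(out)                                  # unterminated: best effort


def stream_data(body):
    """Return the decoded payload of a stream object (uses /Length, inflates FlateDecode)."""
    m, k = LENGTH_RE.search(body), body.find(b"stream")
    if m is None or k < 0:
        return None
    k += len(b"stream")
    k += 2 if body[k:k + 2] == b"\r\n" else 1          # EOL after the keyword
    data = body[k:k + int(m.group(1))]
    if b"/FlateDecode" in body:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return None                                # corrupt or decoy stream
    return data


def extract_js(pdf):
    """Return [(object number, file offset, script)] for every /JS payload."""
    objs = {int(m.group(1)): (m.start(), m.group(3)) for m in OBJ_RE.finditer(pdf)}
    found = []
    for num, (off, body) in sorted(objs.items()):
        m = JS_KEY_RE.search(body)
        if m is None:
            continue
        if m.group(1):                                 # inline literal string
            js, src = read_literal(body, m.start(1)), (num, off)
        else:                                          # indirect reference to a stream
            ref = int(m.group(2))
            if ref not in objs: continue
            js, src = stream_data(objs[ref][1]), (ref, objs[ref][0])
        if js:
            found.append((src[0], src[1], js.decode("latin-1")))
    return found


def score_js(js):
    """Apply the rules; add the cluster hit when a CVE pattern co-occurs with staging tokens."""
    hits = [(rid, sev) for rid, sev, rx in RULES if rx.search(js)]
    ids = {rid for rid, _ in hits}
    if "CVE_2009_0927" in ids and ids & {"PDF_UNESCAPE", "PDF_JS_STAGING"}:
        hits.append(("PDF_JS_EXPLOIT_CLUSTER", "critical"))
    return hits


def triage(pdf):
    scripts = extract_js(pdf)
    hits = [("PDF_JS", "low")] if scripts else []      # generic JS alone stays low
    for _, _, js in scripts:
        hits += score_js(js)
    worst = max((SEVERITY_RANK[s] for _, s in hits), default=-1)
    return {"verdict": VERDICT[worst], "scripts": scripts, "hits": hits}


def build_pdf(js, inline=False, compress=True):
    """Construct a minimal test PDF whose OpenAction runs `js`. Fixture only: the script
    lands in object 7 (or inline in object 6) to mirror the report's layout."""
    data = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    stream_obj = b"<< " + filt + b"/Length %d >>\nstream\n" % len(data) + data + b"\nendstream"
    action = (b"<< /S /JavaScript /JS (" + js + b") >>" if inline
              else b"<< /S /JavaScript /JS 7 0 R >>")
    objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R >>", b"<< >>", b"<< >>",
            action, b"<< >>" if inline else stream_obj]
    out = b"%PDF-1.4\n"
    for i, o in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + o + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed inputs: a stand-in with the report's token pattern (decoder output fed to
# Collab.getIcon, four bytes, no overflow payload) and an ordinary form script.
EXPLOIT_PATTERN_JS = b'var s = unescape("%41%41%41%41"); Collab.getIcon(s);'
FORM_JS = b'this.getField("total").value = this.getField("qty").value * 2;'

if __name__ == "__main__":
    for label, pdf in (("pattern", build_pdf(EXPLOIT_PATTERN_JS)),
                       ("form", build_pdf(FORM_JS, inline=True))):
        r = triage(pdf)
        print(label, r["verdict"], [rid for rid, _ in r["hits"]],
              [(n, hex(o)) for n, o, _ in r["scripts"]])
```

The form fixture only earns the generic PDF_JS hit, which is the behaviour the low-severity rules above describe; the pattern fixture is promoted to the cluster hit because the CVE token and the decoder token occur in the same script. The parser deliberately walks `/Length` rather than searching for `endstream`, since a stream's binary payload can legitimately contain that keyword; it does not handle hex-string `/JS <...>` values or object streams, which a production carver would need to.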

Extracted artifacts (3)

Files carved from inside the sample during analysis. ClamAV reports nothing on any of them, which is expected for a short custom script; the verdict rests on the heuristics and the classifier above, not on signature detection.

Each entry lists filename, SHA-256, kind, source, size, and detection results.

  • javascript_obj0007_000.js
    SHA-256: 7913f7a9a9a742ab3460e1e0c2f7fee22d904d215c183d5de9265cc88bf68d30
    Kind: pdf-javascript-stream
    Source: PDF /JS object 7 at offset 0x2B4
    Size: 302 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)
  • javascript_obj0007_001.js
    SHA-256: e12aa958a279c4ec8d077820657b0dcbcf54e6697b3bb9a6fa717b63964eeaea
    Kind: pdf-javascript-stream
    Source: PDF /JS object 7 at offset 0x2B4
    Size: 40 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)
  • combined_document_js_000.js
    SHA-256: 526dc1b3e361c9bbe6a903d25d06455af9a27a7654f4ddd6cab63332176661e6
    Kind: deobfuscated-js
    Source: combined document JavaScript streams at offset 0x2B4
    Size: 343 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)