Malicious PDF — malware analysis report

Static analysis result for SHA-256 8988e33ff1ed06eb…

Verdict: MALICIOUS
File type: PDF
Size: 137.3 KB
MD5: 16b204ecc7be2f439ad0bd5b8b6afbfd
SHA-1: 5476635cc6d74e84862599517f2ed301f3cc6635
SHA-256: 8988e33ff1ed06ebe99b26e54597024932e6a46f3a56537e00a7e0a760e14f96
Risk Score: 194

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File; T1059.007 Command and Scripting Interpreter: JavaScript

This PDF is flagged as malicious by multiple high-severity heuristics, including a critical indicator for the CVE-2009-3953 exploit against Adobe Reader's U3D (3D) parser. Embedded JavaScript with an auto-execution trigger sitting next to a malformed U3D stream is the classic layout of a document that exploits the viewer and then downloads and executes a secondary payload. Because the document is encrypted, the JavaScript body could not be read statically, so the payload stage is inferred from structure rather than observed. The ML classifier output of 0.999992 further reinforces the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (7)

  • Adobe Reader U3D CLODProgressiveMeshDeclaration exploit (critical) CVE likely: CVE_2009_3953
    The PDF combines malformed U3D 3D content with a JavaScript/action trigger. CVE-2009-3953 is an array-boundary vulnerability in the U3D CLODProgressiveMeshDeclaration parser of Adobe Reader/Acrobat, triggered by malformed U3D data inside a PDF and fixed in APSB10-02 (Reader/Acrobat 9.3 and 8.2). Exploits for this class of bug pair the malformed stream with JavaScript that prepares the heap, which is why the trigger and the 3D stream are scored together rather than separately.
  • U3D/3D content in PDF: Adobe Reader 3D parser CVE-family indicator (high) PDF_U3D_CVE_RELATED
    The PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution; CVE-2011-2462 (APSA11-04) was exploited in targeted attacks before a patch existed. U3D content is extremely rare in ordinary documents, so its presence alone is a strong triage signal even before the stream is parsed.
  • Encrypted PDF carries /OpenAction: payload hidden from static analysis (high) PDF_ENCRYPTED_WITH_JS
    The PDF declares /Encrypt in its trailer and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern for delivering weaponised JavaScript that cannot be inspected without the decryption key. In practice a lure the victim can open without a password prompt is encrypted under an empty user password, so the streams can be recovered with qpdf --decrypt (or any library implementing the standard security handler) and the file re-scanned; only a non-empty user password hides the content from the analyst as well.
  • JavaScript action (low) PDF_JAVASCRIPT
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) PDF_JS
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form (low) PDF_XFA
    The PDF uses XML Forms Architecture (XFA). XFA packets can carry their own script logic (JavaScript or FormCalc) and are a second execution channel besides /JS, so the XFA stream should be decoded and reviewed, not just the /JS objects.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.microsoft.org/schema/xci/2.6/
    • http://www.microsoft.org/schema/xffdsa-template/2f/
    • http://ns.adobe.com/xdp/
    All three have the shape of XML namespace identifiers from the XFA/XDP packet rather than retrieval URLs (http://ns.adobe.com/xdp/ is the standard XDP namespace), which is consistent with the XFA indicator above. The two microsoft.org URIs do not use the www.xfa.org host that the standard XFA schema namespaces use, which is worth a closer look, but by themselves they are not contact or download indicators.
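The indicator list above is the kind of name-object scan a first-pass PDF triage tool performs. The script below is an added example written for this page, not the scanner's own code: it re-implements the report's rule ids (PDF_ENCRYPTED_WITH_JS, PDF_U3D_CVE_RELATED, PDF_JAVASCRIPT, PDF_JS, PDF_XFA) as regular expressions over the raw bytes and over inflated FlateDecode streams, expands #xx name escapes so /Java#53cript is not missed, labels each extracted URL with the channel that carries it, and demonstrates why the encrypted-stream case is a blind spot. The rule U3D_WITH_TRIGGER, the severity weights, and the skeletal sample PDF it builds inline are all hypothetical and constructed here; they stand in for the report's CLOD-declaration parser, its scoring, and the analysed file respectively.

```python
import re
import zlib

# Name objects the report's heuristics key on. PDF names may carry #xx hex
# escapes (/Java#53cript), a classic evasion, so every view is normalised first.
INDICATORS = {
    "Encrypt": re.compile(rb"/Encrypt\b"), "OpenAction": re.compile(rb"/OpenAction\b"),
    "AA": re.compile(rb"/AA\b"), "JavaScript": re.compile(rb"/JavaScript\b"),
    "JS": re.compile(rb"/JS\b"), "XFA": re.compile(rb"/XFA\b"),
    "U3D": re.compile(rb"/Subtype\s*/U3D\b|/3DD\b|/Subtype\s*/3D\b"),
}
# Rules modelled on the report's labels. Weights are hypothetical; U3D_WITH_TRIGGER
# is a structural stand-in for the report's CLOD-declaration rule, which parses
# the U3D block itself, whereas this script only sees the PDF names around it.
WEIGHTS = {"critical": 100, "high": 50, "low": 10}
TRIGGERS = {"OpenAction", "AA", "JavaScript", "JS"}
RULES = [
    ("U3D_WITH_TRIGGER", "critical", lambda f: "U3D" in f and bool(f & TRIGGERS)),
    ("PDF_U3D_CVE_RELATED", "high", lambda f: "U3D" in f),
    ("PDF_ENCRYPTED_WITH_JS", "high", lambda f: "Encrypt" in f and bool(f & {"OpenAction", "AA"})),
    ("PDF_JAVASCRIPT", "low", lambda f: "JavaScript" in f),
    ("PDF_JS", "low", lambda f: "JS" in f),
    ("PDF_XFA", "low", lambda f: "XFA" in f),
]
FLATE_STREAM_RE = re.compile(rb"/FlateDecode[^>]*>>\s*stream\r?\n(.*?)\nendstream", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s<>\"'()\[\]]+")

def normalise_names(view: bytes) -> bytes:
    """Expand #xx escapes so /Java#53cript matches as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), view)

def inflate_streams(data: bytes):
    """Inflate FlateDecode streams (object streams hide names from a raw scan).
    Returns (bodies, failures). In a file with /Encrypt the stream bytes are
    ciphertext and end up as failures: the blind spot PDF_ENCRYPTED_WITH_JS scores."""
    inflated, failed = [], 0
    for m in FLATE_STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            failed += 1
    return inflated, failed

def extract_urls(views):
    """Label each URL with the channel carrying it, judged from the 40 bytes before it."""
    urls = {}
    for v in views:
        for m in URL_RE.finditer(v):
            ctx = v[max(0, m.start() - 40):m.start()]
            if b"xmlns" in ctx:
                channel = "xml-namespace"  # XFA/XDP schema URI, not something fetched
            elif b"/URI" in ctx:
                channel = "link-annotation"
            elif b"/JS" in ctx or b"/JavaScript" in ctx:
                channel = "javascript"
            else:
                channel = "document-body"
            urls.setdefault(m.group(0).decode("latin-1"), channel)
    return urls

def scan_pdf(data: bytes, inflate: bool = True) -> dict:
    """Match the indicators over the raw file plus inflated streams, then score."""
    inflated, failed = inflate_streams(data) if inflate else ([], 0)
    views = [normalise_names(v) for v in [data] + inflated]
    found = {name for name, pat in INDICATORS.items() if any(pat.search(v) for v in views)}
    hits = [(rid, sev) for rid, sev, pred in RULES if pred(found)]
    return {"indicators": sorted(found), "rules": hits,
            "risk_score": sum(WEIGHTS[sev] for _, sev in hits),
            "uninflatable_streams": failed, "urls": extract_urls(views)}

def build_sample_pdf() -> bytes:
    """Constructed sample, not the analysed file: a skeletal PDF with the report's
    indicator mix. Not openable in a viewer, and its streams are not actually
    encrypted despite the /Encrypt entry in the trailer."""
    xfa = b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template/></xdp:xdp>'
    # The JavaScript action exists only inside a compressed object stream.
    objstm = zlib.compress(b"9 0 << /Type /Action /S /Java#53cript /JS (app.alert('x')) >>")
    objs = [
        (1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 9 0 R /AcroForm << /XFA 4 0 R >> >>"),
        (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        (3, b"<< /Type /Page /Parent 2 0 R /Annots [5 0 R 7 0 R] >>"),
        (4, b"<< /Length %d >>stream\n" % len(xfa) + xfa + b"\nendstream"),
        (5, b"<< /Type /Annot /Subtype /3D /3DD 6 0 R >>"),
        (6, b"<< /Type /3D /Subtype /U3D /Length 4 >>stream\nU3D\x00\nendstream"),
        (7, b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/next) >> >>"),
        (8, b"<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>stream\n"
            % len(objstm) + objstm + b"\nendstream"),
        (10, b"<< /Filter /Standard /V 1 /R 2 /P -1 >>"),  # skeletal encryption dictionary
    ]
    out = b"%PDF-1.7\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in objs)
    return out + b"trailer\n<< /Root 1 0 R /Encrypt 10 0 R /Size 11 >>\n%EOF\n"

if __name__ == "__main__":
    sample = build_sample_pdf()
    print("raw scan:", scan_pdf(sample, inflate=False)["rules"])
    print("with inflated streams:", scan_pdf(sample)["rules"], scan_pdf(sample)["urls"])
```

Run stand-alone it prints two rule lists: the raw scan already fires the U3D, encryption and XFA rules from the names in the catalog and annotations, but PDF_JAVASCRIPT and PDF_JS only appear once the object stream is inflated, because the action dictionary lives inside it and its name is hex-escaped. On a genuinely encrypted sample the FlateDecode bodies are ciphertext, zlib rejects them and they are counted in uninflatable_streams; that is the situation the report describes, and the fix is to decrypt first (qpdf --decrypt for an empty user password) and scan again. The URL labels show why the XDP namespace URI above is reported under a schema channel rather than as a link.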

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0012_000.js
  SHA-256: 9a76f9ad116c02f07f5fc40fc67f93e268ac464902ecde4571bdafe2731b2e20
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 12 at offset 0xC8D
  Size:    8144 bytes

Filename: javascript_obj0012_001.js
  SHA-256: e3101b75ee6bd1d8f0e77186a1f1bf3d65a34a4de62aa32ee75307c7ad1c8749
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 12 at offset 0xCB0
  Size:    137396 bytes

Filename: u3d_00_off00000739.bin
  SHA-256: 9987a20b56ce3355d60095d528241ea7b6d70eb26b602f52e84f8ba4b09d58d1
  Kind:    pdf-3d-stream
  Source:  PDF U3D 3D stream at offset 0x739
  Size:    1296 bytes

Both JavaScript carvings come from object 12, and the second one runs for 137396 bytes from offset 0xCB0, which reaches the end of the 137.3 KB file. That is consistent with a carve that could not find a trustworthy stream boundary rather than with a second script, so the two files should be compared before either is treated as a distinct payload. Since the document is encrypted, the carved stream bodies are expected to be ciphertext; decrypt the file first (see the PDF_ENCRYPTED_WITH_JS note above) before attempting to read or deobfuscate them.