PDF malware analysis — malicious · 89c60ead3f6f65fa

MALICIOUS

PDF

23.7 KB

MD5: 9b0c93a957525ede59a9f713d5f9f2a5 SHA-1: a661ccbc2dbf579f4d302a49fd845c2d93ef5b7f SHA-256: 89c60ead3f6f65fa0be3de578be38dc26f8cdd95ebc564b50135c405835368db

148 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link T1059.007 JavaScript

The PDF file contains embedded JavaScript that utilizes the `eval()` function and `unescape()` to deobfuscate and execute malicious code. The critical CVE-2008-2992 heuristic indicates the exploitation of a known vulnerability in Adobe Reader via `util.printf` to achieve code execution. The embedded JavaScript is designed to download and execute a second-stage payload, as evidenced by the deobfuscated JavaScript files and the ML classifier's high confidence score. The attack pattern is consistent with a PDF-based exploit kit.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `aec0e8fee11845e61afa6a936f0aedeb870e08e0f5965a3b83887ced31125f35`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	3896 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111712_001.js` `f18930a270b3bc296fad263d2a80e15f7e0c41dc7a0c78fc79b82b4d84f44b43`	pdf-javascript-stream	PDF /JS object 111712 at offset 0x10FC	15051 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111713_002.js` `73094c54a474e6d7447ba3332da88f41def95993f13e80104666b0f5423af044`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x4BFD	4744 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `50ffaf5424a50f3e20e7a5013c045c68941fcc5c6a22f83c591180ee703414e7`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x10FC	1418 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `df2e8f38acbcede11c3621c62802a425613ee3b105933e1debbf6452a55bb89f`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x4BFD	384 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
`legacy_pdfkit_stage_002.js` `66b20c2af2aebdb61a67813dcf80f0d600528bac9a246cae32504da3ce0aac8e`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0x10FC	1803 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.