Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a4513ad0ffaa2c2…

MALICIOUS

PDF

5.5 KB Created: 8952-67-92 14:81:19 -39:29 Authoring application: Acrobat Editor 8.0 (via Adobe Acrobat 8.1.0)
MD5: 6ee41b39b1fb2602d129ea4865bf39bb SHA-1: 700882b6cdd7a857205bf593cb204a6db7d91cfc SHA-256: 8a4513ad0ffaa2c29f1e634353e3369065f9a6688c5e2282e5fefaabdfe2aeef
104 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript, triggered by the CVE-2007-5659 vulnerability via the Collab.collectEmailInfo function. The heuristic 'EXTRACTED_FILE_STATIC_TRIAGE' flags the JavaScript stream as suspicious due to obfuscation indicators. This suggests the script's purpose is to download and execute a secondary payload, a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier clean score 0.1105

Heuristics 4

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off000005be.js
8ad9775515e87c98f8f01c2520e0b67d4a94587faf6ba896b413bdd92063cd6e		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5BE 3530 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.