PDF malware analysis — malicious · 8ac92fca0f85f557

MALICIOUS

PDF

1.49 MB Created: 2009-05-21 11:49:58 -04:00 Authoring application: Acrobat PDFMaker 8.1 for Word (via Acrobat Distiller 8.1.0 (Windows))

MD5: 0a419945772cc8415239bb6dc031ff83 SHA-1: e5be869cdf49763194179d6ee2e35c2214edd1fc SHA-256: 8ac92fca0f85f55755b700668d7ddea0acd7359e0426ed69363cbde5760aab06

196 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious Link T1566.001 Spearphishing Attachment T1204 User Execution

This PDF file exhibits multiple high-severity heuristic firings related to JavaScript execution and potential exploit preparation, specifically indicating CVE-2010-0188 related activity. The presence of embedded JavaScript streams and actions, combined with a high stream count suggestive of obfuscation, points towards a malicious intent. The document also contains lures for fake invoices and callback phishing, further supporting a malicious purpose. While no specific family is identified, the techniques suggest a downloader or exploit delivery mechanism.

Heuristics 13

JBIG2 + active content high CVE related PDF_JBIG2_ACTIVE_CONTENT

JBIG2Decode appears with JavaScript/XFA/RichMedia — a related indicator for JBIG2 parser-exploit families including CVE-2021-30860 and CVE-2009-0658, but not a unique CVE fingerprint.
CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator high CVE related PDF_CCITT_CVE_2010_0188_RELATED

PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
JBIG2Decode filter medium PDF_JBIG2

JBIG2 image decoder present — historically used in zero-click exploits
Unusually high stream count medium PDF_MANY_STREAMS

PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
External URI low PDF_URI

PDF contains an external URL action
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/g/img/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/xap/1.0/t/pg/
- http://ns.adobe.com/xap/1.0/sType/Dimensions#
- http://ns.adobe.com/xap/1.0/g/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 32

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj4352_000.js` `02763d0b97f3b488fc3a30dd82817accf5fdfff6e3fe5e008636626ae4c3003f`	pdf-javascript-stream	PDF /JS object 4352 at offset 0x25D3	178 bytes
`javascript_obj4370_001.js` `b81c69b1f10d6373625583e9bf50ce17cb3d0b89d1de94e8939b137c2a574be3`	pdf-javascript-stream	PDF /JS object 4370 at offset 0x29F5	102 bytes
`javascript_obj4375_002.js` `3308320d248e15f4247255ac71c51c1093417e81c0c9de702acea883b7fb99ea`	pdf-javascript-stream	PDF /JS object 4375 at offset 0x2B50	83 bytes
`javascript_obj4383_003.js` `9b160d19334bd56892170b86188c49574febdcb9ac509210fcaccee51ca3d16d`	pdf-javascript-stream	PDF /JS object 4383 at offset 0x2D26	187 bytes
`javascript_obj2181_004.js` `86548049d82be4d96b83581cc76ce7a2115efe2f5a25ba97b2ed9b7011876514`	pdf-javascript-stream	PDF /JS object 2181 at offset 0x11D7B7	44 bytes
`javascript_obj2182_005.js` `52071427b82ab987bf3c3cc49290490c66d15eb5d6d0b1c6d352b90a8dd6d98c`	pdf-javascript-stream	PDF /JS object 2182 at offset 0x11D80F	47 bytes
`javascript_obj2210_006.js` `1bfd22ecd64d85c4c83389f5c321fa1df2cc7e0ada42ea8450a29bb193369ff2`	pdf-javascript-stream	PDF /JS object 2210 at offset 0x11F090	56 bytes
`javascript_obj2213_007.js` `a7f5988067f8847b449a97d207d3b1c478f0dd2de9586cdde4846991ab2adc9c`	pdf-javascript-stream	PDF /JS object 2213 at offset 0x11F1A8	64 bytes
`javascript_obj2277_008.js` `997963c4f8fccb6e92e4b3d8910426cbe6564e35ab8ee6c435c2449a60ed7c40`	pdf-javascript-stream	PDF /JS object 2277 at offset 0x122A58	56 bytes
`javascript_obj2280_009.js` `2702e0503a83182f578137dee30abefb6a6f66416c2c0e29694239d1797d12d5`	pdf-javascript-stream	PDF /JS object 2280 at offset 0x122B70	56 bytes
`javascript_obj2283_010.js` `b37af67e1acb4037f6b73959ab0ae7b2bfecdef887d4dc7cea3f00458b77eef6`	pdf-javascript-stream	PDF /JS object 2283 at offset 0x122C88	65 bytes
`javascript_obj2294_011.js` `c812fa1f7d0804ae8135a933fd602dbf40b2a354bd7768f9a0362abc4405970f`	pdf-javascript-stream	PDF /JS object 2294 at offset 0x1236A3	90 bytes
`javascript_obj2297_013.js` `91798ecd92e2f43f96a8c14669a5c168ae5a8d35171751b6a7acca9f8c50f0e6`	pdf-javascript-stream	PDF /JS object 2297 at offset 0x123913	94 bytes
`javascript_obj2299_014.js` `ac085ba32f5bb169e82a77ad2098d0ec1d3d229aafb8828b23183b62d69055dd`	pdf-javascript-stream	PDF /JS object 2299 at offset 0x123B1D	164 bytes
`javascript_obj2331_015.js` `b21c81b444ed9d387bb3e6d106a772f560ef2836ab0c7b5fa9abd85b4fa6b93f`	pdf-javascript-stream	PDF /JS object 2331 at offset 0x125D3F	91 bytes
`javascript_obj2334_016.js` `86271fc741187a75e412a476fca5f2634e8196d231b8179c97ae8cf04b9656ca`	pdf-javascript-stream	PDF /JS object 2334 at offset 0x125F9A	90 bytes
`javascript_obj2360_017.js` `504189b07839845a0b0a6b2fec209b98ef2ce785b9c387ad4ea61078bb8b5fbc`	pdf-javascript-stream	PDF /JS object 2360 at offset 0x1276C9	49 bytes
`javascript_obj2361_018.js` `a88f3ebed05f024d40c36ba90dcf67fad6e570a7de6c7711873d14d9f07821a0`	pdf-javascript-stream	PDF /JS object 2361 at offset 0x12772B	100 bytes
`javascript_obj2364_019.js` `70bdf25ffc7ab416662e0bdf374e264c499c7df49ba0e2f2a627b89ecb45d6d1`	pdf-javascript-stream	PDF /JS object 2364 at offset 0x1278A4	96 bytes
`javascript_obj2409_020.js` `4a11062ce06fdbdf909e26403564cc72f6ea751064561e09fe6d680daa579c4b`	pdf-javascript-stream	PDF /JS object 2409 at offset 0x12A196	91 bytes
`javascript_obj2494_021.js` `a56c28cb40ebf3b49cc5189ac4f9c4a92f69e96703ff4a13e97a2dae640f2aef`	pdf-javascript-stream	PDF /JS object 2494 at offset 0x12F827	91 bytes
`javascript_obj2497_022.js` `acbe5c98bf7357251066e74cab0cb6de5b52176b52c12738dd81d9726e1c2737`	pdf-javascript-stream	PDF /JS object 2497 at offset 0x12FA97	90 bytes
`javascript_obj2630_023.js` `781be7cd12751af7b7c26920e3c6172f0e5b4e8848e9636dec195b34d1ceb852`	pdf-javascript-stream	PDF /JS object 2630 at offset 0x138D28	148 bytes
`javascript_obj2650_024.js` `22a8d36c78278d1275f42b32c1b29d33017804950f86420201a1dea2d59bc639`	pdf-javascript-stream	PDF /JS object 2650 at offset 0x139B8F	47 bytes
`javascript_obj2668_025.js` `f8cbc95388aa6e8c4a785734390d3b178051fe4ef4753eed3bea7e510b074ca4`	pdf-javascript-stream	PDF /JS object 2668 at offset 0x13AAE1	97 bytes
`javascript_obj2816_026.js` `e0ed9548de396d6e016081b2ea298f1fd9f002856f57eb29de833ef16f1ab696`	pdf-javascript-stream	PDF /JS object 2816 at offset 0x141778	172 bytes
`javascript_obj2821_027.js` `caa170e76c2e8a0c908fcc40e088f18b684501e5e118f9ab0501f33a033b4efb`	pdf-javascript-stream	PDF /JS object 2821 at offset 0x141A0B	105 bytes
`javascript_obj2827_028.js` `aefa64db7ad230470a96a35db96b8b432480b005d52c5dc6d7f8d06c06f8e36b`	pdf-javascript-stream	PDF /JS object 2827 at offset 0x141E72	170 bytes
`javascript_obj2833_029.js` `2ec0dfca0217784805ac5f7f489111af0a656dc272cccc4c3c936cb02b90e624`	pdf-javascript-stream	PDF /JS object 2833 at offset 0x142148	103 bytes
`javascript_obj2855_030.js` `809a445cfe2ce6f5e248717d46587743f0fd9e257e02c02b36cb40329972c078`	pdf-javascript-stream	PDF /JS object 2855 at offset 0x1435BF	164 bytes
`javascript_obj2937_031.js` `4b0668787e790e8793c4a21ae1e1eae8d410b45b7ee4216b68e81a2be34fe6d5`	pdf-javascript-stream	PDF /JS object 2937 at offset 0x1493C0	164 bytes
`javascript_obj2938_032.js` `b204e6d9c037ce32d10d4b8d1b64ce99ab2c8dd376c069a4989e593ea902de1c`	pdf-javascript-stream	PDF /JS object 2938 at offset 0x1494A1	164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.