PDF malware analysis — malicious · 8b7d5f1c285739e3

MALICIOUS

PDF

17.0 KB

MD5: c38bdae527c2fb05af74e4bcc7509258 SHA-1: c6ece6bde489ad43f3a1c1697f21d0ffe2c98d4c SHA-256: 8b7d5f1c285739e34338c803a21b523c27d60ab0013dd8288378cb70d0f09b31

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF sample contains heavily obfuscated JavaScript, including multiple calls to eval() and unescape(). Static analysis identified the use of CVE-2009-4324, indicating an exploit targeting a known vulnerability in Adobe Reader. The embedded JavaScript is designed to deobfuscate and execute further stages, likely leading to the download of a malicious payload. The obfuscation techniques and exploit vector suggest a downloader or initial access stage of a broader attack.

Heuristics 5

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `96b78bc24a2e96ee9ac9281085fcf635d5700114ef8f33011bb0eabba01e96bb`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	2893 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111712_001.js` `0cc54a5bd330de27fbb086efb034da3246171d556529a7cb01670ff3df5bc58a`	pdf-javascript-stream	PDF /JS object 111712 at offset 0xD11	11616 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111713_002.js` `4d530b12c9895d1a5b9665a7fee25c036b6864507dcb23bae390fc92bb660e5c`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x3AA7	2268 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `1cd508c94452943df4055f909500433641f33ae337d845a4ffbf0c83f2fd1027`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0xD11	1081 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `5091795dc7dfd1e269d30a5ab394f1536cab6157b0cb74b7e26a9fdc9129a46f`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x3AA7	165 bytes
`legacy_pdfkit_stage_002.js` `898196acecb48e4e480008b67a684c0165247f6a98473f53eaf652cf4a37020f`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0xD11	1247 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.