Verdict: MALICIOUS
Risk Score: 118
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.001 Malicious Link
T1027 Obfuscated Files or Information
The PDF sample contains three embedded JavaScript streams. The critical finding is a call to media.newPlayer(), the trigger for CVE-2009-4324, which surfaced only after the JavaScript was deobfuscated. The scripts build code from percent-encoded string arrays, decode it with unescape(), and hand it to eval(), a pattern whose purpose is to hide the exploit from static scanners; ClamAV reported nothing on any of the carved artifacts, so the verdict rests on the heuristics below rather than on a signature match. The likely intent is to exploit the Reader multimedia plugin and then run a second-stage payload, probably fetched from a remote host, although no download URL is listed in this report.
Heuristics (5)

| Heuristic | Severity | Rule ID | Description |
|---|---|---|---|
| media.newPlayer (CVE-2009-4324) | critical | CVE_2009_4324 | PDF JavaScript calls media.newPlayer(). CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(); it was actively exploited as a zero-day in December 2009. Exact CVE match, identified after JavaScript deobfuscation. |
| eval() call | high | PDF_EVAL | eval() found; commonly used to execute obfuscated exploit code. |
| JavaScript action | low | PDF_JAVASCRIPT | PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. |
| Embedded JS stream | low | PDF_JS | PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
Extracted artifacts (6)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size | ClamAV | Obfuscation or payload | Static triage notes |
|---|---|---|---|---|---|---|---|
| javascript_obj111711_000.js | 11a3e049f6515da3cfbde897b08296a7456ba80994b853eb0fe402f87d513e70 | pdf-javascript-stream | PDF /JS object 111711 at offset 0x18E | 3161 bytes | No threats found | likely | 1 eval/decoder/string-building token; 6 long base64-like blobs |
| javascript_obj111712_001.js | b9f7007c57281996e204f7e5a8c59f466ddf7aad733bdb768136ea07478c9b3d | pdf-javascript-stream | PDF /JS object 111712 at offset 0xE1D | 11987 bytes | No threats found | likely | 1 eval/decoder/string-building token; 6 long base64-like blobs |
| javascript_obj111713_002.js | c987a17251da37a15741cded103900c57f0b4de6c7c3c24b15cb773ad081eb71 | pdf-javascript-stream | PDF /JS object 111713 at offset 0x3D26 | 2229 bytes | No threats found | likely | 1 eval/decoder/string-building token; 6 long base64-like blobs |
| legacy_pdfkit_stage_000.js | 14d9d23d619682a659b666d1537fbe47a8cc4db49b0c37d63714847d39b24a42 | deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0xE1D | 1080 bytes | No threats found | likely | 2 eval/decoder/string-building tokens |
| legacy_pdfkit_stage_001.js | e8f2b210c6dfbb81018e11f8655e9196095c1a3bf2e67c36e34b5dea911d1afe | deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x3D26 | 170 bytes | | | |
| legacy_pdfkit_stage_002.js | 830bcc229eb8abaf4dca1d887900bd7e35f4161db6fc5fa573d7f24055a8b47e | deobfuscated-js | multi-marker percent-array combined decoded JavaScript at offset 0xE1D | 1251 bytes | No threats found | likely | 2 eval/decoder/string-building tokens |

The offsets tie the decoded stages back to their parents: stage_000 and stage_002 were recovered from the stream at 0xE1D (object 111712), stage_001 from the stream at 0x3D26 (object 111713), while the stream at 0x18E (object 111711) produced no decoded stage. Detection fields for stage_001 are not present in the report as captured. Note that the decoded stages are where the media.newPlayer() call becomes visible; none of the raw streams, and none of the decoded ones, are flagged by ClamAV.
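The triage pipeline this report reflects (carve the /JS streams, peel the percent-array obfuscation, then score dangerous API calls such as media.newPlayer() and eval()) can be reproduced in a few dozen lines. The following is an added example written for this page, not the analyzer's own code. The PDF bytes are constructed and do not reproduce the analysed sample; the rule IDs are borrowed from the report for readability, but the severities, the verdict thresholds, and the regex-based rule logic are my own assumptions. It handles only uncompressed streams and single-layer %XX encoding, which is enough to show why the CVE hit appears only "after deobfuscation".

```python
"""Static triage of JavaScript embedded in a PDF.

Carves the streams a /JS key references, peels one layer of
unescape()-style percent-array obfuscation without executing any JavaScript,
and scores the findings against rules modelled on the ones in the report
above. Added example, not the analyzer's own code; the PDF bytes, the
severity labels and the verdict thresholds are all constructed/assumed."""
import re
import urllib.parse

# Constructed sample: one /JavaScript action whose /JS stream assembles
# "media.newPlayer(null)" from a percent-encoded array and eval()s it.
# /Length is omitted; the carver below keys on stream/endstream instead.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS 3 0 R >> endobj
3 0 obj << >>
stream
var p = ["%6d%65%64%69%61", "%2e%6e%65%77%50%6c%61%79%65%72", "%28%6e%75%6c%6c%29"];
var s = ""; for (var i = 0; i < p.length; i++) s += unescape(p[i]);
eval(s);
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "N 0 obj << dict >> stream ... endstream"; the tempered dot keeps the
# dictionary match from running across an intervening endobj.
STREAM_RE = re.compile(
    rb"(\d+)\s+0\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+0\s+R")
# A string literal made only of %XX escapes, as used by percent-array loaders.
PCT_LITERAL_RE = re.compile(r'["\']((?:%[0-9a-fA-F]{2})+)["\']')

# (rule id, severity, pattern): ids follow the report, severities are assumed.
HEURISTICS = [
    ("CVE_2009_4324", "critical", re.compile(r"media\.newPlayer\s*\(")),
    ("PDF_EVAL", "high", re.compile(r"\beval\s*\(")),
]
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def carve_js_streams(pdf: bytes):
    """Return [(obj_num, byte_offset, raw_js)] for every uncompressed stream
    object referenced from a /JS key. Real carvers also inflate /FlateDecode
    streams and handle inline /JS (...) literals; both are left out here."""
    referenced = {int(n) for n in JS_REF_RE.findall(pdf)}
    return [(int(m.group(1)), m.start(), m.group(3))
            for m in STREAM_RE.finditer(pdf) if int(m.group(1)) in referenced]


def decode_percent_arrays(js: str) -> str:
    """Decode every all-%XX string literal and join them in source order,
    approximating what the script's unescape()/concat loop would build.
    One layer only; %uXXXX escapes and arithmetic decoders are not handled."""
    return "".join(urllib.parse.unquote(lit) for lit in PCT_LITERAL_RE.findall(js))


def score_js(raw_js: bytes):
    """Run the API heuristics over the raw text and, failing that, over the
    deobfuscated text, recording which layer produced the hit."""
    js = raw_js.decode("latin-1")
    decoded = decode_percent_arrays(js)
    hits = []
    for rule_id, severity, pattern in HEURISTICS:
        if pattern.search(js):
            hits.append((rule_id, severity, "raw"))
        elif pattern.search(decoded):
            hits.append((rule_id, severity, "after deobfuscation"))
    return decoded, hits


def triage(pdf: bytes) -> dict:
    """Document-level rules plus per-stream hits; verdict thresholds are assumed."""
    hits = []
    if b"/JavaScript" in pdf:
        hits.append(("PDF_JAVASCRIPT", "low", "document"))
    if re.search(rb"/JS\b", pdf):
        hits.append(("PDF_JS", "low", "document"))
    streams = []
    for obj, offset, raw in carve_js_streams(pdf):
        decoded, stream_hits = score_js(raw)
        streams.append({"obj": obj, "offset": offset, "decoded": decoded, "hits": stream_hits})
        hits.extend(stream_hits)
    worst = max((SEVERITY_RANK[h[1]] for h in hits), default=0)
    verdict = "MALICIOUS" if worst >= 4 else "SUSPICIOUS" if worst >= 3 else "LOW"
    return {"verdict": verdict, "hits": hits, "streams": streams}


if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    print(result["verdict"])
    for s in result["streams"]:
        print(f"obj {s['obj']} at 0x{s['offset']:X}: {s['decoded']!r}")
        for rule_id, severity, layer in s["hits"]:
            print(f"  {severity:8} {rule_id} ({layer})")
```

On the constructed sample, eval() is matched in the raw stream, while media.newPlayer() is only found in the decoded text, mirroring the "identified after JavaScript deobfuscation" note on the report's critical rule. The same split is why a signature engine that scans only the raw stream bytes, as ClamAV did here, can report nothing on a sample that a deobfuscating heuristic scorer rates critical.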