Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c572db8b920d649…

MALICIOUS

PDF

1.62 MB
MD5: 006dca6a6be401879cf0087af18984bc SHA-1: 441ad151f1cf5909187b136ffa13deac757d28ba SHA-256: 8c572db8b920d6499ae7bf5b09a7f1d8addd47a1b1029107d1fcc36564544891
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript T1204.002 Malicious Link

The PDF file contains embedded JavaScript, which is triggered by the CVE-2009-4324 vulnerability related to media.newPlayer. The JavaScript is obfuscated but appears to be designed to download and execute a second-stage payload. The critical heuristic firing directly indicates the exploit used.

Heuristics 3

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0017_000.js
7fc90138dd759812a899a73e2e48f59e59405a49038d58f7d2e30c45f79528e9		 pdf-javascript-stream PDF /JS object 17 at offset 0x4DA 3098 bytes
js_property_alias_stage_000.js
f2a1ec7e2a971c61cb902cce3430b1d8ff12153f0b7f9fc8b19c9798d5b57aff		 deobfuscated-js JavaScript hex-escape property alias normalized stage at offset 0x4DA 2921 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.