PDF malware analysis — malicious · 8ea9f5a1df075211

MALICIOUS

PDF

20.8 KB

MD5: 5f0849d55916aa68f3458518d0bd5d48 SHA-1: e44625a3e9b788e547c161759d277a9e8e22815f SHA-256: 8ea9f5a1df07521147d78a6c08167bfd29157748ccbc23b137bc016c13055e83

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link

The PDF sample contains obfuscated JavaScript that leverages the 'eval()' function and the 'Collab.collectEmailInfo' method, indicating exploitation of CVE-2007-5659. The script is designed to download and execute a second-stage payload. The high confidence is due to the direct identification of a known CVE trigger and the presence of multiple JavaScript streams.

Heuristics 5

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `cba0f364cdfe4c6f31aadf3165ea807f775f1c0ef8c8255f9e831ad586c0e5b6`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	3396 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111712_001.js` `be81f8a846f6501b6a5d028d5d6b5eb11fc1f07f3f5db5da146b6b969b6503ac`	pdf-javascript-stream	PDF /JS object 111712 at offset 0xF08	15943 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111713_002.js` `bb8688b72c954bddf3edeeacb9a02216d58b4ce8af66cab0b46205242aea26d5`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x4D85	1413 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_000.js` `268f505a2e91a3e28e37c70c2458f6506735c0def386533aec9bcdd19bf37734`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0xF08	1477 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `66201566cb7b94b96d78c07e61c80e11578b5125ea85cc864e3cc788698af3dd`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x4D85	79 bytes
`legacy_pdfkit_stage_002.js` `c436d6ef52ab7d9f107dd028837a47419a89b437a3df48bc21a3b71d752de9a7`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0xF08	1557 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.