PDF malware analysis — malicious · 8fcc49b8aeb99f16

MALICIOUS

PDF

17.2 KB

MD5: 7491c4071f5bf1aa58c8732828bc8f96 SHA-1: ae1171166c39a1b23ef5e15e601aaa7b30ed962a SHA-256: 8fcc49b8aeb99f16f59192cc6c26626a8c5979b6ed26f1f4e830ca3d9cc7f004

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link

The PDF sample contains obfuscated JavaScript, triggered by the CVE-2009-4324 vulnerability via the media.newPlayer API. The JavaScript utilizes eval() and unescape() functions, indicating a high likelihood of dynamic code execution and payload delivery. Several deobfuscated JavaScript files were extracted, further supporting the presence of malicious scripting. The primary attack vector appears to be exploiting a known PDF vulnerability to achieve arbitrary code execution.

Heuristics 5

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `eca57500bd97d5b02f4773e11e557396b98a533e20e094b89141756e3a243ed8`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	3364 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
`javascript_obj111712_001.js` `c5fbf127d28e6db4f668f6049632afa05aa07927c92f4bc184761036d46e0cca`	pdf-javascript-stream	PDF /JS object 111712 at offset 0xEE8	10997 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
`javascript_obj111713_002.js` `8caf5cf47e575abed40cdb084a2b27a70e4a7124612e67012a231d8158860f8e`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x3A13	2660 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `aa3d09032cb4891a2b09f7f373f7baa6c7f06401823b8a6a6d9c25ddba6bb2e8`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0xEE8	1088 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `fa44c3a6a5df9dd0c4918db03b8a33dc1e24bba8204a13d66510a81c2b2e6f17`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x3A13	166 bytes
`legacy_pdfkit_stage_002.js` `57ce2d33f1e7149765aaefa69f1a6127a05f0237eb6862131676ac3c11fed280`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0xEE8	1255 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.