Malicious PDF — malware analysis report

Static analysis result for SHA-256 915a0875f713d3a5…

Verdict: MALICIOUS
File type: PDF
Size: 23.7 KB
MD5: 52f7c9795a219fc745175191446ea020
SHA-1: 78690c2eae39f4843cb0330b4f6602d9eba97d4a
SHA-256: 915a0875f713d3a51d63eed4658f5ccbc0a97087e588fa4bad001e3aebbadd28
Risk Score: 118

Malware Insights

MITRE ATT&CK
T1059.001 (PowerShell), T1204.001 (Malicious Link)

The PDF sample contains obfuscated JavaScript, as indicated by multiple heuristic firings (PDF_JAVASCRIPT, PDF_JS and PDF_EVAL). The critical CVE_2008_2992 firing specifically flags the use of util.printf together with encoded JavaScript, pointing to an exploit for this vulnerability. The embedded JavaScript streams and the deobfuscated stages suggest that the script's purpose is to download and execute a secondary payload. The reconstructed string 'v'+'ar '+'d0Ro4Gdg'+' ='+' e'+'v'+'a'+'l; v'+'ar'+' W56Mg96P3F9 '+'= u'+'nes'+'cap'+'e;'+'va'+'r '+'CTD5PAHtj2 '+'= S'+'tr'+'in'+'g;' confirms that eval and unescape are aliased to hide the decoding and execution steps.

Heuristics (5)

  • util.printf — CVE-2008-2992 [severity: critical; rule: CVE_2008_2992 (exact CVE match)]
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • eval() call [severity: high; rule: PDF_EVAL]
    eval() found — commonly used for obfuscated exploit execution.
  • JavaScript action [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists the filename, SHA-256, kind, source, size and detection results.

  • javascript_obj111711_000.js
    SHA-256: da0aaeab59780b84b97a983a2e980fbf4043ce8ecd006054b3e21eb13da004e8
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111711 at offset 0x18E
    Size: 3364 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s) and 4 long base64-like blob(s).
  • javascript_obj111712_001.js
    SHA-256: 52388d1fbfb7f0bba48669652d9de67332ae7648b0095ab2b8ce73a7a1969a51
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111712 at offset 0xEE8
    Size: 15365 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s) and 5 long base64-like blob(s).
  • javascript_obj111713_002.js
    SHA-256: 48b12e85541df29580856887f017edb59dec497015f4d19330e81638d2e24549
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111713 at offset 0x4B23
    Size: 4913 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s) and 5 long base64-like blob(s).
  • legacy_pdfkit_stage_000.js
    SHA-256: a63d87f2b143513c65d1743d1dc1458eace0797e16ff17319fa0a362817b3dff
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0xEE8
    Size: 1413 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
  • legacy_pdfkit_stage_001.js
    SHA-256: 774af3d2df8dba3025f29ff3672ead0e9ac42c2c20cd40ffdb35158d622eb1fd
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0x4B23
    Size: 392 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).
  • legacy_pdfkit_stage_002.js
    SHA-256: ca1cceae8e4b3a5893d9ab6acea3cffee3ec0f2dbfbd2f120d494907a17070d3
    Kind: deobfuscated-js
    Source: multi-marker percent-array combined decoded JavaScript at offset 0xEE8
    Size: 1806 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s) and 1 long base64-like blob(s).