PDF malware analysis — malicious · 923acdb22884a400

MALICIOUS

PDF

7.3 KB Created: 2009-01-35 62:12:26 Authoring application: Adobe

MD5: e73241a6660374316927af82d65083cf SHA-1: 0eeda8fde14a78cd78d2045651ff2bd4485def42 SHA-256: 923acdb22884a400394bdb0688e648e8a7816666375fe396f9d55d59ba105b81

340 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious Link

This PDF file is identified as malicious by ClamAV (Pdf.Dropper.Agent-7283220-0) and exhibits multiple critical heuristic firings related to known PDF exploits. The embedded JavaScript, particularly within the legacy_pdfkit_stage files, utilizes `eval()` and `unescape()` functions, indicating an attempt to obfuscate and execute malicious code. The exploits targeted are CVE-2009-4324 (media.newPlayer), CVE-2009-0927 (Collab.getIcon), and CVE-2007-5659 (Collab.collectEmailInfo), which are commonly used to achieve arbitrary code execution.

Heuristics 9

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
ClamAV: Pdf.Dropper.Agent-7283220-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7283220-0
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0032_000.js` `65bae695c6f600d0cf6f40dc70cf0c2a43bad4a0d582fcd27fe444a8047fb2a1`	pdf-javascript-stream	PDF /JS object 32 at offset 0x41A	130 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`javascript_obj0034_001.js` `a060a758aea4f5575f19fb267944d6c19a0f182677961ed71952b47725e2914e`	pdf-javascript-stream	PDF /JS object 34 at offset 0x4D6	127 bytes
`javascript_obj0036_002.js` `579ad2c065da3df0c4d5d061392f5aecfe744ff45b639baad9710e2f38c0dc6c`	pdf-javascript-stream	PDF /JS object 36 at offset 0x101	138 bytes
`javascript_obj0038_003.js` `a562514b1b2d22502e56e9f333b27f9376d26a47c92780d865b58be652535d1f`	pdf-javascript-stream	PDF /JS object 38 at offset 0xC38	162 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`javascript_obj0078_004.js` `fa8ef3f0da25e7e222638c255caf61b3f27557b940f5876020e62119bbcfd229`	pdf-javascript-stream	PDF /JS object 78 at offset 0x7C	39 bytes
`legacy_pdfkit_stage_000.js` `387cfa3a61277af32b5d66faf0aeb31669b9eb980b5b31f2284f11944b6f0438`	deobfuscated-js	repeated-marker hex decoded JavaScript at offset 0x5C4	1634 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `4b473a1a3f3e2dab06c5f7b69375d51e58c03bc990d02d6b8e7b3c6c365451a2`	deobfuscated-js	repeated-marker hex decoded JavaScript at offset 0xD65	1800 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_002.js` `5e576ff154f9d67a0042cffb8b2cb1e6186dc50152faca13c0e891a562f68759`	deobfuscated-js	repeated-marker hex decoded JavaScript at offset 0x13D0	2938 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.