Malicious PDF — malware analysis report

Static analysis result for SHA-256 989971485e81bad9…

MALICIOUS

PDF

65.3 KB Created: 2009-07-08 10:53:46 +08:00 Authoring application: Acrobat Distiller 7.0 (Windows)
MD5: 3cc70bd2f6059cceb9b7bd14db40d9d2 SHA-1: 085c43943a4a2865e2a61375724caeacbe54ab3a SHA-256: 989971485e81bad91e5d23cca7b0525a58b52f052f6f7b85f0237bb4a9891564
Risk Score: 76

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF document contains embedded JavaScript that leverages the CVE-2009-4324 vulnerability. The heuristic 'CVE_2009_4324: media.newPlayer' indicates that the PDF launcher concatenates info fields, extracts characters at a fixed stride, and evaluates the result. This suggests the script is designed to exploit this known vulnerability to achieve arbitrary code execution. No specific malware family could be identified, and no malicious URLs were extracted.

Heuristics (4)

  • media.newPlayer — CVE-2009-4324 [critical] [CVE exact] CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0017_000.js
    SHA-256: 828ebb87163ecaf16d413e543f080da83ca41597d02b835da55542898af11cb3
    Kind: pdf-javascript-stream
    Source: PDF /JS object 17 at offset 0x4DA
    Size: 3089 bytes
  • Filename: js_property_alias_stage_000.js
    SHA-256: f2a1ec7e2a971c61cb902cce3430b1d8ff12153f0b7f9fc8b19c9798d5b57aff
    Kind: deobfuscated-js
    Source: JavaScript hex-escape property alias normalized stage at offset 0x4DA
    Size: 2921 bytes