PDF malware analysis — malicious · 98c1b519c2ddc490

MALICIOUS

PDF

8.4 KB Created: 2009-01-35 62:12:26 Authoring application: Adobe

MD5: 12f2813896196c398963c9c08f4fcd09 SHA-1: cc8841d6b5bb5e7bd155e2918af7e6ebae11b7e6 SHA-256: 98c1b519c2ddc490c6852ce6621a34a3977485988b38b212de99c0962f3197e4

206 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link T1204.002 Malicious File

Multiple critical heuristics indicate the exploitation of CVE-2009-4324, CVE-2009-0927, and CVE-2007-5659 via embedded JavaScript within the PDF. The JavaScript is heavily obfuscated but appears to be designed to download and execute a secondary payload. The PDF structure and embedded JavaScript streams are consistent with exploit delivery mechanisms.

Heuristics 7

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0014_000.js` `adaecc046075523ea4a449787b3d373f1fb9110382d647161f80a9c384eec603`	pdf-javascript-stream	PDF /JS object 14 at offset 0x1721	677 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`javascript_obj0015_001.js` `1d2714a43ca2d473a0ba4245fa47780ddc0a566ad1899c37fdcca0b06ba24e18`	pdf-javascript-stream	PDF /JS object 15 at offset 0x18A7	711 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`javascript_obj0016_002.js` `18ffa42bebb4c921c138416912b1ae6cea8c6352bb03fb2b502a37591454808c`	pdf-javascript-stream	PDF /JS object 16 at offset 0x1A36	766 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`javascript_obj0017_003.js` `2ee8812a64ec03e22ba75a6c4957c68c76b2ff5bb1e02d7eedfaa7b4d0cea9e0`	pdf-javascript-stream	PDF /JS object 17 at offset 0x1BA1	843 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`javascript_obj0018_004.js` `8388be09c32b84c307c2fdd8126c68e480010b768d1171f1fc48010c5be9a4ee`	pdf-javascript-stream	PDF /JS object 18 at offset 0x1D89	400 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_000.js` `c228d3c78b8c8da2bb4d0fa617edd311b5116377305a2de7e1d46980b9fa7a0d`	deobfuscated-js	repeated-marker hex decoded JavaScript at offset 0x1D2	2938 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
`legacy_pdfkit_stage_001.js` `f971e795dce0571b4538993a6d9de80061ba1c2fa03acb82431345411e3a4f53`	deobfuscated-js	repeated-marker hex decoded JavaScript at offset 0x95E	1634 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_002.js` `9d2674b9fefb02e4cf381ff8d3b12518de82b4d208f8f5cbcfafae36b793e9d4`	deobfuscated-js	repeated-marker hex decoded JavaScript at offset 0xFCC	1800 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.