Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bb5dc726581a233…

Verdict: MALICIOUS
File type: PDF
File size: 3.4 KB
MD5: 7fbd9af4000b2ef386bd7a3c37bad1ad
SHA-1: 14a130f8b66c4847bd3f48f0230f53330c69e53b
SHA-256: 9bb5dc726581a233c18644c9d71abf72d437c7112d0d34847ae2db72d064fe2c
Risk Score: 244

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File Execution: Malicious File

The PDF file contains embedded JavaScript and triggers multiple high-severity heuristics tied to known Adobe Reader exploits, specifically CVE-2008-2992 (util.printf) and CVE-2009-1492 (getAnnots). The deobfuscated JavaScript stream indicates attempts to exploit these vulnerabilities, most likely to download and execute a secondary payload. The ClamAV detection (a Pdf.Dropper signature) further confirms the file's role as a dropper.

Heuristics (8)

  • util.printf — CVE-2008-2992 [severity: critical; rule: CVE_2008_2992, CVE exact match]
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure.
  • getAnnots — CVE-2009-1492 [severity: high; rule: CVE_2009_1492, CVE exact match]
    PDF JavaScript calls getAnnots() with an exploit-shaped argument (integer-overflow numeric or long string) — CVE-2009-1492 affects Adobe Reader's annotation handling and allows memory corruption. (identified after static deobfuscation)
  • ClamAV: Pdf.Dropper.Agent-7165870-0 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7165870-0
  • unescape() call [severity: high; rule: PDF_UNESCAPE]
    unescape() found — often used to decode shellcode in PDF JS exploits
  • ASCIIHexDecode filter (with exploit indicators) [severity: medium; rule: PDF_FILTER_HEX]
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive [severity: low; rule: PDF_FOXIT_SYNCANNOTSCAN]
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0007_000.js
    SHA-256: 65e6cc05a19eb53c2156c3d9f65721f01f3c6472dfb42e9210850a28d9f6f257
    Kind: pdf-javascript-stream
    Source: PDF /JS object 7 at offset 0x280
    Size: 120 bytes
  • Filename: deobfuscated.js
    SHA-256: a559a1e8f7b174eb8578678dbcb1d362961b72f87f7203fb45cef43332a1285c
    Kind: deobfuscated-js
    Source: PDF JavaScript deobfuscation pass
    Size: 1785 bytes