PDF malware analysis — malicious · 9c5726511f0e5155

MALICIOUS

PDF

34.0 KB

MD5: f2535f58afa69d8361f733524e42f9eb SHA-1: 546f513fbc12eb0633a8326171d69632d008571c SHA-256: 9c5726511f0e5155250e6d6dfa422dcb55d60c1f5bf673e9eb1216b64be33a56

94 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution: Malicious Attachment T1059.001 Command and Scripting Interpreter: JavaScript

The PDF file contains embedded JavaScript and a U3D object, which is a known vector for exploiting Adobe Reader vulnerabilities. The ML classifier strongly indicates maliciousness. The embedded JavaScript is likely responsible for executing the exploit and downloading a second-stage payload, although its exact function is obscured by obfuscation. The primary IOC is the file hash.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED

PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
syncAnnotScan annotation-staging primitive low PDF_FOXIT_SYNCANNOTSCAN

PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (matched in decompressed stream)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0009_000.js` `13e428efbba6d9f497c253ef53ac3f08561c5f9f3f489b4e0fd8def3952ba1fd`	pdf-javascript-stream	PDF /JS object 9 at offset 0x2443	539 bytes
`deobfuscated.js` `b488b4a4ac3a463a6446e70103e8419db061cebe3bbf5321af59ef175e296954`	deobfuscated-js	PDF JavaScript deobfuscation pass	76362 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.