Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c60d1c79ddcbc44…

MALICIOUS

PDF

58.7 KB
MD5: 1f2cc9238129512c6f118ffdfec79189 SHA-1: 31d658a871d3974c55ec310742ad7a07310bd0ba SHA-256: 9c60d1c79ddcbc446c41fbc523e8818ace5624dbbe38a9fa6da092f2a582a498
76 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution T1059.001 Command and Scripting Interpreter: JavaScript

The PDF file contains embedded JavaScript, identified by the PDF_JAVASCRIPT and PDF_JS heuristics. The critical CVE_2009_4324 heuristic indicates that the file exploits a known vulnerability in Adobe Reader related to the media.newPlayer API. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, a common technique for initial access and further infection.

Heuristics 3

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
bc080f1a1dc5e06de140f5efef899b9bc9314e685776e1cc02bc69db3815a6ea		 pdf-javascript-stream PDF /JS object 8 at offset 0x210 3125 bytes
legacy_pdfkit_stage_000.js
42c3f4df375ff6f58ff655cc4f88b5cc28f0dd33b978390db3538684a6219b74		 deobfuscated-js string-concatenation normalized Acrobat API aliases at offset 0x210 126 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.