Malware Insights
The PDF sample contains obfuscated JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The critical CVE_2009_4324 firing points to the use of the media.newPlayer sink to trigger an exploit. The JavaScript employs string concatenation and encoding techniques, such as 'v'+'ar '+'Gu9Le68bMi'+' ='+' e'+'v'+'a'+'l;', to hide its malicious intent. The reconstructed JavaScript functions `eval()` and `unescape()` are used to deobfuscate and execute code, likely leading to the download and execution of a secondary payload. The presence of multiple deobfuscated JavaScript files further supports this. No specific family could be identified.
Heuristics 5
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj111711_000.js13a5960761dbac93ca3b614e603f81d06ad83b04579fe45e5d80bd2ff2c53ad8 |
pdf-javascript-stream | PDF /JS object 111711 at offset 0x18E | 2968 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
javascript_obj111712_001.js012fce5474487e2dca6705b50cf0c8e03709fa594202f52ec8e851429f5ab0dc |
pdf-javascript-stream | PDF /JS object 111712 at offset 0xD5C | 9227 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
javascript_obj111713_002.jsfb891fa9b5a4bc5360b4c80e3f7cc88e73cc17a4a943e698e8a2d6214decab0f |
pdf-javascript-stream | PDF /JS object 111713 at offset 0x319D | 2206 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
legacy_pdfkit_stage_000.js3cece914b914841a8b17f6d40f0553e78ef8ed60e76aa68605abeae7e560099e |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0xD5C | 1081 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
legacy_pdfkit_stage_001.jscd7088aa0ba5ce42db7faac79c4063dccc339c8953139714658e9cb6b07c91fc |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x319D | 165 bytes |
legacy_pdfkit_stage_002.js323c6ce3f5bdec0f0b1b46427d81d56be2a318650a0a004998082b9d17c39310 |
deobfuscated-js | multi-marker percent-array combined decoded JavaScript at offset 0xD5C | 1247 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.