PDF malware analysis — malicious · 9f7451faddf3f7df

MALICIOUS

PDF

689.4 KB Created: 2010-06-11 15:34:24 +08:00

MD5: 189aac02af90ad89917473400ed977e3 SHA-1: 3af0b02eec1c83c125145b3d7723ed69cd9735bc SHA-256: 9f7451faddf3f7df29af4a5e10fbcaf61f0a0edabd46dbda032e8f871dc860d9

600 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell T1190 Exploit Public-Facing Application

This PDF file is malicious, containing multiple exploit attempts targeting Adobe Reader and Flash Player, specifically CVE-2010-1297, CVE-2011-2462, and CVE-2009-4324. It embeds JavaScript and Flash content, including an SWF file named 'AES-PHP.swf', which likely serves as a downloader for a second-stage payload. The extracted JavaScript code, though obfuscated, indicates attempts to download and execute further malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9952

Heuristics 16

Adobe Flash authplay SWF exploit in PDF — CVE-2010-1297 critical CVE likely CVE_2010_1297_FLASH_RICHMEDIA

PDF combines RichMedia Flash activation, a crafted SWF with ActionScript prototype/AVM-era markers or the AES-PHP/authplay variant markers, and PDF-side shellcode heap-spray staging. This is the static delivery shape associated with CVE-2010-1297 in Adobe Reader's bundled authplay.dll.
Adobe Reader U3D/RichMedia parser exploit critical CVE likely CVE_2011_2462_RICHMEDIA_U3D

PDF combines U3D stream markers with RichMedia and JavaScript/XFA activation surfaces. This is the U3D RichMedia exploit document shape associated with CVE-2011-2462, even though the U3D marker is not exposed through the canonical /Subtype /U3D dictionary.
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
ClamAV: Pdf.Exploit.Agent-35955 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-35955
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
RichMedia (Flash) high PDF_RICHMEDIA

PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE

PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`AES-PHP.swf` `3717e671d23c561cfd9c7f930f85e60340a08899311807a62139d7a8326708f9`	pdf-embedded-file	PDF EmbeddedFile object 31 at offset 0x17FD	27313 bytes
Detection ClamAV: Pdf.Exploit.Agent-35955 Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`javascript_obj0039_000.js` `a7b7d9f122fb4ba1a43217c39e2f32d09fdb8c8df0af8200c825cae7e0315993`	pdf-javascript-stream	PDF /JS object 39 at offset 0x889F	40884 bytes
`stream_020_off0000889f.js` `760d7e6b589c595f09e01c8fb176812bcb2095ac53f17c3aa99c0799e684fa78`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x889F	20459 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 19 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
`generic_stage_recovery_000.js` `f11e152ae5c1334ad8b204a727a35d951bdc97a8a1e8a03ca2fa821fbbd41d24`	deobfuscated-js	generic stage recovery null-collapse from JavaScript object 39 at offset 0x889F	20452 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 19 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
`generic_stage_recovery_001.js` `ed767d275f1ccbd6e19f2f1e28ef3e310b04ad44611fcacd90b0d706e0944a69`	deobfuscated-js	generic stage recovery marker-XX-to-%u from decompressed stream at 0x889F at offset 0x889F	10290 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 19 eval/decoder/string-building token(s).
`generic_stage_recovery_002.js` `c87ee5521de0f4111db9a798b7635434cd6f0008839e984d3ff0a65d36708fd1`	deobfuscated-js	generic stage recovery null-collapse -> marker-XX-to-%u from JavaScript object 39 at offset 0x889F	10281 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 19 eval/decoder/string-building token(s).
`objstm_0045_00.bin` `d8c7b61038fd49faf55e6884815ed621f8c669b068e77aeeb41693dbc7c0e321`	pdf-objstm-decoded	PDF /ObjStm 45 0 obj (inflated)	455 bytes
`polyglot_child_pdf_off000a1d16.pdf` `73b5c2297d54ff4e7fe340e2f94c9cad65ef470766eea082d937c8597a7e0e7f`	polyglot-child-pdf	Secondary PDF body inside pdf container at offset 0xA1D16	43181 bytes
Detection ClamAV: Pdf.Exploit.Agent-35955 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.