Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f889157cf8e3441…

MALICIOUS

PDF

21.9 KB
MD5: 8cf5ab5e0db15d436cb0cef3656ee4d3 SHA-1: 12ec1982839cb4dd827d2625a488d436d178a8d5 SHA-256: 9f889157cf8e3441d2dd87c9b421baaa532ad92de8fab8ee29bc517cf748c82e
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript, which is executed using eval() and a call to Collab.getIcon, indicating exploitation of CVE-2009-0927. The JavaScript is heavily obfuscated but appears to be designed to download and execute a secondary payload. The presence of multiple deobfuscated JavaScript files further supports this. The exact nature of the payload cannot be determined from the provided evidence.

Heuristics 5

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj111711_000.js
7cde3577731b2df860e7a7d4eacc1927b4aeff819c4a06d5ef1a085fbf2187c0		 pdf-javascript-stream PDF /JS object 111711 at offset 0x18E 3801 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
javascript_obj111712_001.js
bebe3d6229b92321213a7e1f8ef6e2ff47092e164a4ff137a2a76de6be393311		 pdf-javascript-stream PDF /JS object 111712 at offset 0x109D 16396 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
javascript_obj111713_002.js
539e5ea53842788d1f6700b3fd0f196bb94f84039552effbbc7bef0876e78c29		 pdf-javascript-stream PDF /JS object 111713 at offset 0x50DF 1619 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
legacy_pdfkit_stage_000.js
7b3e1cf4f7f5a0118403adc43c0182ab0da1517e2d25f0ce076f00207b0acc9e		 deobfuscated-js marker-prefix array decoded JavaScript at offset 0x0 1883 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
legacy_pdfkit_stage_001.js
1d7fea9cb5c75452a093469a13861ce687fba8e2453d7beec096c19d0feee8e4		 deobfuscated-js marker-prefix array decoded JavaScript at offset 0x0 1519 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
legacy_pdfkit_stage_002.js
015e065191ece7dc186cfeaeb2a3897c7cf8615f9ce4b4c557ffa3463afbab20		 deobfuscated-js marker-prefix array decoded JavaScript at offset 0x0 98 bytes
legacy_pdfkit_stage_003.js
1412a09b263e0a64c28cc7f184247102cbe88e4b5ed6b84ed0c0c83087aaa08b		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x109D 1521 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
legacy_pdfkit_stage_004.js
1397a77c63e5e8be02a059fd3c671fb708b92cb64d00ded4f2045e71093dec16		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x50DF 99 bytes
legacy_pdfkit_stage_005.js
304d67ac207b77af4308fc097efd95ccd42eb93a9afaa0a93566636fc003e284		 deobfuscated-js multi-marker percent-array combined decoded JavaScript at offset 0x109D 1621 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.