Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2530d181a7e162f…

MALICIOUS

PDF

350.8 KB
MD5: d56e60a0cddae6813337713e31d08317 SHA-1: d0e345308e2a9f7e32dc24499c5ce96f2805c1af SHA-256: a2530d181a7e162f23ddde8653a661fcda0bc891f86bbaea1d7ba5cb55d490ed
412 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript that utilizes `eval()` and `unescape()` functions, indicative of obfuscation and exploit execution. Specifically, the `media.newPlayer(null)` call is associated with CVE-2009-4324. The JavaScript is designed to download and execute a secondary payload, as suggested by the generic stage recovery findings. The ML classifier and ClamAV detection strongly support the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics 12

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Pdf.Exploit.Agent-21043 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-21043
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0052_000.js
45fea71ee6347153ec3719ebc3910509cd6fa568f263c29e7474c694308f5c7d		 pdf-javascript-stream PDF /JS object 52 at offset 0x3F4E 301 bytes
javascript_obj0059_001.js
28d6113dc29ef94de179a1345b6983a9d947da00c945e958d0554de4748a5164		 pdf-javascript-stream PDF /JS object 59 at offset 0x6483 2612 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
stream_005_off00000b74.bin
e4217c167299ac63f64b8b7e903cc0196f0828693d273431b8b793a12ed0fed3		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xB74 1000 bytes
generic_stage_recovery_000.js
9386c3619dcf3abffde858874a5e2addc7b978e0fab02276372073d35a49ec7e		 deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 59 at offset 0x6483 2603 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
generic_stage_recovery_001.js
62f4a84d348a420fc4b48f414738b4fd41d98489a85772d27fa213bc38a65240		 deobfuscated-js generic stage recovery marker-XX-to-%u from JavaScript object 59 at offset 0x6483 1801 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
generic_stage_recovery_002.js
c98e5d5c6978a8436869c766df67ad7f3c5b444455dd5b7235fa945bbcddbe6d		 deobfuscated-js generic stage recovery marker-XX-to-%u from JavaScript object 59 at offset 0x6483 1365 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
generic_stage_recovery_003.js
f794d147fe21cdced2642a43d59ce19e96211c79e1866fcfb6a0da7a2be9584e		 deobfuscated-js generic stage recovery null-collapse from combined JavaScript objects at offset 0x3F4E 2616 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
generic_stage_recovery_004.js
41c086683794a69b4cf08a67b67fe1f8532e2dee0f9c252c8ea9af05b45a0043		 deobfuscated-js generic stage recovery split-literal-normalize from combined JavaScript objects at offset 0x3F4E 2905 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
generic_stage_recovery_005.js
44be16306ab8eb4e46402a04d83620d6ec307426880c37d358161066d31b33bf		 deobfuscated-js generic stage recovery null-collapse -> split-literal-normalize from combined JavaScript objects at offset 0x3F4E 2607 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
objstm_0053_00.bin
f9797d0fa28384c30d8bf1da89163104ce539753e417fa1f9c5fd135d1eceb39		 pdf-objstm-decoded PDF /ObjStm 53 0 obj (inflated) 50 bytes
polyglot_child_pdf_off00050f61.pdf
fb2b52d852722f9b426665a5f60047fc463cd643a8f13b317d15efab7307f861		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x50F61 27574 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.