PDF malware analysis — malicious · a2c27f506f1396ea

MALICIOUS

PDF

23.1 KB

MD5: 8de051e780e1fcfe6afe60c84fe17713 SHA-1: 4f9142cf70150497adeb639a415e70c6c1531e70 SHA-256: a2c27f506f1396eaa516120ca8cf789e5a46c1231d787a8cc7bf1cb21a0ce3a1

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link

The PDF file contains embedded JavaScript that utilizes the 'eval()' function and the 'unescape()' function, indicating obfuscation. The heuristic 'CVE_2009_0927: Collab.getIcon' specifically points to an exploit targeting this CVE. The JavaScript is designed to download and execute a second-stage payload, as suggested by the presence of multiple JavaScript streams and deobfuscated JS files. The attack pattern is consistent with a PDF-based exploit kit.

Heuristics 5

Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `24f3b9b5cd546bf0e1b1fd7f37449b5961c7984ffac148de511c9afca4f6b9a6`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	3490 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111712_001.js` `5611d0861bfef008e2a2bbcde8b711397f8b97ce296707e55773cfe4f68afddc`	pdf-javascript-stream	PDF /JS object 111712 at offset 0xF66	17818 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111713_002.js` `dff0cd6111efa79c176bc8f1739d7d77d1d9518fa4e3fd38ea019d1457b41a63`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x5536	1753 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `7a70e85a37704ffbb8a7c04bef4c4f4f8298b4fbf9a25e701e70a828721e5ae1`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0xF66	1527 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `1397a77c63e5e8be02a059fd3c671fb708b92cb64d00ded4f2045e71093dec16`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x5536	99 bytes
`legacy_pdfkit_stage_002.js` `a4eac9c85a74af07c0d97bc4ff073eabbc5c584dd96cf546fa2db527ad6ad375`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0xF66	1627 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.