Malicious PDF — malware analysis report

Static analysis result for SHA-256 a54f61626b9c65c8…

Verdict: MALICIOUS
File type: PDF
Size: 1.4 KB
MD5: e8bc75c4cc8b93ce4e44838f71f38d60
SHA-1: 04391858edd4ed0c930bbc696e09a7f00dddc977
SHA-256: a54f61626b9c65c8f4d121ec0c6963829943f8eca9f3202c658106f4b977fb86
Risk score: 118

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.001 Malicious Link
  • T1204.002 Malicious File

The PDF contains embedded JavaScript (PDF_JAVASCRIPT and PDF_JS heuristics). The critical CVE_2009_4324 heuristic fires on a call to media.newPlayer(), the entry point for CVE-2009-4324, a use-after-free in the multimedia plugin of Adobe Reader and Acrobat. The unescape() call (PDF_UNESCAPE) is the usual way exploit scripts turn %u-encoded shellcode into a JavaScript string before spraying it into memory. Taken together, these indicators point to a file built to trigger the vulnerability and execute arbitrary code; the shellcode most likely fetches a second-stage payload, although that is an inference from the indicators, since no second-stage URL or payload is listed in this report.

Heuristics (5)

  • media.newPlayer — CVE-2009-4324 [severity: critical | rule: CVE_2009_4324 (exact CVE match)]
    PDF JavaScript calls media.newPlayer(). CVE-2009-4324 is a use-after-free in the multimedia plugin of Adobe Reader and Acrobat reached through media.newPlayer(); it was actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • unescape() call [severity: high | rule: PDF_UNESCAPE]
    unescape() found; commonly used to decode %u-encoded shellcode in PDF JavaScript exploits. (matched inside decoded stream)
  • JavaScript action [severity: low | rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low | rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [severity: info | rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj111111_000.js
SHA-256: 32c1a0dd39daed11015e8e1ac3fb67bf8616af55b9ee82ae16ca7e2bb95b1146
Kind: pdf-javascript-stream
Source: PDF /JS object 111111 at offset 0x160
Size: 1265 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 eval/decoder/string-building token(s) and 1 long base64-like blob(s).

Filename: javascript_obj111112_001.js
SHA-256: 41a818af668cd59f4dda1332753d9611852708b7011e77c7edc796ec7d672b71
Kind: pdf-javascript-stream
Source: PDF /JS object 111112 at offset 0x488
Size: 257 bytes
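The rule matching in the Heuristics section and the object carving behind the Extracted artifacts table can be reproduced with a short static triage script. The following is an added example, not the analysis platform's own code: it builds a constructed sample PDF inline (not the analysed file), inflates FlateDecode streams, resolves /JS references, reports the object number and byte offset of every carved script, and applies rules named after the report's IDs (CVE_2009_4324, PDF_UNESCAPE) plus the decoder-token and base64-blob checks behind EXTRACTED_FILE_STATIC_TRIAGE. The regex patterns, severities and all function names are this example's assumptions.

```python
"""Static triage of PDF-embedded JavaScript (added example, not the
analysis platform's code). Locates indirect objects, inflates FlateDecode
streams, resolves /JS references, carves each script with its object
number and byte offset, and applies a small heuristic rule set. Rule IDs
mirror the report; patterns and severities are this example's assumptions."""
import re
import zlib
from typing import Optional

# Assumed rule table: (rule_id, severity, regex on decoded JS, note).
RULES = [
    ("CVE_2009_4324", "critical", rb"media\.newPlayer\s*\(",
     "media.newPlayer() call: CVE-2009-4324 use-after-free in the "
     "Adobe Reader/Acrobat multimedia plugin"),
    ("PDF_UNESCAPE", "high", rb"\bunescape\s*\(",
     "unescape() call: commonly decodes %u-encoded shellcode"),
]
# Tokens and blob shape behind the generic EXTRACTED_FILE_STATIC_TRIAGE check.
DECODER_TOKENS = re.compile(rb"\b(eval|unescape|atob|String\.fromCharCode)\b")
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+0\s+R")                    # /JS 4 0 R
JS_INLINE_RE = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.DOTALL)  # /JS (...)


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> (byte offset, body) for each 'N G obj ... endobj'."""
    return {int(m.group(1)): (m.start(), m.group(3)) for m in OBJ_RE.finditer(pdf)}


def stream_data(body: bytes) -> Optional[bytes]:
    """Return the stream payload, inflated when /FlateDecode is declared."""
    m = STREAM_RE.search(body)
    if m is None:
        return None
    data = m.group(1)
    return zlib.decompress(data) if b"/FlateDecode" in body else data


def carve_js(pdf: bytes) -> list:
    """Carve every script a /JS key points at: referenced streams and inline strings."""
    objs = parse_objects(pdf)
    carved = []
    for num, (off, body) in objs.items():
        for ref in JS_REF_RE.findall(body):      # /JS pointing at another object
            target = int(ref)
            if target in objs:
                toff, tbody = objs[target]
                data = stream_data(tbody)
                if data is not None:
                    carved.append({"object": target, "offset": toff, "js": data})
        m = JS_INLINE_RE.search(body)             # /JS (literal string)
        if m is not None:
            carved.append({"object": num, "offset": off, "js": m.group(1)})
    return carved


def scan_js(js: bytes) -> list:
    """Apply the rule table; returns (rule_id, severity, note) for each hit."""
    return [(rid, sev, note) for rid, sev, pat, note in RULES if re.search(pat, js)]


def triage_artifact(js: bytes) -> dict:
    """Generic obfuscation check on a carved script (token and blob counts)."""
    tokens = len(DECODER_TOKENS.findall(js))
    blobs = len(BASE64_BLOB.findall(js))
    return {"decoder_tokens": tokens, "base64_blobs": blobs,
            "obfuscation_likely": tokens > 0 or blobs > 0}


def analyse(pdf: bytes) -> list:
    """One record per carved script: object, offset, size, rule hits, triage."""
    return [{"object": c["object"], "offset": c["offset"], "size": len(c["js"]),
             "hits": scan_js(c["js"]), "triage": triage_artifact(c["js"])}
            for c in carve_js(pdf)]


def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file): /OpenAction runs a
    FlateDecode'd exploit-style script; a second action holds benign inline JS."""
    js = (b"var p = media.newPlayer(null);\n"
          b"var sc = unescape('%u9090%u9090%u4141%u4141');\n"
          b"eval('" + b"QUFB" * 15 + b"');\n")
    packed = zlib.compress(js)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /S /JavaScript /JS (app.alert\\(1\\);) >>\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for rec in analyse(build_sample_pdf()):
        print("object %d at offset 0x%x, %d bytes" % (rec["object"], rec["offset"], rec["size"]))
        for rid, sev, note in rec["hits"]:
            print("  [%s] %s: %s" % (sev, rid, note))
        print("  triage:", rec["triage"])
```

Run stand-alone, the script prints one record per carved object in the same shape as the table above (object number, offset, size, rule hits, triage verdict). The object carving is deliberately minimal: it does not handle object streams, filters other than FlateDecode, hex-string /JS values or name obfuscation such as /J#53, all of which real samples use to evade exactly this kind of regex-driven triage, so treat a clean result from it as "nothing found", not as "benign".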