Malicious PDF — malware analysis report

Static analysis result for SHA-256 a56ed496347beb9f…

MALICIOUS

PDF

1.95 MB Created: 2006-02-16 15:03:51 -08:00 Authoring application: Acrobat PDFMaker 7.0.5 for PowerPoint (via substr)
MD5: 0a895897b0597c0d31ea966191e4fca5 SHA-1: 15efe03c216ae9b26028b262c8cd1efb9038e301 SHA-256: a56ed496347beb9f6ce1eb4d3e1e080b8bfbd5302c4134c6fe4ac267a0542b93
528 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

This PDF file contains embedded JavaScript that leverages multiple known Adobe Reader vulnerabilities, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The JavaScript is designed to decode and execute an exploit stage, likely to download and run a secondary malicious payload. The presence of multiple exploit techniques and a high classifier score indicates a deliberate and sophisticated attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 11

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Pdf.Exploit.Dropped-94 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Dropped-94
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0076_000.js
a5c459930ecbb6c77a9d61c7fbb4ea004126770e77823622f560b6e68b01b9f7		 pdf-javascript-stream PDF /JS object 76 at offset 0x999 45206 bytes
legacy_pdfkit_stage_000.js
f61108e361559dab2b42795b2eea75425b1bea3bd89e56f40e261398b71ef216		 deobfuscated-js Info metadata pair-sum decoded JavaScript at offset 0x999 3642 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
javascript_obj0076_000_1.js
e5c1ef056b5a65845b3ed2593e51a5cb3a8156cdb167f248f4f30c92bf7bfb61		 pdf-javascript-stream PDF /JS object 76 at offset 0x999 45250 bytes
legacy_pdfkit_stage_000_1.js
461450c7d7956c991614da84bcdfb35352da12251d1a661ab8bd42e917fae297		 deobfuscated-js Info metadata pair-sum decoded JavaScript at offset 0x999 3642 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
polyglot_child_pdf_off0000bb58.pdf
cc0ac87b61eac8f43f93f9155c093d2d21190e6adc333cb5d3aeef0e0f92ddc1		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xBB58 2000040 bytes
Detection
ClamAV: Pdf.Exploit.Dropped-94
Obfuscation or payload: unlikely
javascript_obj0076_000_2.js
92fe6973ea6f732aef6fd3a37d538735242e401afbf0c8de0516336a779495fd		 pdf-javascript-stream PDF /JS object 76 at offset 0x999 45308 bytes
legacy_pdfkit_stage_000_2.js
b738e1c54f14c31614b24a74d9c861719e2c7e73dce7d640a056e31d07c22b69		 deobfuscated-js Info metadata pair-sum decoded JavaScript at offset 0x999 3642 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
polyglot_child_pdf_off000176dc.pdf
beb3ea347a769884dccdff0b061ad22288b1124ca3e58ebf95a836a1e079c2ae		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x176DC 1952036 bytes
Detection
ClamAV: Pdf.Exploit.Dropped-94
Obfuscation or payload: unlikely
javascript_obj0076_000_3.js
ae62a2e44fa1b99ec94d6a2f9222af61d3ef807e9c0e8147937920a67065cf3c		 pdf-javascript-stream PDF /JS object 76 at offset 0x999 45265 bytes
legacy_pdfkit_stage_000_3.js
b25b227af2c60510932df5cf20fe931e3185eabfe6d8fdeb24bc0a5ce53233db		 deobfuscated-js Info metadata pair-sum decoded JavaScript at offset 0x999 3642 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
polyglot_child_pdf_off0002329a.pdf
56479c097e03c85314c4b6380a52835d932d7ddf197dfd3d6ec61327ea346556		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x2329A 1903974 bytes
Detection
ClamAV: Pdf.Exploit.Dropped-94
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.