PDF / .ORG malware analysis — malicious · aad0c5bd1c8005ba

MALICIOUS

PDF / .ORG

17.9 KB

MD5: aaa949cea3c62698f7fffe83b8c09b04 SHA-1: 760a87bf28eb5cd2859e161b7414bebdbed52e43 SHA-256: aad0c5bd1c8005baa118a8a0d341c192caca52593d2dac95fff4131ac152244f

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript T1204.001 Malicious Link or Trusted URL T1059.003 Windows Command Shell

The PDF sample contains heavily obfuscated JavaScript, including multiple eval() and unescape() calls, designed to exploit CVE-2009-4324 via the media.newPlayer object. The deobfuscated JavaScript indicates a multi-stage download and execution process. The primary intent appears to be downloading and executing a second-stage payload from a remote source, leveraging the exploit to bypass security measures.

Heuristics 5

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `c22f96573f8c9586725123242b52d18e30d7906454f4e38a2fbd804af19cf7d6`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	3458 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111712_001.js` `bd393a8c295bb6344b9316582ab515eb872e3c4030e565de97f04e51b19b53a1`	pdf-javascript-stream	PDF /JS object 111712 at offset 0xF46	11520 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111713_002.js` `4e9dc22a88a0a57fc465d7654245829946b08698ff465b91f382e069bfec705e`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x3C7C	2738 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `60cffa07ab8bc3f255758198aca1a5acd9294a01f46a3e5ef440d5573919199d`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0xF46	1084 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `a9ea35d9355217e07a5a8020371b3e150a8d36661d254644b9c9899f25a58474`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x3C7C	174 bytes
`legacy_pdfkit_stage_002.js` `c697c96ae47fdea80fb51881cd2d9076ea420e1b69e7f156da7417a0439b8a37`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0xF46	1259 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.