Malicious PDF — malware analysis report

Static analysis result for SHA-256 b00b096064d1a671…

Verdict: MALICIOUS
File type: PDF
Size: 21.7 KB
MD5: cdf60398de9a6dfd8a8f951f61236cbc
SHA-1: cfcdb96822516e889f8a4cef3016962c1516f6f4
SHA-256: b00b096064d1a671a0244f495be322f0d492c47c04f7627c81e9cdf7f0dc2fce
Risk Score: 118

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.001 Malicious Link

The PDF file contains obfuscated JavaScript that leverages the 'Collab.getIcon' sink to trigger CVE-2009-0927. The JavaScript is heavily encoded and uses eval() calls, indicating an attempt to hide malicious functionality. The deobfuscated scripts suggest the primary goal is to download and execute a secondary payload. The presence of multiple embedded JavaScript objects and the specific exploit trigger point to a downloader or initial access stage.

Heuristics (5)

  • Collab.getIcon — CVE-2009-0927 [severity: critical; match: CVE exact; rule: CVE_2009_0927]
    PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument and allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • eval() call [severity: high; rule: PDF_EVAL]
    eval() found; commonly used for obfuscated exploit execution.
  • JavaScript action [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size, Detection.

  • javascript_obj111711_000.js
    SHA-256: 05f9e62ac19ae9db1af4e1c7c5497a1f0a37dc518ca9c839bf6f619fc2515638
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111711 at offset 0x18E
    Size: 2878 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
  • javascript_obj111712_001.js
    SHA-256: 5e2502fd40aeb7bd642b05bbc93a3cf11c6523bd3a188028e7d51f225ffa84bd
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111712 at offset 0xD02
    Size: 17056 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
  • javascript_obj111713_002.js
    SHA-256: 80bea257594f133e8b5f75076b9a574f30c306745dc19c3b93cc9d15ac713bd6
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111713 at offset 0x4FD8
    Size: 1722 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
  • legacy_pdfkit_stage_000.js
    SHA-256: 1412a09b263e0a64c28cc7f184247102cbe88e4b5ed6b84ed0c0c83087aaa08b
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0xD02
    Size: 1521 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
  • legacy_pdfkit_stage_001.js
    SHA-256: 95d52c265d60ffad372da99bb3db5c3f0b48fc84b1aaa90902895f12786cdc82
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0x4FD8
    Size: 99 bytes
    Detection: none reported
  • legacy_pdfkit_stage_002.js
    SHA-256: 54ba57b65354a0463ff5a6ed207cbce0485d94c1eb6e78f662c34e48afd848fc
    Kind: deobfuscated-js
    Source: multi-marker percent-array combined decoded JavaScript at offset 0xD02
    Size: 1621 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).