Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1ae1aa0207948df…

Verdict: MALICIOUS
File type: PDF
Size: 584.5 KB
MD5: 177e4243f3ba722b64c4b630fa4017af
SHA-1: 03287d600ecc5af6daf0d35513aa408f1e972d8e
SHA-256: b1ae1aa0207948dfef2b1c625aa29833992bda7c8c46b530398fa21e65ff0a77
Risk score: 178

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains embedded JavaScript and triggers a critical heuristic for CVE-2007-5659: a call to the 'Collab.collectEmailInfo' function, a known trigger for arbitrary code execution in vulnerable Adobe Reader versions. The presence of deobfuscated JavaScript files ('legacy_pdfkit_stage_000.js', 'legacy_pdfkit_stage_001.js') indicates that the script is likely designed to download and execute a second-stage payload. The U3D content also suggests a potential exploit vector.

Heuristics (6)

  • Collab.collectEmailInfo — CVE-2007-5659 [severity: critical; category: CVE exact; rule: CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator [severity: high; category: CVE related; rule: PDF_U3D_CVE_RELATED]
    PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source (where it was carved from), size, and any detection result.

  • javascript_obj0031_000.js
    SHA-256: 068944f8c011a88ab770b45c6de142b9305a1f515d410204d5eadd9ac2b5bfb3
    Kind: pdf-javascript-stream
    Source: PDF /JS object 31 at offset 0x2CAEA
    Size: 373 bytes
  • legacy_pdfkit_stage_000.js
    SHA-256: 31f8c95e1dd8b29929b7d367ec693402e596175afe222226e60aaf3f286604e3
    Kind: deobfuscated-js
    Source: repeated-marker hex decoded JavaScript at offset 0x28063
    Size: 13354 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 long base64-like blob(s).
  • legacy_pdfkit_stage_001.js
    SHA-256: 65a00ede8f2ff835598360d28c4d825c61048536a0319bf4f818aa249b989f58
    Kind: deobfuscated-js
    Source: repeated-marker hex decoded JavaScript at offset 0x28063
    Size: 5633 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 5 eval/decoder/string-building token(s).
  • icc_00_off0007d698.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x7D698
    Size: 3144 bytes
  • font_00_sfnt_off00000e5a.bin
    SHA-256: afeb9e1e920aae3aca3f295f1bbccba46b16423dac14b1b5fde4b661de9198cc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE5A
    Size: 46764 bytes
  • font_01_sfnt_off00008483.bin
    SHA-256: 5f96e1e90c4ef56487c91d02c05141dca0967f8e2bbd5d67be6c4f381f0afa79
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8483
    Size: 62160 bytes
  • font_02_sfnt_off00011b6b.bin
    SHA-256: d375c22ace40f0b973d7308d85023b2e0e49d40dc51da45552d116868346475e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11B6B
    Size: 37232 bytes
  • font_03_sfnt_off000166cd.bin
    SHA-256: b661c2e877dd6b7625208ae148d736aedb24eda2d4f014262cbb7f958f538ca0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x166CD
    Size: 71216 bytes
  • font_11_sfnt_off0006dc7e.bin
    SHA-256: 8b62f203a4ab5c2ac76368029c584b4fa12fffc17f3b6e4e43a9997416807d21
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DC7E
    Size: 11156 bytes
  • font_12_sfnt_off00072f31.bin
    SHA-256: 6cf6df6beee88aa138f821122d0c1969b348cebe09cafe5b5f6a7eb8c27107a0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x72F31
    Size: 32640 bytes
  • font_13_sfnt_off00087781.bin
    SHA-256: 95592346b00d039686aa3d7e22eae3d52b011e7e842a5c123f73e89ea766cd35
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x87781
    Size: 22628 bytes
  • u3d_00_off000214e6.bin
    SHA-256: 48816569ab4f370009a917ef6429edbe09e4dfe8a63b00a0a0f75a904c62ba94
    Kind: pdf-3d-stream
    Source: PDF U3D 3D stream at offset 0x214E6
    Size: 27449 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact entropy is 7.99, consistent with packed or encrypted content.