MALICIOUS
224
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
This PDF document contains embedded JavaScript that utilizes the CVE-2014-0496 vulnerability (app.addToolButton/removeToolButton). The script is obfuscated but appears to be designed to download and execute a second-stage payload. The presence of embedded files and JavaScript actions strongly suggests a malicious intent to compromise the user's system.
Heuristics 11
-
app.addToolButton/removeToolButton — CVE-2014-0496 critical CVE exact CVE_2014_0496PDF JavaScript combines app.addToolButton() and app.removeToolButton() with heap-spray shellcode markers — the public Adobe Reader/Acrobat ToolButton use-after-free exploit shape for CVE-2014-0496. (matched in decompressed stream)
-
Embedded PDF child has suspicious static findings critical PDF_EMBEDDED_CHILD_STATIC_TRIAGEPDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
-
unescape() call high PDF_UNESCAPEunescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
-
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Remote GoTo action info PDF_GOTO_REMOTEPDF has GoToR/GoToE actions that reference sibling document files — typical of multi-part document bundles
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0003_000.js4732fce79f7a2910688292544fb1616978d9caede22f1f5093911e2f46f7b23d |
pdf-javascript-stream | PDF /JS object 3 at offset 0x9A | 8191 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 13 eval/decoder/string-building token(s).
|
|||
stream_000_off00002449.jsd1dfd457a2fdd3cec4091f689f39b85b35666aa5599ef3a8d5f9a80d1e2ce105 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2449 | 1042 bytes |
font_00_type1_off000028e5.binc6bf78478c9c4dd5b3b86554d34c78f847f70af4118f9ff083c1fccf0e8e932b |
pdf-font-stream | PDF embedded font (type1) at offset 0x28E5 | 97 bytes |
font_01_type1_off00002b6c.binb749644b3e758e7335900ab2e7499eaa64b3a946849f1f8a0948287bdd96763d |
pdf-font-stream | PDF embedded font (type1) at offset 0x2B6C | 144 bytes |
magellanic_venus_657.pdff098877db7743761ae8a3591c73370a75db9c688eea2fbcfb4ae42076662165e |
pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x36A | 11600 bytes |
magellanic_venus_657_1.pdf48bb87feca1efede6a3e8399a9ff2fb1de82ff7c00d6917450063beede0f87e4 |
pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x36A | 5098 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.