PDF malware analysis — malicious · b25f0940a1916a97

MALICIOUS

PDF

40.4 KB

MD5: a3b2a51fe74fa7e556adf5dca450a71d SHA-1: bcf523dc14f7c1ec6994ec8e674e8a152b745c0a SHA-256: b25f0940a1916a97661535998d8f7252efb245c5a19fae08daf8a73b05832e52

178 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell

The file is a PDF containing embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. A critical heuristic identified CVE-2007-5659, related to the 'Collab.collectEmailInfo' function, which is known to be used for JavaScript execution in PDFs. The presence of U3D content and ClamAV detection further supports its malicious nature. The embedded JavaScript files, legacy_pdfkit_stage_000.js and legacy_pdfkit_stage_001.js, are likely responsible for exploiting the vulnerability and downloading further payloads.

Heuristics 6

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED

PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
ClamAV: Pdf.Exploit.Agent-36062 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-36062
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0007_000.js` `068944f8c011a88ab770b45c6de142b9305a1f515d410204d5eadd9ac2b5bfb3`	pdf-javascript-stream	PDF /JS object 7 at offset 0x1A2	373 bytes
`legacy_pdfkit_stage_000.js` `14372b02c67d83a0a11ad882aee208856727a4f1b7ca5d15d4118af75141798f`	deobfuscated-js	repeated-marker hex decoded JavaScript at offset 0x2FC	13133 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
`legacy_pdfkit_stage_001.js` `c949b882864733b013bfe96c53668a7e97e532a51cb52c206384ec463e2077fc`	deobfuscated-js	repeated-marker hex decoded JavaScript at offset 0x2FC	5457 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 5 eval/decoder/string-building token(s).
`u3d_00_off0000355d.bin` `48816569ab4f370009a917ef6429edbe09e4dfe8a63b00a0a0f75a904c62ba94`	pdf-3d-stream	PDF U3D 3D stream at offset 0x355D	27449 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.