PDF malware analysis — malicious · b409607293e0d9a7

MALICIOUS

PDF

8.7 KB

MD5: 45cffa5609500d7240bf23a0fa8ae10e SHA-1: 54bcdeb46602aa1a6e46c7f3f96098c715e9724c SHA-256: b409607293e0d9a7e9802b53af42dbf3857b90f38ef19266cfbb2c76b04fc8b9

78 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript, triggered by the CVE-2007-5659 vulnerability. Static analysis indicates that this JavaScript is responsible for executing a second-stage payload. The heuristics suggest a complex obfuscation and decoding process, typical of downloaders aiming to evade detection. No specific family could be identified, but the attack pattern is consistent with exploit-laced documents.

Heuristics 4

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0001_000.js` `57668d82d9ba0f6249415c860cf5448c5a3a29fcb6be69b913faadf02fed69ad`	pdf-javascript-stream	PDF /JS object 1 at offset 0xF	53 bytes
`javascript_obj0013_001.js` `c61c1cde3c35275ab87531e1220158f352b228fef25661748113e6945637d875`	pdf-javascript-stream	PDF /JS object 13 at offset 0x381	17319 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 5 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `d75912f969a7aa7871f2b38c5e3ce6eb68deb2667998a6a454afcc49e95258f1`	deobfuscated-js	reverse-string concatenation decoded JavaScript at offset 0x381	543 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `6d75e4465c4cbada5568fda43287165de01fe8ec967016c106f27bbf7d29a239`	deobfuscated-js	reverse-string concatenation decoded JavaScript at offset 0x381	553 bytes
`legacy_pdfkit_stage_002.js` `0c207e9a9316533c9e24d5959dc44cd50fb1ac16242dd9ccdc78c9338f063eb6`	deobfuscated-js	reverse-string concatenation decoded JavaScript at offset 0x381	549 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_003.js` `65c046296edde48ee9e5851b6474db33e22eb5f2d229d1825c4aa4fdf1a44aae`	deobfuscated-js	reverse-string concatenation decoded JavaScript at offset 0x381	398 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.