Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4d459b7fe9bca4d…

MALICIOUS

PDF

225.3 KB Created: 2009-07-08 10:53:46 +08:00 Authoring application: Acrobat Distiller 7.0 (Windows)
MD5: 1c40ff67e0bd5dad04f3f0c9f6069ee3 SHA-1: 79b2c5e86193f9b621f3ce2d9906e9457f34b1ae SHA-256: b4d459b7fe9bca4d4815165da6deace790a05e1cb88c61c4f4f4b9b288722d20
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript that leverages the CVE-2009-4324 vulnerability (media.newPlayer). This exploit is designed to execute arbitrary code, which is a common technique for downloading and executing further malicious stages. The heuristic firings strongly indicate the use of JavaScript for exploitation within the PDF structure. No specific family could be identified, but the attack pattern is consistent with PDF-based exploit delivery.

Heuristics 4

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0017_000.js
fec02ac84241a606ddee84042d46f183d5a3e8bc4f3fce27d6a568b328437545		 pdf-javascript-stream PDF /JS object 17 at offset 0x4DD 2944 bytes
js_property_alias_stage_000.js
0a0704461fa8203c43232880ecb4cca3a34501dc5b509982d7b0a154ee6ce5a0		 deobfuscated-js JavaScript hex-escape property alias normalized stage at offset 0x4DD 2821 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.