MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.001 Malicious Link
The PDF file contains obfuscated JavaScript, including multiple eval() calls and string concatenations, which is a common technique for exploiting vulnerabilities and delivering secondary payloads. The critical CVE_2009_4324 heuristic indicates a specific exploit targeting the media.newPlayer functionality. The embedded JavaScript streams and deobfuscated JS files suggest the primary goal is to execute malicious code, likely downloading further stages from a remote source. The ML classifier strongly supports the malicious nature of this PDF.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj111711_000.js34431d7b4d3deae982c9f641bb65249659db1f8d249cd551232319f5f8777273 |
pdf-javascript-stream | PDF /JS object 111711 at offset 0x18E | 3045 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
javascript_obj111712_001.jsc2e25f24ca6a5030f90b5bdd7960e37b29fe7c8c87fd9c349273a697fb2f9cc3 |
pdf-javascript-stream | PDF /JS object 111712 at offset 0xDA9 | 13799 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
|
|||
javascript_obj111713_002.jsbdaa1d080f75123e65a4ff16564371eac8a0fb77ff3fd2848941e46a5a5ef42f |
pdf-javascript-stream | PDF /JS object 111713 at offset 0x43C6 | 2470 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
legacy_pdfkit_stage_000.js3cece914b914841a8b17f6d40f0553e78ef8ed60e76aa68605abeae7e560099e |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0xDA9 | 1081 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
legacy_pdfkit_stage_001.js30eb0520fb531f2388f6456aa1cb9929d85b500523231fa1f134d9f294f13e12 |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x43C6 | 174 bytes |
legacy_pdfkit_stage_002.jse7b0983d4a07a8d1675ea3d7438b0d9712a27debf1877a3e9aa6cf98c13c2af6 |
deobfuscated-js | multi-marker percent-array combined decoded JavaScript at offset 0xDA9 | 1256 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.