Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6208b18fbe61ce4…

Verdict: MALICIOUS
File type: PDF
Size: 373.2 KB
Created: 2010-08-30 13:49:52 UTC (from the PDF's own metadata, which is written by whoever produced the file and is not evidence of anything on its own)
Authoring application: Mac OS X 10.5.8 Quartz PDFContext (also from the PDF metadata; equally easy to forge)
MD5: 7ecb339ec57557ed98453e0de3a9b26a
SHA-1: cff2b2ff964a2284d64f316f4e92274eeb0cf83a
SHA-256: b6208b18fbe61ce48fa4afee603057a155b8624d5c95008c7675781465fa575f
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell (no heuristic or carved artifact below mentions PowerShell; treat this mapping as uncorroborated by the static results)

The PDF contains embedded JavaScript that calls the media.newPlayer object, the trigger for CVE-2009-4324, a use-after-free in Adobe Reader and Acrobat 9.x before 9.3 and 8.x before 8.2. The script is obfuscated with unescape() and String.fromCharCode(), the usual way PDF exploits of that era assemble shellcode and heap-spray strings at run time rather than storing them in the clear. ClamAV did not match the carved script and the report lists no payload URL, so the intent to download and run a second-stage payload is inferred from the heuristic hits (decoder tokens and long base64-like blobs in the carved script) and from how this exploit was used in the wild, not from an observed download. Note that the document's creation timestamp (2010-08-30) post-dates Adobe's January 2010 fix (APSB10-02, Reader 9.3 and 8.2), so the exploit only succeeds against readers that were never patched; the timestamp itself is document metadata and may be forged.
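The two obfuscation idioms named above can be unwrapped statically, without executing the script, which is what an analyst does next to see what the exploit stage actually builds. The following is an added example, not code from the analysis engine or from the sample: it decodes unescape("%uXXXX%XX…") literals to the bytes they occupy in memory (a %uXXXX code unit is stored little-endian once the string is heap-sprayed) and evaluates String.fromCharCode(n, n, …) argument lists. The input script is constructed for the demo and decodes to harmless bytes (NOP-like filler, the word "hello" and "http"), not to real shellcode; the variable names in it are invented.

```python
"""Static unwrapping of unescape("%uXXXX%XX...") and String.fromCharCode(n, ...).
Added example, not the analysis engine's code.  SAMPLE_JS is constructed for the
demo and decodes to harmless bytes, not to shellcode."""
import re

# Constructed sample: mimics the shape of a 2009-era PDF exploit stage.
SAMPLE_JS = r'''
var nop = unescape("%u9090%u9090");
var msg = String.fromCharCode(104, 101, 108, 108, 111);
var pre = unescape("%68%74%74%70");
app.media.newPlayer(null);
'''

HEX4 = re.compile(r"[0-9A-Fa-f]{4}")
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
UNESCAPE_RE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(\s*([^)]*?)\s*\)')
CALL_RE = re.compile(r'(?:var\s+(\w+)\s*=\s*)?(unescape\([^)]*\)|String\.fromCharCode\([^)]*\))')


def decode_unescape(arg: str) -> bytes:
    """Decode a JavaScript unescape() literal to the bytes it occupies in memory.
    %uXXXX is one UTF-16 code unit, stored little-endian when the string is
    sprayed, so "%u9090" -> 90 90 and "%u4142" -> 42 41; %XX is one byte;
    any other character is copied through as UTF-16LE."""
    out = bytearray()
    i = 0
    while i < len(arg):
        if arg.startswith("%u", i) and HEX4.fullmatch(arg[i + 2:i + 6]):
            out += int(arg[i + 2:i + 6], 16).to_bytes(2, "little")
            i += 6
        elif arg[i] == "%" and HEX2.fullmatch(arg[i + 1:i + 3]):
            out.append(int(arg[i + 1:i + 3], 16))
            i += 3
        else:
            out += arg[i].encode("utf-16-le")
            i += 1
    return bytes(out)


def decode_fromcharcode(arg: str):
    """Evaluate a String.fromCharCode(...) argument list of decimal or 0x-hex
    literals.  Returns None when an argument is not a literal (e.g. a variable),
    which is the cue to fall back to dynamic analysis."""
    codes = [c.strip() for c in arg.split(",") if c.strip()]
    try:
        return "".join(chr(int(c, 16) if c.lower().startswith("0x") else int(c)) for c in codes)
    except ValueError:
        return None


def unwrap(js: str) -> list:
    """Return (variable or '?', idiom, decoded value) for every decodable call of
    either idiom, in source order.  Value is None when the argument is not a
    literal the decoder can resolve statically."""
    found = []
    for m in CALL_RE.finditer(js):
        var, call = m.group(1) or "?", m.group(2)
        if call.startswith("unescape"):
            u = UNESCAPE_RE.fullmatch(call)
            value = decode_unescape(u.group(1)) if u else None
        else:
            value = decode_fromcharcode(FROMCHARCODE_RE.fullmatch(call).group(1))
        found.append((var, call.split("(")[0], value))
    return found


if __name__ == "__main__":
    for var, idiom, value in unwrap(SAMPLE_JS):
        print(f"{var:4} {idiom:20} {value!r}")
```

Real samples nest these idioms (the fromCharCode output is itself an unescape argument, or the string is built in a loop), so the decoder above is the first pass, not the last; the value of a static pass is that it exposes the heap-spray filler and any URL-like strings before the script is ever run.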

Heuristics (6)

  • media.newPlayer (CVE-2009-4324)   severity: critical   CVE match: exact   rule: CVE_2009_4324
    PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin (Multimedia.api) triggered by media.newPlayer(); it was exploited as a zero-day in December 2009. (matched in decompressed stream)
  • unescape() call   severity: high   rule: PDF_UNESCAPE
    unescape() found; often used to decode shellcode in PDF JS exploits. (matched inside decoded stream)
  • JavaScript action   severity: low   rule: PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream   severity: low   rule: PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode   severity: low   rule: PDF_FROMCHARCODE
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact   severity: info   rule: EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
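The rules above, and the carved-artifact listing that follows, are simple enough to reproduce end to end, which is useful when you want to re-score a sample outside the sandbox or check why a rule did or did not fire. The following is an added example, not the analysis engine's code: it walks a PDF's objects, inflates FlateDecode streams (the "decompressed stream" the rules match in), records each stream's offset, size and SHA-256 as the artifact table does, flags /JavaScript and /JS references, and scores the media.newPlayer, unescape and String.fromCharCode rules plus the decoder-token and base64-blob counts from the artifact triage. The rule identifiers are taken from this report; the severities and regexes are my approximation of them. The PDF is constructed inline for the demo: its compressed script merely names the APIs the rules look for and contains no exploit.

```python
"""Static triage of PDF JavaScript, modelled on the heuristics and artifact
listing in this report.  Added example, not the analysis engine's own code.
SAMPLE_PDF is constructed inline: three objects, one of them a FlateDecode-
compressed /JS stream whose body only names the APIs the rules score."""
import hashlib
import re
import zlib

# Constructed JavaScript body: harmless, but carries every token the rules look for,
# including a long base64-like literal (the base64 of A..Za..z0..9).
JS_BODY = b'''
var s = unescape("%u4141%u4141");
var t = String.fromCharCode(65, 66, 67);
var p = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk=";
eval(t);
media.newPlayer(null);
'''
_COMPRESSED = zlib.compress(JS_BODY)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
    + b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(_COMPRESSED)
    + _COMPRESSED
    + b"\nendstream\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Rule table: (rule id from the report, severity, regex run over each decoded stream).
RULES = [
    ("CVE_2009_4324", "critical", re.compile(rb"media\s*\.\s*newPlayer\s*\(")),
    ("PDF_UNESCAPE", "high", re.compile(rb"\bunescape\s*\(")),
    ("PDF_FROMCHARCODE", "low", re.compile(rb"String\s*\.\s*fromCharCode")),
]
# Artifact-triage counters: eval/decoder/string-building tokens and base64-like blobs.
DECODER_TOKENS = re.compile(rb"\b(eval|unescape|fromCharCode|replace|substr|join|split)\b")
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)


def carve_streams(pdf: bytes):
    """Yield (object number, file offset, dictionary, decoded bytes) for each
    stream object.  Only FlateDecode is inflated; other filters are returned raw.
    Object streams and cross-reference streams are not expanded (a real carver must)."""
    for obj in OBJ_RE.finditer(pdf):
        m = STREAM_RE.search(obj.group(3))
        if not m:
            continue
        dictionary, raw = m.group(1), m.group(2)
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                data = zlib.decompressobj().decompress(raw)  # salvage truncated streams
        yield int(obj.group(1)), obj.start(3) + m.start(2), dictionary, data


def triage(pdf: bytes) -> dict:
    """Score the rule table over every decoded stream and describe each carved
    stream the way the report's artifact table does."""
    hits, artifacts = {}, []
    if re.search(rb"/JavaScript\b", pdf):
        hits["PDF_JAVASCRIPT"] = "low"
    if re.search(rb"/JS\b", pdf):
        hits["PDF_JS"] = "low"
    for objnum, offset, _dictionary, data in carve_streams(pdf):
        artifacts.append({
            "object": objnum,
            "offset": offset,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "decoder_tokens": len(DECODER_TOKENS.findall(data)),
            "base64_blobs": len(BASE64_BLOB.findall(data)),
        })
        for rule_id, severity, pattern in RULES:
            if pattern.search(data):
                hits[rule_id] = severity
    return {"hits": hits, "artifacts": artifacts}


if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    for rule, severity in sorted(result["hits"].items()):
        print(f"{severity:8} {rule}")
    for art in result["artifacts"]:
        print(f"obj {art['object']} at 0x{art['offset']:X}: {art['size']} bytes "
              f"sha256={art['sha256'][:16]}... tokens={art['decoder_tokens']} "
              f"b64={art['base64_blobs']}")
```

The point to take from running it is that the critical rule fires only on the inflated stream: grepping the raw file for media.newPlayer finds nothing, which is why a scanner that does not inflate /FlateDecode streams misses this class of sample entirely.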

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Fields per entry: filename, SHA-256, kind, source (location inside the sample), size.

javascript_obj0137_000.js
  SHA-256: a45e66e188f2d79667c01905e3ecdc33322564184c6250d2fe7847b03bdd7ad8
  Kind: pdf-javascript-stream
  Source: PDF /JS object 137 at offset 0x5C641
  Size: 5625 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s) and 2 long base64-like blob(s).

stream_019_off0003d20a.bin
  SHA-256: 70f2aebc27172eb37f90366e11c3d6762a9d83b9ca92ae724e619287efc2604b
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x3D20A
  Size: 37248 bytes

icc_00_off0000c052.icc
  SHA-256: 2a18161bb96fd584d19e737ce294732789e0e8e6ae8c8e4e5f09f1b138232a63
  Kind: pdf-icc-profile
  Source: PDF ICC profile at offset 0xC052
  Size: 1456 bytes

font_00_sfnt_off00035d8f.bin
  SHA-256: a6369a0ecdfebfbd7ed524d09953436b1abb1b30534886f677d90dcef861873c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x35D8F
  Size: 8024 bytes

font_01_sfnt_off00037658.bin
  SHA-256: 1d31b7cb0cc87c83dd261cdf640cec2def4d4950b0673296a1b6513629600d49
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x37658
  Size: 31380 bytes

font_02_cff_off0003c088.bin
  SHA-256: 07436f596da5e4cace48a2bdd076f67b4a08f22df1f12412a441cd1d396ac953
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x3C088
  Size: 185 bytes

font_03_sfnt_off0003c357.bin
  SHA-256: d31f6e3800ffddbd441dddfe16f205cfce7f25cbdbd35f7659e29f3ead7511ce
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3C357
  Size: 4152 bytes

font_05_sfnt_off00042af3.bin
  SHA-256: 1664d4103ce3a903636577258661388155cd89f5a806b12b0df83920f854687c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x42AF3
  Size: 22512 bytes

font_06_sfnt_off00046286.bin
  SHA-256: d26e8aa54b007d0ca66a3b581e932c6a63e2f681c28684f8f383d8f68f17d4f3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x46286
  Size: 5184 bytes