PDF malware analysis — malicious · b9e4fed54ceeff52

MALICIOUS

PDF

24.5 KB

MD5: 3d57ed493548443c491a4537cbeba21b SHA-1: a83aaeff0a94436456ec2dfcdd42c676e853e28b SHA-256: b9e4fed54ceeff5289938f609cb6a328d7ed6c2d7038a4eb742dbb0d67bbbd81

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link T1027 Obfuscated Files or Information T1140 Deobfuscate/Decode Files or Information

The PDF sample contains embedded JavaScript that utilizes eval() and unescape() functions, indicating an attempt to obfuscate malicious code. The critical CVE_2008_2992 heuristic firing confirms the exploitation of this specific vulnerability via printf-like JavaScript calls. The embedded JavaScript is designed to decode and execute a second-stage payload, likely for further system compromise. The presence of multiple obfuscated JavaScript streams and deobfuscated stages points to a multi-stage attack.

Heuristics 5

util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `85670d511728f3d056c7c11eb5991fc1bb83c59229533894dba3b7152109424e`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	3686 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
`javascript_obj111712_001.js` `0de6222362610a22948452d77573a4adb88298ed3840ea02a21da0f223dc6a92`	pdf-javascript-stream	PDF /JS object 111712 at offset 0x102A	15869 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111713_002.js` `a459caf828dd27e67ad9baa25196e6ac4295bb6e73389acde003eedc796fbb40`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x4E5D	4947 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `a5d88421f4d70da0e4046e7a52b83cb467687ed79504256159250edb7631bb28`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x102A	1415 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `2f39b61831fe3ce75b3cae0451b4ff5e79209fe93c734a12c888478b4d5d0caf`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x4E5D	390 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
`legacy_pdfkit_stage_002.js` `3318108e8d7ec6466dda4aa858354f03a5e0d73ec6c16ca667a6900477e9b909`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0x102A	1806 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.