Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb18a3c284984a7b…

MALICIOUS

PDF

1.8 KB
MD5: dafe390df89ec99bb39ffea35ab8136d SHA-1: f49ddcca67f09fe95e71c907f645be5ead9dd94e SHA-256: bb18a3c284984a7b69e40b459060c5e2f200da34260d5720ab57401e3a5e7406
164 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious File T1059.001 Command and Scripting Interpreter: JavaScript

The PDF file contains embedded JavaScript and utilizes filters like ASCIIHexDecode and ASCII85Decode, indicating obfuscation. The critical heuristic firing for CVE-2008-2992 (util.printf) strongly suggests exploitation of this vulnerability to achieve arbitrary code execution. No document body text was available for analysis, but the presence of exploit indicators and JavaScript points to a malicious PDF designed to deliver a payload.

Heuristics 6

  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
  • ClamAV: Pdf.Exploit.Agent-36183 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36183
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js
f86b1e5220183f7c7e3ea8cddca0c8beed42f4aca8952f8c95b07b9823f2ed6e		 pdf-javascript-stream PDF /JS object 6 at offset 0x138 1345 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.