Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd97bb3916632576…

MALICIOUS

PDF

Size: 308.6 KB
Created: 2009-12-21 16:55:35 +08:00 (taken from the document's own metadata, so attacker-controlled; it does fall inside the December 2009 window in which CVE-2009-4324 was being exploited as a zero-day)
Authoring application: Acrobat PDFMaker 7.0 (via Acrobat Distiller 7.0 (Windows)). The raw creator string as extracted is malformed: after "Acrobat PDFMaker 7.0" it continues with a run of ÿ characters (0xFF bytes under a Latin-1 decode) and the fragment "cer(Acrobat Distiller 7.0 (Windows)". Like the timestamp, these fields are declared by the file, not verified.
MD5: 762fd7a80470ad6ff78fa7303daa668d
SHA-1: 0c78633f0495903ccfc51c849367212cd3e1da03
SHA-256: bd97bb3916632576575c8cb41edcdf3c1cdb48216b527f03769bf371624939be
Risk score: 178

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
Nothing in the findings below references PowerShell, so the T1059.001 mapping should be checked against the decoded JavaScript before it is reused; T1204.002 (the victim opens the document) is directly supported by the delivery vector.

The PDF carries embedded JavaScript that calls media.newPlayer, the trigger for CVE-2009-4324 (a use-after-free in Adobe Reader's multimedia plugin). The script is obfuscated and uses unescape(), the usual way of materialising shellcode in Reader exploits of this era, so its likely role is to run shellcode that drops or downloads a second stage; the critical heuristic firings and the secondary PDF body carved from inside the container are consistent with an embedded follow-on payload. The document body offers no social-engineering lure; the verdict rests on the exploitation path, not on content.

Heuristics (7)

  • media.newPlayer — CVE-2009-4324 [critical; CVE exact match; rule CVE_2009_4324]
    PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(); it was actively exploited as a zero-day in December 2009. (Matched in a decompressed stream.)
  • Secondary embedded PDF body has suspicious static findings [critical; rule POLYGLOT_CHILD_PDF_STATIC_TRIAGE]
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. The rule is written for polyglots whose top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload; here the outer container is itself a PDF, so the finding is a second document body embedded in the first.
  • unescape() call [high; rule PDF_UNESCAPE]
    unescape() found — often used to decode shellcode in PDF JS exploits. (Matched inside a decoded stream.)
  • JavaScript action [low; rule PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low; rule PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; rule EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs below are XMP/RDF namespace identifiers from the document's metadata stream, not network indicators, and should not be treated as IOCs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts (4)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • javascript_obj0043_000.js
    SHA-256: 8ce3a6480802617f09d669334e59524b35c689eab2505bd49c8e62d8a215ee84
    Kind: pdf-javascript-stream
    Source: PDF /JS object 43 at offset 0x2430
    Size: 2172 bytes
  • stream_009_off0004b716.js
    SHA-256: 72a7a81874bc825243697fb1380a9dc969da68bf826f90ff5241fdd360dd07a9
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4B716
    Size: 6463 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. The carved artifact contains 20 eval/decoder/string-building tokens and 1 long base64-like blob.
  • javascript_obj0043_000_1.js
    SHA-256: ca2fd006a36b1a8b13870873fa5709a4707a8a167d66ee7a20c04b335b1fa33e
    Kind: pdf-javascript-stream
    Source: PDF /JS object 43 at offset 0x2430
    Size: 2116 bytes
  • polyglot_child_pdf_off000492b1.pdf
    SHA-256: 9a92832b0e44cdf69122ca7d3818540f162a8455d855283afdd8545ffda376c3
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside PDF container at offset 0x492B1
    Size: 16302 bytes

Two things are worth checking against these numbers. First, the two javascript_obj0043 entries are carves of the same /JS object 43 at the same offset, differing by 56 bytes; the report does not say how the second was derived. Second, the FlateDecoded stream at 0x4B716 (309014) lies inside the byte range of the carved child PDF, which starts at 0x492B1 (299697) and runs 16302 bytes to 315999, essentially the end of the 308.6 KB file, so the heavily obfuscated stream belongs to the embedded secondary document rather than to the outer one. The ClamAV miss on a single carved stream is expected for an exploit fragment and does not weaken the verdict.