Malicious PDF — malware analysis report

Static analysis result for SHA-256 bfc2177f5503b9fe…

Verdict: MALICIOUS
File type: PDF
Size: 584.1 KB
MD5: 1eb7c2c88bf5bc8b2647f7f2cb755340
SHA-1: 1ad2c4bc4d4dd86b3aaff471832b3b7b0986c812
SHA-256: bfc2177f5503b9feaae7c57fe882c34d0a07fda265bec0b3c1a5ee21bb119e06
Risk score: 178

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.001 Malicious Link
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript and is flagged for exploiting CVE-2007-5659, which involves the `Collab.collectEmailInfo` function. This indicates an attempt to execute malicious code upon opening. The presence of multiple JavaScript files and a U3D-related artifact suggests a multi-stage attack designed to download and execute further payloads.

Heuristics (6)

  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; match: CVE exact; rule: CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (severity: high; match: CVE related; rule: PDF_U3D_CVE_RELATED)
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (12)

Files carved from inside the sample during analysis. Each entry lists filename, kind, source, size and SHA-256, followed by any per-artifact detection notes.

  • javascript_obj0031_000.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 31 at offset 0x2C939; Size: 431 bytes
    SHA-256: 9c67560e8c63b720885d3efc1627b844b86a6ec08e99e5b65a22eae832045756
  • legacy_pdfkit_stage_000.js
    Kind: deobfuscated-js; Source: repeated-marker hex decoded JavaScript at offset 0x2805E; Size: 13560 bytes
    SHA-256: 6b40fb1457415fa054c26e7db3cacb471728859c2745b2e3f03daeb2934d2ba7
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Carved artifact contains 1 long base64-like blob(s).
  • legacy_pdfkit_stage_001.js
    Kind: deobfuscated-js; Source: repeated-marker hex decoded JavaScript at offset 0x2805E; Size: 5723 bytes
    SHA-256: 3231766995ec5688ccbd8ed4dd1930b55e240cde2d4e48ed3edc271a3a28c6e5
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Carved artifact contains 5 eval/decoder/string-building token(s).
  • icc_00_off0007d506.icc
    Kind: pdf-icc-profile; Source: PDF ICC profile at offset 0x7D506; Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • font_00_sfnt_off00000e5a.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xE5A; Size: 46764 bytes
    SHA-256: afeb9e1e920aae3aca3f295f1bbccba46b16423dac14b1b5fde4b661de9198cc
  • font_01_sfnt_off00008483.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8483; Size: 62160 bytes
    SHA-256: 5f96e1e90c4ef56487c91d02c05141dca0967f8e2bbd5d67be6c4f381f0afa79
  • font_02_sfnt_off00011b6b.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11B6B; Size: 37232 bytes
    SHA-256: d375c22ace40f0b973d7308d85023b2e0e49d40dc51da45552d116868346475e
  • font_03_sfnt_off000166cd.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x166CD; Size: 71216 bytes
    SHA-256: b661c2e877dd6b7625208ae148d736aedb24eda2d4f014262cbb7f958f538ca0
  • font_11_sfnt_off0006daec.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x6DAEC; Size: 11156 bytes
    SHA-256: 8b62f203a4ab5c2ac76368029c584b4fa12fffc17f3b6e4e43a9997416807d21
  • font_12_sfnt_off00072d9f.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x72D9F; Size: 32640 bytes
    SHA-256: 6cf6df6beee88aa138f821122d0c1969b348cebe09cafe5b5f6a7eb8c27107a0
  • font_13_sfnt_off000875ef.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x875EF; Size: 22628 bytes
    SHA-256: 95592346b00d039686aa3d7e22eae3d52b011e7e842a5c123f73e89ea766cd35
  • u3d_00_off000214e6.bin
    Kind: pdf-3d-stream; Source: PDF U3D 3D stream at offset 0x214E6; Size: 27444 bytes
    SHA-256: be9b6f51ccc10ed67099a2e70bdc0d7433f445b059ca7dff9f11d5199e632bb6
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Carved artifact entropy is 7.99, consistent with packed or encrypted content.