Malicious PDF — malware analysis report

Static analysis result for SHA-256 c43a1ea92c8c2580…

MALICIOUS

PDF

203.5 KB Created: 2008-01-05 16:25:50 +01:00 Authoring application: LaTeX with hyperref package (via pdfeTeX-1.21a)
MD5: e79ec96cfffcdc2193bd627e94dbf379 SHA-1: 8f1dfc387974e805ef06ca6963bf1f8bacab0977 SHA-256: c43a1ea92c8c25802ec3a41e29f8bc65122993f028344b488ddba42fec75e83c
190 Risk Score

Malware Insights

The PDF sample contains U3D content and triggers a critical heuristic for CVE-2011-2462, indicating a heap spray exploit targeting Adobe Reader's 3D parser. This exploit is designed to execute embedded JavaScript. The presence of JavaScript actions and an unescape() call further supports the execution of malicious code. The ML classifier also flagged this PDF as highly malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9899

Heuristics 8

  • Adobe Reader U3D parser exploit with JavaScript heap spray critical CVE likely CVE_2011_2462_U3D_HEAPSPRAY
    PDF combines U3D/3D annotation content with JavaScript heap-spray shellcode. Public CVE-2011-2462 exploit chains use a crafted U3D stream and JavaScript heap spray to control memory during Adobe Reader's U3D parser corruption.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://vcg.isti.cnr.it
    • http://meshlab.sourceforge.net

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0048_000.js
a8a1da41d93c5b2586ccafedebe721bda2830940514d2efc99e78f102519dac2		 pdf-javascript-stream PDF /JS object 48 at offset 0x32039 6052 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
stream_000_off000002ad.bin
b1f937b9541d599e1c6000c4c47f7f3f21a4d9b0e1051c8a5580e07bc6106afd		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2AD 177792 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.72, consistent with packed or encrypted content.
font_00_type1_off0002ac27.bin
d129a586d7449f3004ab2629e1b01753002037f8ca955d68339aba6fea13d9dd		 pdf-font-stream PDF embedded font (type1) at offset 0x2AC27 6428 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
font_01_type1_off0002c3ce.bin
6d68a200ddadd677e7031f9795a017ce42b4d7f02b68d39a072ecbc1e20fb5d6		 pdf-font-stream PDF embedded font (type1) at offset 0x2C3CE 7849 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.64, consistent with packed or encrypted content.
font_02_type1_off0002e1fc.bin
f1d06dc0327817e03d778a88f65436557134c269106fbc5438dd4ef0c897a441		 pdf-font-stream PDF embedded font (type1) at offset 0x2E1FC 11287 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.76, consistent with packed or encrypted content.
font_03_type1_off00030c39.bin
cab7a46a0f2b73639fc37aa221b515da6888b096748ee89dec2f4876e25f7f1f		 pdf-font-stream PDF embedded font (type1) at offset 0x30C39 2374 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.