MALICIOUS
172
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The PDF file contains embedded SWF content that triggers a critical vulnerability, CVE-2009-1862, related to Adobe Flash Player. This exploit is designed to execute arbitrary code on the victim's system, likely as part of a spearphishing attack. The embedded SWF files, named 'a.swf' and 'b.swf', are the primary artifacts facilitating this exploit.
Machine Learning
- Nyx PDF Classifier suspicious score 0.4437
Heuristics 6
-
Adobe Flash/authplay SWF exploit in PDF — CVE-2009-1862 critical CVE likely CVE_2009_1862_FLASH_RICHMEDIAPDF combines RichMedia Flash activation with an embedded crafted SWF carrying Run_Sploit/HeapSpray/ByteArray markers. This is the static delivery shape associated with the July 2009 authplay.dll Flash-in-PDF vulnerability CVE-2009-1862.
-
Suspicious extracted artifact critical EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
RichMedia (Flash) high PDF_RICHMEDIAPDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LUREPDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/pdfx/1.3/In PDF document text
- http://adobe.com/AS3/2006/builtinIn PDF document text
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
b.swf |
pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0x29205 | 781 bytes |
SHA-256: 70e6dbce3b11aaece2d38f1d315dee7736c7ab9138a74cdadc8126393c857018 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
actual_type=SWF; declared_or_context_type=PDF; filename=b.swf; kind=pdf-embedded-file
|
|||
a.swf |
pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x29542 | 8038 bytes |
SHA-256: 257b38b73bb7bcfdd2a38ddeda0673fef573372a42e34e3d1f33e49435d5ef32 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
actual_type=SWF; declared_or_context_type=PDF; filename=a.swf; kind=pdf-embedded-file Carved SWF contains Run_Sploit, HeapSpray, and ByteArray markers consistent with an Adobe Reader RichMedia Authplay exploit stage.
|
|||
icc_00_off0002619f.icc |
pdf-icc-profile | PDF ICC profile at offset 0x2619F | 408 bytes |
SHA-256: 653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f |
|||
font_00_sfnt_off000262cc.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x262CC | 26096 bytes |
SHA-256: 5bae21d6090f59a30136388865be4af1db24de6e621999b893f7c87caa7c43c4 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.