Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7f9b566e72095b4…

Verdict: MALICIOUS
File type: PDF
Size: 5.86 MB
Created: 2011-02-11 11:01:01 UTC
Authoring application: Writer (via OpenOffice.org 3.1)
MD5:     90097a5cbec8312df6ba73bee9b36a48
SHA-1:   cd77b9d5cd7b4267d82cc1da8d5ebcb91080633f
SHA-256: c7f9b566e72095b4aabf94f2e33a114b67f64c6de431e8e2b3c0b89c244e2f11
Risk score: 578

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.001 User Execution: Malicious Link

ClamAV identifies this PDF as Pdf.Exploit.Agent-36391, and four critical heuristics fire on the embedded JavaScript (object 76) once its character-table obfuscation is undone: the script calls media.newPlayer (CVE-2009-4324), Collab.getIcon (CVE-2009-0927), Collab.collectEmailInfo (CVE-2007-5659) and util.printf (CVE-2008-2992), four Adobe Reader JavaScript API memory-corruption bugs whose combination is typical of exploit-kit PDFs of that period. The JavaScript is the confirmed exploit content; the /JPXDecode, /CCITTFaxDecode and /JBIG2Decode filters are only family-level indicators (the rules themselves state they do not prove a malformed image) and are common in legitimate image-heavy documents. The script most plausibly acts as a stager whose shellcode downloads and runs a second-stage payload, but no payload URL was recovered statically: the only extracted URLs are XMP metadata namespace URIs. Metadata attributes the file to Writer (OpenOffice.org 3.1) on 2011-02-11, and most of its 5.86 MB is nine embedded fonts, ten JBIG2 images and Flate-compressed content streams.
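The checks behind this verdict can be reproduced in a few dozen lines. The script below is an added example written for this page, not the analysis pipeline's own code: it inflates FlateDecode streams, scans the decoded bytes for the four scored Acrobat JavaScript APIs, records the image filters and /JavaScript actions the lower-severity rules key on, and lists extra %PDF- headers at nonzero offsets, which is the condition behind the secondary-body finding. It runs against a small constructed PDF assembled in build_fixture(), not against the analysed sample, and it does not undo the character-table obfuscation the real sample uses, so on the real file the API names would only surface after that stage is decoded.

```python
import re
import zlib

# Acrobat JavaScript APIs scored by the report, with the CVE each one maps to.
EXPLOIT_APIS = {
    b"media.newPlayer": "CVE-2009-4324",
    b"Collab.getIcon": "CVE-2009-0927",
    b"Collab.collectEmailInfo": "CVE-2007-5659",
    b"util.printf": "CVE-2008-2992",
}
# Image filters the report scores only as weak, family-level indicators.
IMAGE_FILTERS = (b"/JBIG2Decode", b"/JPXDecode", b"/CCITTFaxDecode")

# "N G obj << dict >> stream\n". The dictionary may not run past "endobj",
# so a streamless object cannot swallow the next object's stream.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
# Direct /Length only; an indirect "/Length 5 0 R" falls back to endstream.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d)(?!\s+\d+\s+R)")
PDF_HEADER_RE = re.compile(rb"%PDF-\d\.\d")


def extract_streams(data: bytes):
    """Yield (object number, dictionary bytes, decoded stream bytes).

    Flate-compressed streams are inflated; anything else, or a stream that
    fails to inflate, is yielded as raw bytes so it can still be scanned.
    """
    for m in OBJ_RE.finditer(data):
        num, dictionary = int(m.group(1)), m.group(3)
        start = m.end()
        length = LENGTH_RE.search(dictionary)
        if length:
            raw = data[start:start + int(length.group(1))]
        else:
            end = data.find(b"endstream", start)
            raw = data[start:end if end != -1 else len(data)]
        decoded = raw
        if b"/FlateDecode" in dictionary:
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                pass  # corrupt or truncated stream: keep the raw bytes
        yield num, dictionary, decoded


def triage(data: bytes) -> dict:
    """Static first pass: dangerous JS APIs, risky image filters, JS actions,
    and extra %PDF- headers at nonzero offsets (the child-body indicator)."""
    report = {"cve_apis": {}, "js_objects": [], "image_filters": set()}
    for num, dictionary, decoded in extract_streams(data):
        for flt in IMAGE_FILTERS:
            if flt in dictionary:
                report["image_filters"].add(flt.decode())
        hits = {api.decode(): cve for api, cve in EXPLOIT_APIS.items() if api in decoded}
        if hits:
            report["js_objects"].append(num)
            report["cve_apis"].update(hits)
    report["javascript_actions"] = len(re.findall(rb"/S\s*/JavaScript\b", data))
    report["js_refs"] = len(re.findall(rb"/JS\b", data))
    report["secondary_pdf_offsets"] = [m.start() for m in PDF_HEADER_RE.finditer(data) if m.start() > 0]
    return report


def build_fixture() -> bytes:
    """Constructed test PDF (not the analysed sample): a Flate-compressed /JS
    stream calling three of the scored APIs, a JBIG2 image object, and a
    second %PDF- header appended behind the first %%EOF."""
    js = b"var s = util.printf('%45000f', 0); media.newPlayer(null); Collab.getIcon(s);"
    body = zlib.compress(js)
    pdf = b"%PDF-1.4\n"
    pdf += b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    pdf += b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
    pdf += b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
    pdf += body + b"\nendstream\nendobj\n"
    pdf += b"4 0 obj\n<< /Type /XObject /Subtype /Image /Filter /JBIG2Decode /Length 0 >>\nstream\n\nendstream\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    pdf += b"%PDF-1.4\n% second body appended behind the first %%EOF\n%%EOF\n"
    return pdf


if __name__ == "__main__":
    for key, value in triage(build_fixture()).items():
        print(f"{key}: {value}")
```

Point triage() at the bytes of a real file to get the same shape of result; object numbers in js_objects tell you which stream to carve, and any secondary_pdf_offsets are where a second PDF body begins.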

Heuristics (15)

  • media.newPlayer — CVE-2009-4324 [severity: critical | match: exact CVE | rule: CVE_2009_4324]
    PDF JavaScript calls media.newPlayer(). CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(); it was exploited as a zero-day in December 2009 and patched in January 2010. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 [severity: critical | match: exact CVE | rule: CVE_2009_0927]
    PDF JavaScript calls Collab.getIcon(). CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by an overlong argument to Collab.getIcon() and allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 [severity: critical | match: exact CVE | rule: CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo(). CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by an overlong msg argument to Collab.collectEmailInfo(), normally combined with a heap spray; it is the oldest of the Acrobat JavaScript API bugs bundled in this sample. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 [severity: critical | match: exact CVE | rule: CVE_2008_2992]
    PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by an oversized format-width specifier (the public exploits used "%45000f"); it was widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • JPXDecode + active content — JPEG2000 CVE-family indicator [severity: high | match: CVE related | rule: PDF_JPX_CVE_2018_4990_RELATED]
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA or RichMedia indicators. This matches the delivery pattern of Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove a malformed JP2/JPX image. Here it is a weak signal: the confirmed exploit content is 2009-era JavaScript, and CVE-2018-4990 postdates the file's recorded creation date by seven years.
  • CCITTFaxDecode + active content — LibTIFF CVE-family indicator [severity: high | match: CVE related | rule: PDF_CCITT_CVE_2010_0188_RELATED]
    PDF uses /CCITTFaxDecode together with JavaScript, XFA or RichMedia indicators. This matches the delivery pattern of Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove a malformed TIFF. CVE-2010-0188 was typically delivered as a TIFF inside an XFA image field, so a CCITT filter on a page image is a family-level indicator only.
  • Secondary embedded PDF body has suspicious static findings [severity: critical | rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE]
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. The rule is written for polyglots whose top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload. In this sample the container is itself a PDF: two child bodies were carved at 0xA426 and 0xAD88, each about 6.1 MB (nearly the whole file), and both carry the same ClamAV signature as the parent. The second copy of /JS object 76, reported at offset 0x2C2, lines up with the child at 0xAD88 (0xAD88 + 0x2C2 = 0xB04A, the parent's object 76 offset), so this finding re-detects the same exploit content behind a second %PDF- header rather than an independent second payload.
  • ClamAV: Pdf.Exploit.Agent-36391 [severity: critical | rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36391.
  • ClamAV detection on extracted artifact [severity: critical | rule: EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle. Here the flagged artifacts are the two carved child PDF bodies, which carry the same Pdf.Exploit.Agent-36391 signature as the container; the two recovered char-table stages have no ClamAV detection of their own.
  • Character-table JavaScript eval stager [severity: high | rule: PDF_JS_CHAR_TABLE_EVAL_STAGER]
    PDF JavaScript reconstructs an exploit stage by indexing into a small character table, appending hundreds of one-character fragments, joining the array and evaluating the result. This static fallback fires only after the bounded decoder recovers an exploit-like stage, so it catches the obfuscation even when no single CVE API signature is visible in the raw script. Two stages were recovered: char_table_stage_000.js (3870 bytes, at 0xB06A, 32 bytes past the object 76 offset) and char_table_stage_001.js (7740 bytes); each contains 11 eval/decoder/string-building tokens and at least one long base64-like blob.
  • JBIG2Decode filter [severity: medium | rule: PDF_JBIG2]
    JBIG2 image decoder present. Ten JBIG2 image streams (595 to 3070 bytes) were carved. The JBIG2 decoder has historically been abused in zero-click exploits, but no rule found these streams malformed, so the medium score reflects attack surface rather than a confirmed finding.
  • JavaScript action [severity: low | rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low | rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [severity: info | rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. Here these are the two char-table stages (11 eval/decoder/string-building tokens each, plus one and two long base64-like blobs respectively).
  • Embedded URL [severity: info | rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; in the full report each URL is labelled with the channel (macro, JS, link annotation, document body, ...) that reached it. All 18 URLs below are XML namespace URIs from the document's XMP metadata packet (RDF, Dublin Core and Adobe XMP/TIFF/EXIF/Photoshop/Illustrator/PDF schemas). They are schema identifiers found in ordinary XMP metadata, not network destinations, and should not be treated as download or C2 indicators.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/sType/Font#
    • http://ns.adobe.com/exif/1.0/aux/
    • http://ns.adobe.com/camera-raw-settings/1.0/
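The character-table stager described in the heuristics above is an obfuscation that can be undone without executing any JavaScript. The following is an added example, not the pipeline's own decoder: obfuscate() builds a constructed stager of exactly that shape (a table string, one pushed one-character fragment per position, eval of the joined array), and recover_stage() statically rebuilds the evaluated string by locating the most-indexed string variable and walking its index expressions in source order, with a fragment cap so a hostile script cannot make the decoder spin. SAMPLE_STAGE, the variable names and the JSON-compatible string-escape assumption are all constructed for the example.

```python
import json
import re

MAX_FRAGMENTS = 50_000  # bound the decoder so a hostile script cannot make it spin

# Constructed stage text (not the sample's): the kind of string such a stager rebuilds.
SAMPLE_STAGE = 'var s = util.printf("%45000f", 0); Collab.getIcon(s); Collab.collectEmailInfo({msg: s});'


def obfuscate(stage: str, table_name: str = "t", acc_name: str = "a") -> str:
    """Emit a character-table stager of the shape the report describes: a small
    table string, one appended fragment per character (alternating t[i] and
    t.charAt(i) forms), then eval(a.join(''))."""
    table = "".join(sorted(set(stage)))
    lines = [f"var {table_name}={json.dumps(table)};", f"var {acc_name}=[];"]
    for i, ch in enumerate(stage):
        idx = table.index(ch)
        if i % 2:
            lines.append(f"{acc_name}.push({table_name}.charAt({idx}));")
        else:
            lines.append(f"{acc_name}[{acc_name}.length]={table_name}[{idx}];")
    lines.append(f"eval({acc_name}.join(''));")
    return "\n".join(lines)


# "var NAME = "literal";" with JSON-compatible escapes (an assumption of this example).
STRING_VAR_RE = re.compile(r"var\s+([A-Za-z_$][\w$]*)\s*=\s*(\"(?:[^\"\\]|\\.)*\")\s*;")


def recover_stage(src: str):
    """Statically rebuild the evaluated string without running any JavaScript.

    Picks the double-quoted string variable that is indexed most often after
    its definition, then concatenates its characters in the order the index
    expressions appear. Returns None when the script does not look like a
    char-table eval stager. Real samples may use other string-literal escapes
    than JSON accepts; that would need a fuller JS literal decoder.
    """
    if not re.search(r"\beval\s*\(", src) or ".join(" not in src:
        return None
    best = None
    for m in STRING_VAR_RE.finditer(src):
        name = m.group(1)
        idx_re = re.compile(rf"\b{re.escape(name)}(?:\[(\d+)\]|\.charAt\((\d+)\))")
        refs = idx_re.findall(src, m.end())
        if refs and (best is None or len(refs) > len(best[2])):
            best = (name, m.group(2), refs)
    if best is None:
        return None
    _name, literal, refs = best
    try:
        table = json.loads(literal)
    except json.JSONDecodeError:
        return None
    out = []
    for bracket, charat in refs[:MAX_FRAGMENTS]:
        i = int(bracket or charat)
        if i >= len(table):
            return None  # out-of-range index: not a well-formed table stager
        out.append(table[i])
    return "".join(out)


if __name__ == "__main__":
    script = obfuscate(SAMPLE_STAGE, "Qz", "buf")
    print(script.splitlines()[0])          # the table the stager indexes into
    print(recover_stage(script))           # the stage, recovered without eval
```

Once the stage text is recovered, the ordinary API-signature rules (media.newPlayer, Collab.getIcon and so on) apply to it directly, which is how a match can be reported "after JavaScript deobfuscation" even though the raw object never contains those names.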

Extracted artifacts (32)

Files carved from inside the sample during analysis. Each entry lists the filename, SHA-256, kind, source (object or offset as reported by the carver) and size; entries that were scanned individually carry a Detection line.

javascript_obj0076_000.js
  SHA-256: 77b08b6c9224c246cb4394b2459ee6131146c6afb6d99714756973d3e3bbc46f
  Kind: pdf-javascript-stream | Source: PDF /JS object 76 at offset 0xB04A | Size: 92677 bytes

stream_009_off000465d0.bin
  SHA-256: 13208066c4183e3916703cca943ec37f8332b227fe235d30ec43427601aaf347
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x465D0 | Size: 70647 bytes

stream_011_off0004ec8a.bin
  SHA-256: 6be4e08c3836aa4e5dd4e48a2ce38c51655383b0ebf2e061eb49472e6d3cef14
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x4EC8A | Size: 64009 bytes

stream_046_off0017f9b4.bin
  SHA-256: d9200ed7ea794568c3e1cb0e9a6e8a2b1abb9cb2e4946781d4dd14a3d39de1fc
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x17F9B4 | Size: 94117 bytes

stream_067_off0021a690.bin
  SHA-256: dc425657174248ea1b58d1e0b3ad4a1c236933c9466678fc6b615e8d35d28bcc
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x21A690 | Size: 21576 bytes

stream_071_off00224cd2.bin
  SHA-256: 1193f7641539ae50d048b167bd505ccef0d51be38c808c0997c55023b64d858c
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x224CD2 | Size: 23495 bytes

stream_075_off0022d5df.bin
  SHA-256: a2fbd72b2c9f22904c88361e890cb4da8034b2d0a490811795fabee853bd7a29
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x22D5DF | Size: 17592 bytes

stream_077_off002302f5.bin
  SHA-256: 99722edb28126506ed299a5d2917ea26258db9c1f91326c2275129f80735ca4f
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x2302F5 | Size: 17804 bytes

char_table_stage_000.js
  SHA-256: 960e4fbed5786c153a83b115ea849141d29280987d5a22ff251d55f3f89d5f46
  Kind: deobfuscated-js | Source: char-table indexed JavaScript (PDF /JS object 76) at offset 0xB06A | Size: 3870 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely
  Notes: Carved artifact contains 11 eval/decoder/string-building token(s) and 1 long base64-like blob(s).

char_table_stage_001.js
  SHA-256: c5bb9cb1fb40aeb956882720c39f845414f4a190c6534a19f1cbd6e64bb9d159
  Kind: deobfuscated-js | Source: char-table indexed JavaScript (raw) at offset 0x23C50 | Size: 7740 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely
  Notes: Carved artifact contains 11 eval/decoder/string-building token(s) and 2 long base64-like blob(s).

jbig2_00_off003ee144.bin
  SHA-256: f436cffb2675e0fe3ebeec417eb0698ea60bdcc2f31211ad370904e0a1dc138a
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x3EE144 | Size: 665 bytes

jbig2_01_off003ee4ab.bin
  SHA-256: 11f033ce001e8d58d27650dcd511827c32d5f347713f69278f3f098ca08f35bb
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x3EE4AB | Size: 1574 bytes

jbig2_02_off003eeb9e.bin
  SHA-256: e4b9d6aa989bc2020795664e6a86462292be07f28c5903d1a8f88fd5c3ab5f89
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x3EEB9E | Size: 961 bytes

jbig2_03_off003f1aef.bin
  SHA-256: 4235e82fc8ab21152f870e7f3b71a122d5aac816acfef85899096e1d83e9031f
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x3F1AEF | Size: 595 bytes

jbig2_04_off003f1e10.bin
  SHA-256: e8fbdec21b8b189847a5e2579d3a8b5ba50222254cb3a961a5cc49475bc1501f
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x3F1E10 | Size: 1631 bytes

jbig2_05_off003f253c.bin
  SHA-256: 613f375b265f2eb4e53fcf2967b6e731203063d020e40bfae9024d9c5a81502b
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x3F253C | Size: 983 bytes

jbig2_06_off003f69ea.bin
  SHA-256: 45e390fa3a16e362c109486c2afb1541a18c062abd9f4d26a7856e0527639096
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x3F69EA | Size: 2761 bytes

jbig2_07_off003f7581.bin
  SHA-256: 47e0c4bc0c033929c75035007e2bf0241f24e8d192570ac9ad01849ef1ee664e
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x3F7581 | Size: 2954 bytes

jbig2_08_off003fbfe2.bin
  SHA-256: a1798278f6d738491da64e2c782b1e4af22c615362df4c8f92ebffbf1bf7da7d
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x3FBFE2 | Size: 2946 bytes

jbig2_09_off003fcc32.bin
  SHA-256: 5bfd3aa4624af4befbbc2eaf33c948564a36dfe917c81fb179d0178c60a68e12
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x3FCC32 | Size: 3070 bytes

font_02_sfnt_off0017075a.bin
  SHA-256: 8264c403be6ab21d01eb8fbc7e260fab39b78991c730599e2795eb1f0cc61c95
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x17075A | Size: 74000 bytes

font_03_sfnt_off00179afb.bin
  SHA-256: b06ce776ad6074ff0f9c90a0c9b202c11624c68d540459e8461bb8a42482ec16
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x179AFB | Size: 55798 bytes

font_05_sfnt_off0018c284.bin
  SHA-256: 20ac57e050ef633bb3586e351d731a71be22448663a9833bbed48962fffd8481
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x18C284 | Size: 39407 bytes

font_06_sfnt_off00191e5e.bin
  SHA-256: 143a14e654c21ca9747ab20ece3a10fb65aa2052dd7391c6041664f77dee0082
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x191E5E | Size: 76012 bytes

font_07_sfnt_off0019ba6c.bin
  SHA-256: 0c9597213c5c18c51952e322ff2075e8ca71eef2e91e8df7af0b0848f94ebe09
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x19BA6C | Size: 54673 bytes

font_08_sfnt_off001a3a1d.bin
  SHA-256: 665de1b7c0f7889ce3c5fcb652ee30beb628261484127df121f57da70f0dd54d
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x1A3A1D | Size: 55060 bytes

font_11_sfnt_off00232d8a.bin
  SHA-256: e768ed72d6f4ac90de2f59f5c4f9a779f3b52f990ea1b1e46f0375ae24253701
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x232D8A | Size: 22152 bytes

font_12_cff_off004938e7.bin
  SHA-256: 5d754a13b9015630176eb6650336b32f37a310ed28b259665575993a584af6a7
  Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0x4938E7 | Size: 2346 bytes

font_13_cff_off0049640b.bin
  SHA-256: 9a68cf989b3b316e1f58763447a6f6d53d3389c23fc2292d9cee31cd6a86ab10
  Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0x49640B | Size: 438 bytes

polyglot_child_pdf_off0000a426.pdf
  SHA-256: 6991320f9f7087196515675a1cc9a3fcfd0e59170d4c71d6997984f040dfeb0d
  Kind: polyglot-child-pdf | Source: Secondary PDF body inside pdf container at offset 0xA426 | Size: 6101978 bytes
  Detection: ClamAV: Pdf.Exploit.Agent-36391 | Obfuscation or payload: unlikely

polyglot_child_pdf_off0000ad88.pdf
  SHA-256: 03fd42b6b7aa145677264ca450e32fa5fe2d3fb212a340970ca560408d4b50ce
  Kind: polyglot-child-pdf | Source: Secondary PDF body inside pdf container at offset 0xAD88 | Size: 6099576 bytes
  Detection: ClamAV: Pdf.Exploit.Agent-36391 | Obfuscation or payload: unlikely

javascript_obj0076_000_1.js
  SHA-256: 805bd5f3a72c493394de810643312eb27b3eca0907518694802d8685f89418cb
  Kind: pdf-javascript-stream | Source: PDF /JS object 76 at offset 0x2C2 | Size: 92394 bytes