Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9cdcc39c2b854c1…

MALICIOUS

PDF

278.5 KB
MD5: 78bd7d44766c38911a482d22cb4ba955 SHA-1: 666fee7cc2fc88e9fec9ac885e290207911fe038 SHA-256: c9cdcc39c2b854c184fd6e179df8e3dd8efe199ba457624de02eaefcf7f96c4b
238 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious Link T1059.001 Command and Scripting Interpreter: JavaScript

This PDF file contains a critical vulnerability exploit for CVE-2009-0658, targeting Adobe Reader's JBIG2Decode heap-spray mechanism. The embedded JavaScript is used for the heap-spray stage, indicating an attempt to download and execute a second-stage payload. The presence of a secondary embedded PDF with similar suspicious findings further supports the malicious intent.

Heuristics 9

  • Adobe Reader JBIG2Decode heap-spray exploit critical CVE likely CVE_2009_0658
    PDF combines JBIG2Decode image streams with a Reader 9 JavaScript heap-spray stage. This is the in-the-wild Adobe Reader/Acrobat JBIG2Decode exploit shape associated with CVE-2009-0658.
  • JBIG2 + active content high CVE related PDF_JBIG2_ACTIVE_CONTENT
    JBIG2Decode appears with JavaScript/XFA/RichMedia — a related indicator for JBIG2 parser-exploit families including CVE-2021-30860 and CVE-2009-0658, but not a unique CVE fingerprint.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JBIG2Decode filter medium PDF_JBIG2
    JBIG2 image decoder present — historically used in zero-click exploits
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00000310.js
a0c0de2e1bdb6b678dbe7cf719fb7d9b13ab2bc07f8552e835bea2054a38c5fd		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x310 1809 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_005_off00002a45.bin
6a71966cad617bfb05c2fc57e09517130f7abf80fb7d2cd8d6f9a72dd0ff8cc6		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2A45 8958 bytes
objstm_0029_00.bin
f8eb65864fd50b29cfa71dd142b8bbf6494c65d9fbb58bcb2b7b2c3ac3227298		 pdf-objstm-decoded PDF /ObjStm 29 0 obj (inflated) 88 bytes
jbig2_00_off000006b7.bin
f85c9692081b4579a8c12600c9f760bf995b9decf0e0d93a6bcf4e068ea26a3c		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x6B7 4945 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.93, consistent with packed or encrypted content.
jbig2_01_off0004021a.bin
4fc5fd9bdd46c763dfaa373b14504131baf03f9314d69c0f1a6c1bf156c9676f		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x4021A 4945 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.96, consistent with packed or encrypted content.
polyglot_child_pdf_off0003fb63.pdf
e5d7fe1421f6f598477ab69756d439673452b8baa9e8717d9b53c70d3ceb4e89		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x3FB63 24210 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.