Malicious PDF — malware analysis report

Static analysis result for SHA-256 cacd02a1d9f23a53…

MALICIOUS

PDF

22.9 KB
MD5: e874b243a47dd23890340ce808625e94 SHA-1: fc38966d70f7a2f9d95c22347ffd2438e5369dc2 SHA-256: cacd02a1d9f23a5359383c4b17d91221e40b3be6d9b5db2a5c0f3b3cdaacbf5b
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.001 Malicious Link

The PDF contains obfuscated JavaScript that leverages the CVE-2007-5659 vulnerability (Collab.collectEmailInfo) to execute arbitrary code. The script is designed to download and execute a second-stage payload. The high confidence is due to the critical heuristic firing for CVE-2007-5659 and the ML classifier flagging the PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj111711_000.js
79af06639ac8434bd26ffdb43385215234e0ac50495b3cd748b790e8b6fc35fc		 pdf-javascript-stream PDF /JS object 111711 at offset 0x18E 3658 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
javascript_obj111712_001.js
72f5386485a93931b10534a536b2b352aa6dd79c34aaed382b0272b01e6cebe7		 pdf-javascript-stream PDF /JS object 111712 at offset 0x100E 17664 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
javascript_obj111713_002.js
680e76bdf81c6d8eebd27921506d97c5f318dcf5dc7cf3b3d03242f65619d42e		 pdf-javascript-stream PDF /JS object 111713 at offset 0x5544 1532 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
legacy_pdfkit_stage_000.js
e1ef57e355b39268ad264cc25028a9a0e38b4699b467c94913104d44e9e6dafc		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x100E 1470 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
legacy_pdfkit_stage_001.js
66201566cb7b94b96d78c07e61c80e11578b5125ea85cc864e3cc788698af3dd		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x5544 79 bytes
legacy_pdfkit_stage_002.js
1395244c01d08e50ff89759a95cc372890850a63b5ec1b0dc2521a8b2b5a4098		 deobfuscated-js multi-marker percent-array combined decoded JavaScript at offset 0x100E 1550 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.