Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc3cef58a0861740…

Verdict: MALICIOUS
File type: PDF

Size: 7.3 KB | Created: 2009-01-35 62:12:26 (note: this timestamp is not a valid date) | Authoring application: Adobe
MD5: 5a6fbb60ed282c3597a8befed25f1caa SHA-1: 9422e3190925df58e0382fa796b4b5807c78f208 SHA-256: cc3cef58a0861740124985a6fe88d4d537832d9c02ee7190c6ffe4e010789e8f
Risk Score: 308

Malware Insights

MITRE ATT&CK
  • T1059.001 JavaScript/JScript
  • T1204.002 Malicious File

This PDF exploits multiple known vulnerabilities (CVE-2009-4324, CVE-2009-0927, CVE-2007-5659) by leveraging embedded JavaScript. The JavaScript uses functions like eval() and unescape() to deobfuscate and execute malicious code. The primary intent appears to be the execution of arbitrary code, likely to download and run a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (8)

  • media.newPlayer — CVE-2009-4324 [severity: critical; rule: CVE exact, CVE_2009_4324]
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 [severity: critical; rule: CVE exact, CVE_2009_0927]
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 [severity: critical; rule: CVE exact, CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • eval() call [severity: high; rule: PDF_EVAL]
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call [severity: high; rule: PDF_UNESCAPE]
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source, Size and (where present) detection results.

  • javascript_obj0032_000.js
    SHA-256: 16f06b21cc37b7303bbfc4187e44eee6a7d17040b0ed434bfb550a1a5bcad330
    Kind: pdf-javascript-stream
    Source: PDF /JS object 32 at offset 0x417
    Size: 129 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
  • javascript_obj0034_001.js
    SHA-256: 446d7151da60bc322fd903dc6ff8ea07397e858eb1d24c475effdf2041594495
    Kind: pdf-javascript-stream
    Source: PDF /JS object 34 at offset 0x4D2
    Size: 124 bytes
  • javascript_obj0036_002.js
    SHA-256: 40303c1e78a90a2f5a78bc988bf4eb41b7e357d10343106716d569798931beff
    Kind: pdf-javascript-stream
    Source: PDF /JS object 36 at offset 0xFF
    Size: 133 bytes
  • javascript_obj0038_003.js
    SHA-256: 626164afe8063cc6d66923cd739af5ee8979965f4c65be851815285a36450c76
    Kind: pdf-javascript-stream
    Source: PDF /JS object 38 at offset 0xC32
    Size: 158 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
  • javascript_obj0078_004.js
    SHA-256: cb43d3898650d9fa28e90e218e4f3118db16f42c812e3e031a84e6e92503d5ad
    Kind: pdf-javascript-stream
    Source: PDF /JS object 78 at offset 0x7C
    Size: 37 bytes
  • legacy_pdfkit_stage_000.js
    SHA-256: e3cae6abdeaa0e9a10d7a8b785480f141ac65d11328eac2a557f7c6d703ef19d
    Kind: deobfuscated-js
    Source: repeated-marker hex decoded JavaScript at offset 0x5BE
    Size: 1634 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
  • legacy_pdfkit_stage_001.js
    SHA-256: 051fc16bec19ecc0064abb65d0dd4330559bae8af624c220631304180e993f80
    Kind: deobfuscated-js
    Source: repeated-marker hex decoded JavaScript at offset 0xD5B
    Size: 1800 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
  • legacy_pdfkit_stage_002.js
    SHA-256: 03475f753ce491e0d93cbbfa54e178dc4788105f3c1021b0dda24f62a737c756
    Kind: deobfuscated-js
    Source: repeated-marker hex decoded JavaScript at offset 0x13C5
    Size: 2938 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).