Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce3369516503cee6…

Verdict: MALICIOUS
File type: PDF
Size: 161.2 KB
Created: 2009-03-12 16:00:29 -04:00
Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 8.1.0 (Windows))
MD5: e5b5553fb51c1d7d8d135b5a5703db93
SHA-1: 77e7c032f615a3898566a6b0b52e8c9e6be22e18
SHA-256: ce3369516503cee6632c44253ca945db0c6f012b8945c0754b0dfc7967b94d5a
Risk score: 178

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The file is a PDF document that contains embedded JavaScript and triggers a critical heuristic for CVE-2009-0927, indicating an exploit targeting this vulnerability. The presence of JavaScript and the specific CVE exploit strongly suggest the document is designed to execute malicious code upon opening. No specific family could be identified, but the exploit mechanism is clear.

Heuristics (6)

  • Collab.getIcon — CVE-2009-0927 (critical, CVE exact, rule CVE_2009_0927)
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution.
  • ClamAV: Pdf.Exploit.CVE_2009_0927-1 (critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.CVE_2009_0927-1
  • unescape() call (high, rule PDF_UNESCAPE)
    unescape() found; it is often used to decode a shellcode string inside PDF JavaScript exploits.
  • JavaScript action (low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    All five are standard XMP and Dublin Core namespace identifiers that appear in ordinary PDF metadata, so they carry no weight on their own.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • icc_00_off00002fd3.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x2FD3
    Size: 3144 bytes
  • font_00_sfnt_off000265e8.bin
    SHA-256: e57d1b37811cd7f02a6a526812c0917d7fa1a15c55956626d9f15a0b5740d1db
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x265E8
    Size: 6168 bytes