MALICIOUS
118
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.001 Malicious Link
The PDF file contains embedded JavaScript that leverages the CVE-2009-0927 vulnerability through the Collab.getIcon method. This technique is used to download and execute a second-stage payload. The obfuscated JavaScript and the use of eval() indicate a deliberate attempt to hide malicious activity.
Heuristics 5
-
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 7
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj111711_000.jsca669566034c0d4496eedb167dcc4b0cc564404230d902074fa5007f36e0a26f |
pdf-javascript-stream | PDF /JS object 111711 at offset 0x18E | 3564 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
|
|||
javascript_obj111712_001.js6594152d2215835fcc5e5cb23bfae2f0d2f1241711f3e76e9ebeb85f3c17528d |
pdf-javascript-stream | PDF /JS object 111712 at offset 0xFB0 | 16549 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
javascript_obj111713_002.jsfa496dcee300b654ecf1a1ba22563ffaaa253e21bc47c14a046a65b74fd31311 |
pdf-javascript-stream | PDF /JS object 111713 at offset 0x508B | 1674 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
legacy_pdfkit_stage_000.js3b1e8e55acc3485584a7fa854f1a9edaf1f41af52b68174162e5ea5995b9759f |
deobfuscated-js | double percent-decoded annotation JavaScript at offset 0xFB0 | 15827 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 9 long base64-like blob(s).
|
|||
legacy_pdfkit_stage_001.jsa7bf9e8f3472d8e456111af54d3cbfd9bd06c7e59489254ed4481e1c4d057ace |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0xFB0 | 1520 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 eval/decoder/string-building token(s).
|
|||
legacy_pdfkit_stage_002.js95d52c265d60ffad372da99bb3db5c3f0b48fc84b1aaa90902895f12786cdc82 |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x508B | 99 bytes |
legacy_pdfkit_stage_003.js7983f75ca58807096a192c0596a945b237533ae2d204b86f0eeae10c6011045b |
deobfuscated-js | multi-marker percent-array combined decoded JavaScript at offset 0xFB0 | 1620 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 eval/decoder/string-building token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.