Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7ddd9b97e656d1f…

MALICIOUS

PDF

8.1 KB Created: 2010-03-18 10:30:10 +01:00
MD5: 2488e7586eb1046ef8225e3c977f7abf SHA-1: 904efb88f3d2557dc7daae05419ce3717134d5ec SHA-256: d7ddd9b97e656d1fed2cd13bf550905de33c135d5b70edf9fc4bf9cee0b0e8e1
178 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The file is a PDF containing embedded JavaScript, indicated by multiple PDF_JAVASCRIPT and PDF_JS heuristic firings. The presence of PDF_U3D_CVE_RELATED and PDF_FILTER_HEX suggests exploitation of a vulnerability related to Adobe Reader's 3D content parsing. The ClamAV detection of 'Pdf.Exploit.Agent-19360' confirms its malicious nature. The embedded JavaScript is likely responsible for executing the exploit payload.

Heuristics 8

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • ClamAV: Pdf.Exploit.Agent-19360 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-19360
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js
6c85aefc548cb4e97188ee8ef11ce0a94b051a73a7ade643b034dec4e4ac0eac		 pdf-javascript-stream PDF /JS object 1 at offset 0x10D3 3064 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
javascript_obj0002_001.js
53ef3e86395c29047481d41061937b32759780f8b45be9739a0a576f50df45b1		 pdf-javascript-stream PDF /JS object 2 at offset 0x1006 58 bytes
u3d_00_off00000eb1.bin
f68c50e5c3ef711fa3e0d4698e0c1e9c4126c4877e045d50157794c96e639fe5		 pdf-3d-stream PDF U3D 3D stream at offset 0xEB1 268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.