Malicious PDF — malware analysis report

Static analysis result for SHA-256 d98ac1b0317ab4c2…

Verdict: MALICIOUS
File type: PDF
Size: 46.0 KB
MD5: ee0e7fd5f08507e511688956f3407482
SHA-1: 42ae9d04f49b17e125bdaace9d1b10188d928e39
SHA-256: d98ac1b0317ab4c2debcc324b28182030c4b2697cf90f78a87ad234dcc7748c7
Risk score: 100

Malware Insights

MITRE ATT&CK

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File (malicious JavaScript)

The PDF carries embedded JavaScript that exploits CVE-2009-0927 in Adobe Reader. The script is heavily obfuscated: a custom Base64 decoder and multiple nested layers hide the exploit code, so the Collab.getIcon call only becomes visible after deobfuscation. Exploits of this kind are typically used to download and execute a second-stage payload.

Heuristics (5)

  • Collab.getIcon (CVE-2009-0927)   severity: critical   rule: CVE_2009_0927   match: exact CVE
    The PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument and allows arbitrary code execution. Identified only after JavaScript deobfuscation.
  • ASCIIHexDecode filter (with exploit indicators)   severity: medium   rule: PDF_FILTER_HEX
    A hex-encoding filter is present alongside exploit delivery indicators. ASCIIHexDecode is often used to hide payload or shellcode bytes from plain string matching on the file.
  • JavaScript action   severity: low   rule: PDF_JAVASCRIPT
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream   severity: low   rule: PDF_JS
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact   severity: info   rule: EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
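The heuristic chain above (the generic /JavaScript and /JS rules, the ASCIIHexDecode filter rule, and the Collab.getIcon rule that only fires after deobfuscation), together with the eval/decoder token count reported under Detection, as an added Python example that is not the analysis platform's code or anything recovered from this sample. It constructs its own PDF in the shape the report describes; the object numbers, the custom Base64 alphabet, the decoder stub and both JavaScript layers are assumptions made for the example.

```python
import base64
import re

# Added example for this page, not the analysis platform's code. It builds a
# constructed PDF shaped like the report's sample (an ASCIIHexDecode-filtered
# /JS stream whose first layer decodes a custom-alphabet Base64 blob and evals
# it; Collab.getIcon appears only in layer 2) and runs the heuristic set on it.
# Object numbers, the custom alphabet and both JavaScript layers are assumptions.
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CUSTOM_ALPHABET = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210-_"
STAGE2_JS = 'var buf = unescape("%u0c0c%u0c0c"); Collab.getIcon(buf);'
OBFUSCATION_TOKENS = ("eval(", "unescape(", "String.fromCharCode", "substring(")
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
LITERAL_RE = re.compile(r'"([^"\\]*)"|\'([^\'\\]*)\'')


def custom_b64_encode(data: bytes) -> str:
    """Standard Base64, then every symbol remapped into the custom alphabet."""
    return base64.b64encode(data).decode("ascii").translate(
        str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET))


def custom_b64_decode(text: str, alphabet: str) -> bytes:
    """Map a custom alphabet back to standard Base64; stray symbols raise."""
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)),
                            validate=True)


def build_sample_pdf() -> bytes:
    """Constructed sample: Catalog -> /OpenAction -> /JavaScript -> /JS stream."""
    stage1 = ('var A="%s";var K="%s";function D(s){/* custom Base64 decoder '
              'omitted */}eval(D(K));') % (CUSTOM_ALPHABET,
                                            custom_b64_encode(STAGE2_JS.encode()))
    raw = stage1.encode("ascii").hex().upper()
    hexdata = " ".join(raw[i:i + 2] for i in range(0, len(raw), 2)) + ">"
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"7 0 obj\n<< /S /JavaScript /JS 8 0 R >>\nendobj\n",
        b"8 0 obj\n<< /Length ", str(len(hexdata)).encode(),
        b" /Filter /ASCIIHexDecode >>\nstream\n", hexdata.encode("ascii"),
        b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Undo the one filter this triage understands: ASCIIHexDecode."""
    if b"/ASCIIHexDecode" not in dictionary:
        return raw
    hexpart = re.sub(rb"\s+", b"", raw.split(b">", 1)[0])
    if len(hexpart) % 2:
        hexpart += b"0"  # PDF spec: a trailing odd digit is padded with 0
    return bytes.fromhex(hexpart.decode("ascii"))


def extract_js_streams(pdf: bytes):
    """Yield (object number, decoded bytes) for streams referenced as /JS n 0 R."""
    refs = {int(n) for n in re.findall(rb"/JS\s+(\d+)\s+0\s+R", pdf)}
    for num, body in OBJ_RE.findall(pdf):
        m = STREAM_RE.search(body)
        if int(num) in refs and m:
            yield int(num), decode_stream(body[:m.start()], m.group(1))


def _decode_literal(lit: str, alphabet: str):
    try:
        text = custom_b64_decode(lit, alphabet).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def peel_layers(js: str, max_depth: int = 4) -> list:
    """Peel custom-Base64 layers: a 64-symbol literal with no repeats is taken as
    the alphabet; the first long literal that decodes to text is the next layer."""
    layers = [js]
    for _ in range(max_depth):
        lits = [a or b for a, b in LITERAL_RE.findall(layers[-1])]
        alphabets = [s for s in lits if len(s) == 64 and len(set(s)) == 64]
        candidates = (_decode_literal(l, a) for a in alphabets
                      for l in lits if l != a and len(l) >= 16)
        nxt = next((t for t in candidates if t), None)
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def triage(pdf: bytes) -> dict:
    """Apply the report's rule set; rule ids match the heuristics listed above."""
    hits = {}
    for marker, rule in ((rb"/JavaScript", "PDF_JAVASCRIPT"), (rb"/JS\b", "PDF_JS")):
        if re.search(marker, pdf):
            hits[rule] = "low"
    layers = {n: peel_layers(d.decode("latin-1")) for n, d in extract_js_streams(pdf)}
    text = "\n".join(layer for ls in layers.values() for layer in ls)
    if "Collab.getIcon" in text:  # only visible once the layers are peeled
        hits["CVE_2009_0927"] = "critical"
    if b"/ASCIIHexDecode" in pdf and "CVE_2009_0927" in hits:
        hits["PDF_FILTER_HEX"] = "medium"  # hex filter plus an exploit indicator
    tokens = sum(text.count(t) for t in OBFUSCATION_TOKENS)
    return {"heuristics": hits, "layers": layers, "obfuscation_tokens": tokens}
```

`triage(build_sample_pdf())` reports the two low-severity JavaScript rules, CVE_2009_0927 and PDF_FILTER_HEX, and counts two obfuscation tokens (eval in layer 1, unescape in layer 2). The CVE rule depends entirely on peel_layers: layer 1 never mentions Collab.getIcon, which is the reason the report flags the exploit as identified only after deobfuscation. The custom-alphabet decoder is one common form of "custom Base64"; the real sample's decoder may differ, and a triage script should treat the alphabet-guessing step as a heuristic, not a guarantee.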

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0008_000.js
    SHA-256: abae749eb47edd940420607d4da0361851d9b437887049d666a913db63970ee9
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1D3
    Size: 9263 bytes
  • custom_b64_stage_000.js
    SHA-256: 2574efb33b6d84146d621e88e5bda2367e260633dbdc841c3d7581d81cd5ecca
    Kind: deobfuscated-js
    Source: custom Base64 decoded JavaScript layer 2 (PDF /JS object 8) at offset 0x8A7
    Size: 1529 bytes

Detection

  • ClamAV: no threats found
  • Obfuscation or payload: likely
  • Carved artifact contains 3 eval/decoder/string-building tokens

The clean ClamAV result is a signature miss, not a clean bill of health: the Collab.getIcon call only appears after the custom Base64 layer is decoded, so the verdict rests on the heuristics above rather than on antivirus signatures.