Malicious PDF — malware analysis report

Static analysis result for SHA-256 db4c7c3ae326e6ba…

Verdict: MALICIOUS
File type: PDF
Size: 16.8 KB
MD5: d9d0f4f7bfe9f2dc46d5c48af53bf3cb
SHA-1: 80f6a6ed5afc5e6396e18b1d35ce0579bcf52d24
SHA-256: db4c7c3ae326e6bad1311b050af67ad276bb6105da91054063bb3db1189e996e
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.001 User Execution: Malicious Link

The PDF carries obfuscated JavaScript: the carved /JS streams assemble strings from percent-encoded arrays and pass them through unescape() and eval(), a loader pattern whose purpose is to keep the real code out of reach of plain string scanning. Only after that layer is decoded does the critical heuristic fire: the deobfuscated script calls media.newPlayer(), the API behind CVE-2009-4324, a use-after-free in the Adobe Reader multimedia plugin that was exploited in the wild in December 2009 and patched in Adobe Reader/Acrobat 9.3. The decoded stages indicate that the exploit's purpose is to download and execute a second-stage payload. No malware family could be assigned: the exploit code is generic, and ClamAV reported nothing on any of the carved artifacts, so the verdict rests on the heuristics and the classifier. The ATT&CK mapping to PowerShell (T1059.001) is not corroborated by any heuristic or artifact listed here and should be read as a statement about the second stage rather than as observed behaviour of this file.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • media.newPlayer — CVE-2009-4324 [critical; CVE exact match; rule CVE_2009_4324]
    PDF JavaScript calls media.newPlayer(). CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(); it was actively exploited as a zero-day in December 2009. Identified after JavaScript deobfuscation.
  • eval() call [high; rule PDF_EVAL]
    eval() found; commonly used to execute obfuscated exploit code.
  • JavaScript action [low; rule PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low; rule PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
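The pipeline behind the insights paragraph and the heuristic list above (carve the /JS streams, statically decode the percent-encoded string array that unescape() would reassemble, then score every stage against the rule set) as an added Python example. This is illustrative code written for this page, not the analysis platform's own code. The PDF it scans is a constructed, inert test file built inside the block; the rule weights, the stage numbering and the per-object bookkeeping are assumptions; the only thing it shares with the real sample is the loader pattern (percent-encoded literals, unescape(), eval(), a media.newPlayer() call that only appears once the loader is decoded).

```python
import hashlib
import re
import zlib
from urllib.parse import unquote

# Constructed sample: hand-built and inert, NOT the file from the report.
def percent_encode(text: str) -> str:
    """Encode each character as %xx, the form JavaScript unescape() consumes."""
    return "".join("%%%02x" % ord(c) for c in text)

# Second stage: what the loader reassembles and eval()s. It only names the
# vulnerable API; there is no heap spray or shellcode in this example.
STAGE1_JS = "var p = media.newPlayer(null); app.alert(p);"
# First stage, as it sits in the /JS stream: the API name is split across two
# percent-encoded literals so that no single literal contains "media.newPlayer".
STAGE0_JS = ("var k = ['" + percent_encode(STAGE1_JS[:14]) + "', '"
             + percent_encode(STAGE1_JS[14:]) + "'];\neval(unescape(k.join('')));\n")

def build_pdf(js: str) -> bytes:
    """Minimal PDF: /OpenAction is a /JavaScript action whose /JS is a FlateDecode stream."""
    stream = zlib.compress(js.encode("latin-1"))
    objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 4 0 R >> >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream) + stream + b"\nendstream"]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)

SAMPLE_PDF = build_pdf(STAGE0_JS)

# Carving: one artifact per stream that a /JS key references by indirect object.
OBJ_RE = re.compile(rb"(\d+) 0 obj\b(.*?)endobj", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+) 0 R")
LEN_RE = re.compile(rb"/Length\s+(\d+)")

def carve_js_streams(pdf: bytes):
    """Return (object_number, offset, javascript_text) per /JS stream; offsets match 'object N at offset 0x..'."""
    wanted = {int(n) for n in JS_REF_RE.findall(pdf)}
    found = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        sm, lm = re.search(rb"stream\r?\n", body), LEN_RE.search(body)
        if num not in wanted or not sm or not lm:
            continue
        raw = body[sm.end():sm.end() + int(lm.group(1))]  # trust /Length, not a terminator search
        if b"/FlateDecode" in body[:sm.start()]:
            raw = zlib.decompress(raw)
        found.append((num, m.start(), raw.decode("latin-1")))
    return found

# Static deobfuscation of the percent-array / unescape() loader.
PCT_LIT_RE = re.compile(r"['\"]((?:%(?:u[0-9a-fA-F]{4}|[0-9a-fA-F]{2}))+)['\"]")

def js_unescape(s: str) -> str:
    """Static equivalent of JavaScript unescape(): resolve %uXXXX first, then %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def decode_percent_array(js: str) -> str:
    """Join every fully percent-encoded literal in source order and unescape it ('' if none)."""
    blobs = PCT_LIT_RE.findall(js)
    return js_unescape("".join(blobs)) if blobs else ""

# Heuristics: rule ids and severities from the report; the numeric weights are assumed.
DOC_RULES = [("PDF_JAVASCRIPT", "low", rb"/JavaScript\b"), ("PDF_JS", "low", rb"/JS\b")]
JS_RULES = [("PDF_EVAL", "high", r"\beval\s*\("),
            ("CVE_2009_4324", "critical", r"\bmedia\.newPlayer\s*\(")]
WEIGHTS = {"info": 1, "low": 5, "high": 40, "critical": 100}

def triage(pdf: bytes) -> dict:
    """Document rules on the raw bytes, JS rules on every carved stage; each rule is
    recorded once, at the first stage where it fires (stage 1 = deobfuscated)."""
    hits, artifacts = {}, []
    for rid, sev, pat in DOC_RULES:
        if re.search(pat, pdf):
            hits.setdefault(rid, (sev, "document"))
    for num, off, js in carve_js_streams(pdf):
        decoded = decode_percent_array(js)
        stages = [js, decoded] if decoded else [js]
        for depth, code in enumerate(stages):
            artifacts.append({"object": num, "offset": off, "stage": depth, "size": len(code),
                              "sha256": hashlib.sha256(code.encode("latin-1")).hexdigest()})
            for rid, sev, pat in JS_RULES:
                if re.search(pat, code):
                    hits.setdefault(rid, (sev, "obj %d stage %d" % (num, depth)))
    return {"hits": hits, "artifacts": artifacts,
            "score": sum(WEIGHTS[sev] for sev, _ in hits.values())}

if __name__ == "__main__":
    for rid, (sev, where) in triage(SAMPLE_PDF)["hits"].items():
        print("%-15s %-9s %s" % (rid, sev, where))
```

Running it shows why the report marks the CVE rule "identified after JavaScript deobfuscation": PDF_EVAL fires on the carved stream itself (stage 0), but CVE_2009_4324 fires only on stage 1, because the two percent-encoded literals each carry half of the API name. Two caveats apply to any tool of this shape. A string match on media.newPlayer( proves that the script names the vulnerable API, not that the document reliably triggers the use-after-free, so the rule is an indicator, not a confirmation of exploitation. And the static decoder only resolves arrays of literal percent-encoded strings; a loader that builds the same text with arithmetic, String.fromCharCode, or a runtime key would need execution in a sandboxed JavaScript engine rather than a regular expression.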

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • javascript_obj111711_000.js
    SHA-256: 275f750c722c98059f9b3167f578f3d5961d34a0e758ce4fc52bea4a078e5bc0
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111711 at offset 0x18E
    Size: 3076 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s) and 6 long base64-like blob(s).
  • javascript_obj111712_001.js
    SHA-256: ebae720f0b5321793fa0703c9c3161fab05dac906623faa56b18e3cdfe3abd5a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111712 at offset 0xDC8
    Size: 11122 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s) and 4 long base64-like blob(s).
  • javascript_obj111713_002.js
    SHA-256: 200a5719bd9d9edee0791dd6b700ace89614c701a0ddd0b11e0cad033772472d
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111713 at offset 0x3970
    Size: 2431 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s) and 4 long base64-like blob(s).
  • legacy_pdfkit_stage_000.js
    SHA-256: 14d9d23d619682a659b666d1537fbe47a8cc4db49b0c37d63714847d39b24a42
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0xDC8
    Size: 1080 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s).
  • legacy_pdfkit_stage_001.js
    SHA-256: 5091795dc7dfd1e269d30a5ab394f1536cab6157b0cb74b7e26a9fdc9129a46f
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0x3970
    Size: 165 bytes
  • legacy_pdfkit_stage_002.js
    SHA-256: 376cfd6a3f51ed54b8d4ce85d16c3e84d41b9f4c131e27b4ab8715d3f12255e2
    Kind: deobfuscated-js
    Source: multi-marker percent-array combined decoded JavaScript at offset 0xDC8
    Size: 1246 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s).