PDF malware analysis — malicious · dbd1a7ce06b601c2

MALICIOUS

PDF

267.2 KB

MD5: 71e82bee3ef47a667268d495f7035cf6 SHA-1: c5df9e1ac115430f6b6ffbd861c625cb26a8b2fa SHA-256: dbd1a7ce06b601c23eff4a083d62b73a42d49ce3e16448c2e3e6d89af817bebc

84 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: Malicious File

The PDF file contains embedded JavaScript that utilizes the String.fromCharCode method and exploits CVE-2009-4324 via the media.newPlayer object. This indicates the document is designed to execute arbitrary code upon opening. The JavaScript is obfuscated, but the exploit targeting is clear. No specific family could be identified.

Heuristics 4

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.

Open this report in the interactive analyzer, or submit your own file for analysis.