Malicious PDF — malware analysis report

Static analysis result for SHA-256 dfacec1b1ab7b1db…

MALICIOUS

PDF

119.9 KB Created: 2009-06-26 16:25:57 +08:00 Authoring application: Acrobat PDFMaker 7.0 for Word (via Acrobat Distiller 7.0 (Windows))
MD5: 23326bc8b4ad769928e9343be8b01eb1 SHA-1: fec8615d8ef0a1ee90b8a79bf9abff92a9b8d2b3 SHA-256: dfacec1b1ab7b1dba586fa5381f0682ae6148e66e6a6ab8720e4e5b8d242724b
78 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF document contains embedded JavaScript that leverages the CVE-2009-0927 vulnerability. This exploit is designed to execute arbitrary JavaScript code within the context of the PDF viewer. The heuristic firings indicate that the PDF launcher concatenates info fields, extracts characters at a fixed stride, and evaluates the result, which is a common technique for exploiting this vulnerability. The specific exploit mechanism points to a malicious PDF designed to compromise the user's system.

Heuristics 4

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0048_000.js
1cdadb243e498c2060f705d316617a2097888a80306eadfc740bd5544b085474		 pdf-javascript-stream PDF /JS object 48 at offset 0x50B 4218 bytes
js_property_alias_stage_000.js
f18d1ea6318218c0186598905640f82ae05e73b45f0ed1f8b49737c66ce46e50		 deobfuscated-js JavaScript property alias normalized stage at offset 0x50B 3425 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.