Malicious PDF — malware analysis report

Static analysis result for SHA-256 e14d1c5c9d1805a1…

MALICIOUS

PDF

20.5 KB
MD5: 1b47c6a1abd5f2f116d87e331eef3b74 SHA-1: 6d4f8c0eed8a93507f218e82447f33a4756817a2 SHA-256: e14d1c5c9d1805a189973868767e71d5fc58408f0761e5006f6868fff282e79e
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF sample contains multiple embedded JavaScript streams, with one critical heuristic firing for CVE-2009-0927 due to the use of Collab.getIcon. The document body shows obfuscated JavaScript code that utilizes eval() and unescape() functions, indicating an attempt to hide malicious actions. The primary intent appears to be the execution of a second-stage payload via the exploited vulnerability, likely leading to further malware infection.

Heuristics 5

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj111711_000.js
6de8a93b4927f719158c11e59d3356a2ae8f88dfe4333b936f1ca160245430ae		 pdf-javascript-stream PDF /JS object 111711 at offset 0x18E 3466 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
javascript_obj111712_001.js
d47bd8f28b1a2780be364306d8d4ec8402bee5829adfc2091c9de804835e6bdd		 pdf-javascript-stream PDF /JS object 111712 at offset 0xF4E 15390 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
javascript_obj111713_002.js
cdcd649b7310364a8fd706c78606748454b8ff749f8dd7fccb7f2ff23b92ec76		 pdf-javascript-stream PDF /JS object 111713 at offset 0x4BA2 1502 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
legacy_pdfkit_stage_000.js
6e63db0211906ea6e20382de4ea7f82082467e32ab22d481ab31f199862b6301		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0xF4E 1527 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
legacy_pdfkit_stage_001.js
407624ceb11bdfcccd03817d5cc6229f3a3f8dfc15051e1567d07f2b81bcede8		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x4BA2 100 bytes
legacy_pdfkit_stage_002.js
3862a9bd1f3d2f5240270baa44a196a4c7f6c6f3fdd005cbba1b428fdf09fd9d		 deobfuscated-js multi-marker percent-array combined decoded JavaScript at offset 0xF4E 1628 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.