Malicious PDF — malware analysis report

Static analysis result for SHA-256 e315cce04ee6537c…

Verdict: MALICIOUS
File type: PDF
Size: 98.0 KB
Created: 2009-07-08 10:53:46 +08:00
Authoring application: Acrobat Distiller 7.0 (Windows)
MD5: 89fffc9561f1133116965d2c74bc7447
SHA-1: 408025e1c3713c4cd8d576821cf1fdabcc8b9199
SHA-256: e315cce04ee6537c5d55e76f10034904f371ee26118e55b2e0302941de268402
Risk Score: 76

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript that exploits CVE-2009-4324. The heuristic firings indicate that the JavaScript is obfuscated and is assembled at runtime from specific PDF document properties before being evaluated. This technique is commonly used to download and execute further malicious payloads.

Heuristics (4)

  • media.newPlayer — CVE-2009-4324 [severity: critical | category: CVE exact | rule: CVE_2009_4324]
    PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (Identified after JavaScript deobfuscation.)
  • JavaScript action [severity: low | rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low | rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL [severity: info | rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0017_000.js
    SHA-256: f84736c2ad6b55a2cd19591a17b8698db9d6c8aa54560e0a6c7a7272c028dbc8
    Kind: pdf-javascript-stream
    Source: PDF /JS object 17 at offset 0x4DD
    Size: 2948 bytes
  • Filename: js_property_alias_stage_000.js
    SHA-256: a18b0afb2f5126a0ad6438c92249070b976ce22ec033f33f6a6c586b288e0e0c
    Kind: deobfuscated-js
    Source: JavaScript hex-escape property alias normalized stage at offset 0x4DD
    Size: 2825 bytes