Malicious PDF — malware analysis report

Static analysis result for SHA-256 e34d1862ec1326e8…

Verdict: MALICIOUS
File type: PDF
Size: 230.0 KB
Created: 2010-01-07 11:07:02 +08:00
MD5: a4acfafcc70b44047ef80d2b0623f9b0
SHA-1: e2ed2ca5f93edf5c0c18cef9c9bd27e2739c74f3
SHA-256: e34d1862ec1326e8f40d75a4f95784d46bf6b3b99f8f6c24a8066d4cf98d9485
Risk score: 84

Malware Insights

The PDF file contains embedded JavaScript that exploits CVE-2009-4324, a vulnerability in Adobe Reader's media.newPlayer function. This indicates the file is designed to exploit this known vulnerability in Adobe Reader to execute arbitrary code. The embedded JavaScript is most likely responsible for downloading and executing a second-stage payload, although the exact nature of that payload cannot be determined from the available evidence.

Heuristics (5)

  • media.newPlayer — CVE-2009-4324 (severity: critical; rule: CVE_2009_4324; exact CVE match)
    PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded file (severity: low; rule: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload. (matched inside decoded stream)
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are standard XMP/RDF metadata namespace identifiers, as commonly found in PDF metadata, not network indicators.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: legacy_pdfkit_stage_000.js
    SHA-256: 42c3f4df375ff6f58ff655cc4f88b5cc28f0dd33b978390db3538684a6219b74
    Kind: deobfuscated-js
    Source: string-concatenation normalized, Acrobat API aliases, at offset 0x674
    Size: 126 bytes
  • Filename: objstm_0026_00.bin
    SHA-256: 1927301306a8a9b7ed09f153bcb6dbe394efd284902831ca549fbd446c3a8d21
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 26 0 obj (inflated)
    Size: 306 bytes