Malicious PDF — malware analysis report

Static analysis result for SHA-256 e78c8e939af3da25…

MALICIOUS

PDF

1.9 KB
MD5: f96288309c020bc5e2db694eea508af1 SHA-1: 3ed47b9749ac082dedd5ac77f1cc3c9d3167c03d SHA-256: e78c8e939af3da25ff7ff5c89307bd64fad3d4cd441dd8419f9f90b57e1f6fac
76 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The critical CVE_2008_2992 heuristic firing on 'util.printf' suggests exploitation of a known vulnerability within the PDF parser to achieve arbitrary code execution. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, although the specific actions are obfuscated. The DOC BODY content appears to be malformed or truncated, providing no further context on the document's lure.

Heuristics 3

  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js
1e738c881ef714d1d6c5327f3e510b31b0b179512b78e83193617a5848457c71		 pdf-javascript-stream PDF /JS object 6 at offset 0x138 1315 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.