Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8ad4eed4e68b361…

MALICIOUS

PDF

Size: 80.7 KB
Created: 2009-07-08 10:53:46 +08:00
Authoring application: Acrobat Distiller 7.0 (Windows)
MD5: 7b28683486d9ff7efec45b533c58a532
SHA-1: e5a518f5ed725c35bfdd1cce2a7000dc55a64e6e
SHA-256: e8ad4eed4e68b361fc69e4e2d8b4db70017fe4efaeda92f3eec261f79e723e53
Risk score: 76

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF sample contains embedded JavaScript that leverages the CVE-2009-4324 vulnerability (media.newPlayer). This vulnerability is known to be used for arbitrary code execution within PDF viewers. The embedded JavaScript is likely responsible for downloading and executing a secondary payload, although the specific details of the payload cannot be determined from the available evidence. The presence of JavaScript actions and embedded JS streams, coupled with the critical CVE rule firing, strongly indicates an exploit attempt.

Heuristics (4)

  • media.newPlayer — CVE-2009-4324 (severity: critical; rule: CVE_2009_4324; CVE exact)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0017_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 17 at offset 0x4DD
    Size: 2944 bytes
    SHA-256: fec02ac84241a606ddee84042d46f183d5a3e8bc4f3fce27d6a568b328437545
  • js_property_alias_stage_000.js
    Kind: deobfuscated-js
    Source: JavaScript hex-escape property alias normalized stage at offset 0x4DD
    Size: 2821 bytes
    SHA-256: 0a0704461fa8203c43232880ecb4cca3a34501dc5b509982d7b0a154ee6ce5a0