Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb5deec3420a370f…

Verdict: MALICIOUS
File type: PDF
Size: 427.3 KB
Created: 2009-12-16 21:50:36 +08:00
Authoring application: PDF Editor - Foxit Software
MD5: 470794dcf268c1363017f5a4e04e0b38
SHA-1: f0894818fce791b86f9075fcac507a32b3c93443
SHA-256: eb5deec3420a370f8f5796bfc8fdbc41b439a8e99cf66c9050b2948a3e54f5ac
Risk Score: 106

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: JavaScript

The PDF file contains embedded JavaScript and triggers a critical heuristic for CVE-2009-4324 (media.newPlayer). This indicates the document is designed to exploit this vulnerability to execute arbitrary code. The JavaScript is obfuscated using String.fromCharCode, making its exact function difficult to determine, but the overall pattern suggests a malicious payload delivery. No specific malware family could be identified.

Heuristics (7)

  • media.newPlayer — CVE-2009-4324 [critical] [CVE exact] CVE_2009_4324
    PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). It was actively exploited as a zero-day in December 2009.
  • String.fromCharCode [medium] PDF_FROMCHARCODE
    String.fromCharCode found; used to construct payload strings dynamically.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF paints image(s) but contains no text operators [info] PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0017_000.js
SHA-256: 4f590eab76e915b914e0ca555a9c5cc45d398f526b69829480e431f3e8b5a1a1
Kind: pdf-javascript-stream
Source: PDF /JS object 17 at offset 0x457
Size: 2045 bytes