Malware Insights
The PDF sample contains obfuscated JavaScript, including multiple calls to eval() and unescape(), indicating an attempt to hide malicious code. The critical heuristic firing for CVE-2009-4324, specifically mentioning the media.newPlayer sink and percent-array decoding, strongly suggests exploitation of this vulnerability. The deobfuscated JavaScript artifacts confirm the presence of exploit code designed to download and execute a secondary payload. The reconstructed string literals like "v"+"ar "+"lWUldR4GAG"+" ="+" e"+"v"+"a"+"l;" and similar concatenations are used to construct JavaScript functions, further obscuring the malicious intent. The primary goal appears to be the execution of arbitrary code via the identified exploit.
Heuristics 5
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj111711_000.js0e893abf1566d45c63cabab131fb46cdbfcaceb40ef3170b8357a1fe31fb61cd |
pdf-javascript-stream | PDF /JS object 111711 at offset 0x18E | 3105 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
|
|||
javascript_obj111712_001.js3c225ed4b6dbcc2b99ff01c4fb8be90d447146334dfd155d78ddaee4645a9cba |
pdf-javascript-stream | PDF /JS object 111712 at offset 0xDE5 | 12072 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
|
|||
javascript_obj111713_002.js15489179b2a4e5b2095eaf55c35a756fa369c89f9f4a62696145037724d246d5 |
pdf-javascript-stream | PDF /JS object 111713 at offset 0x3D43 | 2579 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
legacy_pdfkit_stage_000.jse1870d54cc45e347aa1de92bf8215a50b2c632d0cec8e3fff4b1472c73c50a9b |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0xDE5 | 1082 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
legacy_pdfkit_stage_001.js96b2a5f7a22877fadb04e07bb4335bd122d4d8b085b2d24069d89aeba75753fb |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x3D43 | 172 bytes |
legacy_pdfkit_stage_002.js606dd80b4f49ce4a45a7639fd65611ec91508ef61b5b7eaad59399815c57d377 |
deobfuscated-js | multi-marker percent-array combined decoded JavaScript at offset 0xDE5 | 1255 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.