PDF malware analysis — malicious · f042c173458f2193

MALICIOUS

PDF

2.3 KB

MD5: d3fddbc9f49ffd3531a89bd8de9471b4 SHA-1: 51912a652d4d5a61e80ad17cc0efed7d79827663 SHA-256: f042c173458f2193afd585b6a7f8814628adcf563b9c15cc3d605b181de0548c

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple PDF_JAVASCRIPT and PDF_JS heuristic firings. A critical CVE_2008_2992 alert suggests the exploitation of a known vulnerability within the PDF reader. The presence of unescaped JavaScript and a long encoded blob further supports the malicious nature. The primary intent appears to be the execution of a malicious script, likely to download and execute a second-stage payload, leveraging the CVE-2008-2992 vulnerability.

Heuristics 5

util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj263984_000.js` `cab2e1aadd841dc859a51a2d3590edec8fdc0c8279b0841f6f9233555428aea8`	pdf-javascript-stream	PDF /JS object 263984 at offset 0x197	6962 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
`javascript_obj263985_001.js` `e5129da95f662b1cb9a7933909a80a2bbb2dcedaeed1b411a9c9ee031cc6fa80`	pdf-javascript-stream	PDF /JS object 263985 at offset 0x6D4	155 bytes
`javascript_obj263986_002.js` `5907d85efd651712c3d120d6cbab222b6a4e2e076216a658b08b926609c53bdc`	pdf-javascript-stream	PDF /JS object 263986 at offset 0x7A6	520 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.