PDF malware analysis — malicious · f0c42008fb2fb93f

MALICIOUS

PDF

1.8 KB

MD5: 1a5e51e453c0023140a79434b8abf201 SHA-1: 98ff89eb3c7faca71c22c52127431271135022b0 SHA-256: f0c42008fb2fb93fef8600b2c156bae421f9417efacdb542e75f7a3822d55186

104 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link

The PDF document contains embedded JavaScript and utilizes ASCIIHexDecode and ASCII85Decode filters, indicating obfuscation. The critical finding is the exploitation of CVE-2008-2992, evidenced by the util.printf function within the decompressed stream. This suggests the PDF is designed to deliver a malicious payload by exploiting this known vulnerability.

Heuristics 5

util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85

ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0006_000.js` `83c8a5ec6859407c31b39b3125bcbb28518ebf6aab42b4fa693ae02f089c80b5`	pdf-javascript-stream	PDF /JS object 6 at offset 0x138	1333 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.