Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0f8bfcf5a76b8dd…

MALICIOUS

PDF

386.8 KB Created: 2008-01-05 16:25:50 +01:00 Authoring application: LaTeX with hyperref package (via pdfeTeX-1.21a)
MD5: d06cd2e441b70915d6aa859064fcceac SHA-1: 1b9d1cb5ad0afb2c58b6714f9873a053c3ea2ef7 SHA-256: f0f8bfcf5a76b8dd5319c12d32658a52110dc2f0fbd08982d766975325375751
212 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

This PDF document exploits CVE-2011-2462 and CVE-2009-3459, leveraging a JavaScript heap spray within the U3D parser. The embedded JavaScript, though obfuscated, is designed to execute malicious code. The primary attack vector appears to be the exploitation of the Adobe Reader 3D U3D parser vulnerability, which is a known method for delivering secondary payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 8

  • Adobe Reader U3D parser exploit with JavaScript heap spray critical CVE likely CVE_2011_2462_U3D_HEAPSPRAY
    PDF combines U3D/3D annotation content with JavaScript heap-spray shellcode. Public CVE-2011-2462 exploit chains use a crafted U3D stream and JavaScript heap spray to control memory during Adobe Reader's U3D parser corruption.
  • Adobe Reader U3D auto-activated 3D annotation — CVE-2009-3459 critical CVE likely CVE_2009_3459_U3D_AUTOACTIVATE
    PDF contains a /Subtype /3D annotation that is configured to auto-activate on page view (/3DA <</A /PV /AIS /I>>) alongside a /U3D stream and JavaScript. This is the document shape used by CVE-2009-3459 (Adobe Reader U3D CLODProgressiveMeshDeclaration heap overflow, APSB09-15): the U3D parser runs without any user interaction once the page is rendered, while the accompanying JavaScript prepares a heap-spray to land controlled memory inside the corrupted allocation.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://vcg.isti.cnr.it)/S/URI/Type/Action
    • http://meshlab.sourceforge.net)/S/URI/Type/Action
    • http://vcg.isti.cnr.it
    • http://meshlab.sourceforge.net
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0015_000.js
6b7b97a43069e3ad20209e754c60214aac1a416570603df820e7eaf94166e219		 pdf-javascript-stream PDF /JS object 15 at offset 0x665 106149 bytes
stream_010_off0003559f.bin
b1f937b9541d599e1c6000c4c47f7f3f21a4d9b0e1051c8a5580e07bc6106afd		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3559F 177792 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.72, consistent with packed or encrypted content.
font_00_type1_off0002e9dc.bin
d129a586d7449f3004ab2629e1b01753002037f8ca955d68339aba6fea13d9dd		 pdf-font-stream PDF embedded font (type1) at offset 0x2E9DC 6428 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
font_01_type1_off00030277.bin
6d68a200ddadd677e7031f9795a017ce42b4d7f02b68d39a072ecbc1e20fb5d6		 pdf-font-stream PDF embedded font (type1) at offset 0x30277 7849 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.64, consistent with packed or encrypted content.
font_02_type1_off00032143.bin
cab7a46a0f2b73639fc37aa221b515da6888b096748ee89dec2f4876e25f7f1f		 pdf-font-stream PDF embedded font (type1) at offset 0x32143 2374 bytes
font_03_type1_off00032934.bin
f1d06dc0327817e03d778a88f65436557134c269106fbc5438dd4ef0c897a441		 pdf-font-stream PDF embedded font (type1) at offset 0x32934 11287 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.76, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.