Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2464aecd9b9740b…

Verdict: MALICIOUS
File type: PDF
Size: 20.0 KB
MD5: 0c56a04ce233c3ac854e8794f76ac388
SHA-1: 66e62e90363c83040277bb010c00cb4d7e12a6e7
SHA-256: f2464aecd9b9740b7197e30ca4a26b6f9b8517cef2cb673041df3a08b80aa6a8
Risk score: 118

Malware Insights

MITRE ATT&CK: T1059.001 (Command and Scripting Interpreter: PowerShell); T1204.001 (User Execution: Malicious Link)

The PDF carries embedded JavaScript that calls eval() and unescape(), the usual scaffolding for decoding and running an obfuscated payload when the document is opened. After deobfuscation the script calls media.newPlayer, the Adobe Reader multimedia API whose use-after-free is tracked as CVE-2009-4324. A static match on that API name is strong evidence of an exploit attempt against the bug, but it does not by itself show that the exploit is functional or which Reader versions it targets. The decoded JavaScript is built to unpack and execute a second-stage payload for further compromise. No malware family could be confidently identified. Note that none of the heuristics below involves PowerShell or a clickable link, so the ATT&CK mapping above is not supported by the listed evidence and should be treated as tentative.

Heuristics (5)

  • media.newPlayer (CVE-2009-4324); severity: critical; rule: CVE_2009_4324 (exact CVE match)
    The PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in the Doc.media.newPlayer method of Adobe Reader's multimedia plugin, exploited in the wild as a zero-day in December 2009 and fixed in Reader/Acrobat 9.3 and 8.2. The call was identified only after JavaScript deobfuscation, so a signature on the raw /JS stream would not see it.
  • eval() call; severity: high; rule: PDF_EVAL
    eval() found; commonly used to execute exploit code that is decoded at run time.
  • JavaScript action; severity: low; rule: PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream; severity: low; rule: PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact; severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
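As an added example, not the analysis platform's own code and not the sample's JavaScript, the following Python script performs the static triage steps the heuristics above describe: it carves /JS objects out of a PDF (both inline `/JS (...)` literals and `/JS n 0 R` references to FlateDecode streams), emulates only the unescape() step of a percent-array unpacker as pure string manipulation so that no script is ever executed, rescans the decoded text for dangerous API names, and counts base64-like blobs. The rule table, severities and the embedded test PDF are constructed for this example and are not the sandbox's rules; in the constructed document the media.newPlayer call is hidden inside a %u-encoded string so that, as in this report, it is only found after deobfuscation.

```python
"""Static triage of JavaScript carried in a PDF: carve /JS objects, inflate
FlateDecode streams, statically decode unescape('%u...') literals without a
JS engine, and score dangerous API tokens in both raw and decoded text."""
import re
import zlib

# Assumed rule table modelled on the heuristics in the report: token -> (rule id, severity).
RULES = {
    "media.newPlayer": ("CVE_2009_4324", "critical"),  # API abused by CVE-2009-4324
    "eval(": ("PDF_EVAL", "high"),
    "unescape(": ("PDF_UNESCAPE", "medium"),
}
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)")
PCT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def static_unescape(s):
    """Decode %uXXXX / %XX sequences as JavaScript's unescape() would,
    purely as string manipulation (no JS engine involved)."""
    return PCT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def pdf_literal(buf, start):
    """Return the PDF literal string whose '(' is at buf[start], honouring
    nested parentheses and backslash escapes."""
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            nxt = buf[i + 1:i + 2]
            out += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
            out += c
        else:
            out += c
        i += 1
    return bytes(out)


def carve_js_objects(pdf):
    """Yield (object number, script text) for each object carrying JavaScript,
    as an inline /JS (...) literal or via /JS n 0 R to a (possibly deflated) stream."""
    objs = {int(n): body for n, body in OBJ_RE.findall(pdf)}
    for num, body in objs.items():
        if b"/JS" not in body:
            continue
        lit = re.search(rb"/JS\s*\(", body)
        if lit:
            yield num, pdf_literal(body, lit.end() - 1).decode("latin-1")
            continue
        ref = re.search(rb"/JS\s+(\d+)\s+0\s+R", body)
        target = objs.get(int(ref.group(1))) if ref else None
        stream = STREAM_RE.search(target) if target else None
        if not stream:
            continue
        data = stream.group(1)
        if b"/FlateDecode" in target:
            # decompressobj() returns what it can from a truncated stream instead of raising
            data = zlib.decompressobj().decompress(data)
        yield int(ref.group(1)), data.decode("latin-1")


def triage(pdf):
    """Score every carved script. Returns {obj: {"hits": [(token, rule, severity,
    stage), ...], "b64_blobs": n, "decoded": text recovered from unescape()}}."""
    report = {}
    for num, script in carve_js_objects(pdf):
        hits = {t: (t, r, sev, "raw") for t, (r, sev) in RULES.items() if t in script}
        # Emulate only the unescape() step of the unpacker; nothing is executed.
        decoded = "".join(static_unescape(m) for m in UNESCAPE_RE.findall(script))
        for t, (r, sev) in RULES.items():
            if t in decoded and t not in hits:
                hits[t] = (t, r, sev, "after deobfuscation")
        report[num] = {
            "hits": sorted(hits.values()),
            "b64_blobs": len(B64_RE.findall(script)),
            "decoded": decoded,
        }
    return report


def build_sample_pdf():
    """Constructed test document, not the report's sample: /OpenAction points at
    object 4, whose /JS references object 5, a FlateDecode stream. The dangerous
    call is hidden in a %u-encoded string that eval(unescape(...)) would reveal."""
    hidden = "media.newPlayer(null);"
    encoded = "".join(f"%u{ord(c):04X}" for c in hidden)
    js = (f"var p = unescape('{encoded}');\n"
          f"var pad = '{'QUFB' * 20}';  // base64-looking filler blob\n"
          "eval(p);")
    stream = zlib.compress(js.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for num, res in triage(build_sample_pdf()).items():
        print(f"object {num}: {res['b64_blobs']} base64-like blob(s)")
        for tok, rule, sev, stage in res["hits"]:
            print(f"  {sev:8} {rule:15} {tok} ({stage})")
```

Running the script on the constructed PDF reports eval( and unescape( from the raw stream and media.newPlayer only after deobfuscation, mirroring the "identified after JavaScript deobfuscation" note on the critical heuristic. The decoder deliberately stops at unescape(): a sample that builds its payload with String.fromCharCode, array joins or arithmetic needs either a fuller emulation or a real sandbox, and the rule table will only ever see what this static stage recovers.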

Extracted artifacts (6)

Files carved from inside the sample during analysis. Where a ClamAV result is recorded it is clean, so the MALICIOUS verdict rests on the heuristic matches above rather than on an AV signature. Fields per artifact: filename, SHA-256, kind, source, size, detection.

  • javascript_obj111711_000.js
    SHA-256: 43effd10478caef879f0d3b5aa026db75fbeb465b8983e31dc1267155c576621
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111711 at offset 0x18E
    Size: 2566 bytes
    ClamAV: No threats found
    Obfuscation or payload: likely (1 eval/decoder/string-building token, 5 long base64-like blobs)
  • javascript_obj111712_001.js
    SHA-256: 1f71d9e0b2f610c5958dc0aabfeeaddcedd10be56a969ed166cdc62f149a6005
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111712 at offset 0xBCA
    Size: 14904 bytes
    ClamAV: No threats found
    Obfuscation or payload: likely (1 eval/decoder/string-building token, 5 long base64-like blobs)
  • javascript_obj111713_002.js
    SHA-256: 78093acf0ae12b3e519550bdb3e7faf730d9ae8d19870f5bdb5a512cf8f9d40c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111713 at offset 0x4638
    Size: 2381 bytes
    ClamAV: No threats found
    Obfuscation or payload: likely (1 eval/decoder/string-building token, 4 long base64-like blobs)
  • legacy_pdfkit_stage_000.js
    SHA-256: b4db0505387ad754113e3d5926f46348a0c37714878926601c7b0616f8ad98a3
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0xBCA
    Size: 1089 bytes
    ClamAV: No threats found
    Obfuscation or payload: likely (2 eval/decoder/string-building tokens)
  • legacy_pdfkit_stage_001.js
    SHA-256: cd7088aa0ba5ce42db7faac79c4063dccc339c8953139714658e9cb6b07c91fc
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0x4638
    Size: 165 bytes
  • legacy_pdfkit_stage_002.js
    SHA-256: 6832b80d3e245b0b258a7b2a8c3d7a83dd7892d2f040ac93500ef425529bacdf
    Kind: deobfuscated-js
    Source: multi-marker percent-array combined decoded JavaScript at offset 0xBCA
    Size: 1255 bytes
    ClamAV: No threats found
    Obfuscation or payload: likely (2 eval/decoder/string-building tokens)