Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4854798b4b76a53…

Verdict: MALICIOUS
File type: PDF
Size: 787.3 KB
Created: 2010-02-16 17:56:38 UTC
Authoring application: Microsoft Word (via Mac OS X 10.5.8 Quartz PDFContext)
MD5: 13cf8eacd430afbe7d1302d1532bf7d2
SHA-1: 985f8673858582d0ee552b43e692c85c307020b9
SHA-256: f4854798b4b76a53fd20c5e050f38af61efbcfafbe8eeb3856f29972002302a8
Risk score: 84

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains embedded JavaScript and triggers a critical heuristic for CVE-2009-4324, specifically related to the media.newPlayer object. This indicates the document is designed to exploit this vulnerability. The embedded JavaScript, although obfuscated, uses String.fromCharCode, suggesting it's intended to download and execute a second-stage payload. The document body is heavily corrupted and unreadable, providing no further context.

Heuristics (4)

  • media.newPlayer — CVE-2009-4324 (severity: critical; match: exact CVE; rule: CVE_2009_4324)
    PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (severity: low; rule: PDF_FROMCHARCODE)
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.

Extracted artifacts (7)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source and size.

  • icc_00_off000010cc.icc
    SHA-256: 2a18161bb96fd584d19e737ce294732789e0e8e6ae8c8e4e5f09f1b138232a63
    Kind: pdf-icc-profile; Source: PDF ICC profile at offset 0x10CC; Size: 1456 bytes
  • font_00_sfnt_off000b01f9.bin
    SHA-256: 989a095cdc5b608bd58355e60da8ed06dcb8acc8a6bb153b0881a79522f1ce02
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xB01F9; Size: 8748 bytes
  • font_01_sfnt_off000b1dc3.bin
    SHA-256: 7f0979f7a45b506cdf784672fd1fb4f8b98616f6d9252a33d39135ac0484f058
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xB1DC3; Size: 16032 bytes
  • font_02_sfnt_off000b4e02.bin
    SHA-256: 1d03062484afc130d3662a8f75096ad0d78bbaea9b44a1fee68c905e141cba6c
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xB4E02; Size: 25516 bytes
  • font_03_sfnt_off000b9e24.bin
    SHA-256: ff557e4d7e496a5f19fe5004d5ccd9c5c4ac7ef4aa6490d2d4e29aade0b170e7
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xB9E24; Size: 12836 bytes
  • font_04_sfnt_off000bc432.bin
    SHA-256: 5257a7fb9a571e00baba6cd34333361ea0d86e7c6f331d75b78cf58986224383
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xBC432; Size: 14956 bytes
  • font_05_sfnt_off000bf0c1.bin
    SHA-256: 09e8a464d0b7ca7b5a06876048db843d40544daed84a1bca4f31469574c787dc
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xBF0C1; Size: 29420 bytes