Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6bea60cf425e6dc…

Verdict: MALICIOUS
File type: PDF
Size: 2.3 KB
MD5: 34937b2398c1e7c0cef0d1a0b81815ae
SHA-1: 06ee07a956489d0dd5c3e78ac0f2d354e14de1a4
SHA-256: f6bea60cf425e6dc6699a9be7cbdf259ea190003abe152442457daa10e7e1806
Risk Score: 238

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.001 Malicious Link
  • T1204.002 Malicious File

This PDF file contains embedded JavaScript that calls the Collab.getIcon and Collab.collectEmailInfo functions, which are the entry points for CVE-2009-0927 and CVE-2007-5659 respectively. The JavaScript is obfuscated and uses an eval() call, indicating an attempt to hide the code that is actually executed. The primary goal appears to be exploiting these vulnerabilities to achieve arbitrary code execution in the PDF reader.

Heuristics (7)

  • Collab.getIcon — CVE-2009-0927 (severity: critical; category: CVE, exact match; rule: CVE_2009_0927)
    PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument; it allows arbitrary code execution. (matched in decompressed stream)
  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; category: CVE, exact match; rule: CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(); it is one of a series of Acrobat JavaScript API exploits. (matched in decompressed stream)
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • eval() call (severity: high; rule: PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution. (matched inside decoded stream)
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0004_000.js
SHA-256: e920b918931a1cd8f8df3bdb366eebb29d6b131226053e6f4d697a3c1840adcc
Kind: pdf-javascript-stream
Source: PDF /JS object 4 at offset 0x249
Size: 6787 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))