PDF malware analysis — malicious · f971b8efe85d1065

MALICIOUS

PDF

23.7 KB

MD5: 5cfb6ef74ebe910fc21cf44a1f7aae6c SHA-1: 0fd97033e1418db961604819c3c9ddb41e1f8a7a SHA-256: f971b8efe85d106552f06b6c1026a0995f6cd5c2cbd94f7ea299929f103011a8

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link

The PDF file contains embedded JavaScript that utilizes the `eval()` and `unescape()` functions, indicating an attempt to obfuscate malicious code. The critical heuristic firing for CVE-2008-2992, specifically mentioning `util.printf` and a multi-marker percent-array decoded JavaScript, strongly suggests exploitation of this known vulnerability. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, as evidenced by the deobfuscated JavaScript files found.

Heuristics 5

util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `d7382b63273e16473522ed4e1061a7e8f77aa933966216d3a7d282801739ff83`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	3872 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111712_001.js` `532a02cdbcf35ed817da0a78fc5e1f4b12929e64a60f0045bdcd8236341526b4`	pdf-javascript-stream	PDF /JS object 111712 at offset 0x10E4	15318 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111713_002.js` `0bc137eaed8e7d5766df87cd1b4f7f37ec6d28f012f94cab4c055d080b0cf146`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x4CF0	4508 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `a63d87f2b143513c65d1743d1dc1458eace0797e16ff17319fa0a362817b3dff`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x10E4	1413 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `df2e8f38acbcede11c3621c62802a425613ee3b105933e1debbf6452a55bb89f`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x4CF0	384 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
`legacy_pdfkit_stage_002.js` `e42faf3606a0d3454d80994c4a46a3b6a07cab28bb78c6ecc51f39df29e15a2a`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0x10E4	1798 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.