Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9e35c9e5489d83c…

MALICIOUS

PDF

26.9 KB Created: 2008-03-27 16:33:33 +08:00 Authoring application: Acrobat PDFMaker 6.0 for Word (via Acrobat Distiller 6.0 (Windows))
MD5: 05e041c41da33016625c2f8b7d1ea34c SHA-1: 50ce196e9d9ffdc307e47cc57f1c02aa4e97c551 SHA-256: f9e35c9e5489d83c8d4307b291482acfa4460170188d1e8e577e1df5bdf7ca10
134 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains embedded JavaScript that utilizes the 'Collab.collectEmailInfo' method, which is a known vulnerability (CVE-2007-5659). This exploit is designed to collect email information from the user. The presence of JavaScript actions and an unescape call further supports the exploitation of this vulnerability. No specific malware family could be identified.

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0032_000.js
aff48fd7782e22df0361126f2d6b900d33615765b642ef927ade5318c69493a2		 pdf-javascript-stream PDF /JS object 32 at offset 0x14F4 4478 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 16 eval/decoder/string-building token(s).
stream_005_off000020bb.bin
c9befcefdb105dad314ee2b2383edde5a278aafa828c32b7a1013150cf3dd8ec		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x20BB 20634 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.