PDF malware analysis — malicious · fa0e2f40ceca2e5a

MALICIOUS

PDF

18.8 KB

MD5: 71becef432822d3be8ff27d375326a90 SHA-1: f2166b53302669d72c5457a4456309c6baad6bd3 SHA-256: fa0e2f40ceca2e5a5dd8b143d9b3bc2e46559d907854c1075a56b5db26d4e878

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link

The PDF file contains obfuscated JavaScript that leverages the `eval()` and `unescape()` functions, a common technique for hiding malicious code. The critical heuristic firing for CVE-2009-4324 indicates the exploitation of a known vulnerability in Adobe Reader via the `media.newPlayer` object. The embedded JavaScript streams, particularly the deobfuscated `legacy_pdfkit_stage_000.js` and `legacy_pdfkit_stage_002.js`, confirm the use of `eval()` and `unescape()` to construct and execute further code, likely to download and run a secondary payload. The attack pattern is consistent with exploiting PDF reader vulnerabilities to achieve arbitrary code execution.

Heuristics 5

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `0b62cff60dfc662f1033049d34237bd65e20b50872500f8f6835db7e2643bb2a`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	2868 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
`javascript_obj111712_001.js` `d945e219d7acefde1a104e08b965aea4558f47a5b393a299a9ab5715801da58d`	pdf-javascript-stream	PDF /JS object 111712 at offset 0xCF8	13545 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
`javascript_obj111713_002.js` `f61b6ba3499d200060a0c41e1fce1cf2d0a9d7cf29bbd1e563180d1b3298a141`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x4217	2203 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `4660f5b805aa7e189066b22c8c1a8ee1a3b032fc18950defabe0928e52f9525c`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0xCF8	1083 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `5091795dc7dfd1e269d30a5ab394f1536cab6157b0cb74b7e26a9fdc9129a46f`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x4217	165 bytes
`legacy_pdfkit_stage_002.js` `890aed34847f1212355568f99b7ae0ae1d2ee13f9ae521a2ff77d0a4ca55c3ad`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0xCF8	1249 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.