Malicious PDF — malware analysis report

Static analysis result for SHA-256 fad74beddc2c7e33…

MALICIOUS

PDF

45.8 KB
MD5: 4ec44e87e14194fce7c340e006654789 SHA-1: 52ba43995fb80a457feaf8123dbf6ac2964eaf27 SHA-256: fad74beddc2c7e33bc4c35b33dc3a3770968e0205ab2db9bae19edec40693386
136 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell T1204.002 Malicious File Execution: Malicious JavaScript

The PDF file contains embedded JavaScript that exploits CVE-2009-0927 using the Collab.getIcon method. The JavaScript is obfuscated and decodes multiple layers, ultimately executing an exploit stage. This indicates the file is designed to compromise the user's system by leveraging a known vulnerability in Adobe Reader.

Heuristics 5

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
9dd7061bce5052c8852ecf10d6c4654f2fd55760ca87be6eb642e0379d6e95b7		 pdf-javascript-stream PDF /JS object 8 at offset 0x1D3 9215 bytes
custom_b64_stage_000.js
7bc8be0c1df04760f9fdd994eeca94476d67aa0ee6d4a24331790e555ac991fa		 deobfuscated-js custom Base64 decoded JavaScript layer 2 (PDF /JS object 8) at offset 0x8A7 1517 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.