Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb55072c314114ff…

MALICIOUS

PDF

Size: 48.4 KB
Created: 2009-07-08 10:53:46 +08:00
Authoring application: Acrobat Distiller 7.0 (Windows)
MD5: 890a8178b41d61f38a8d26ad099741c4
SHA-1: 60308de31b99545d173f5111c988b4c8c257627e
SHA-256: fb55072c314114ff855f1656775188bb56e1aa9be8ef1cafa633adcd0002a400
Risk Score: 76

Malware Insights

MITRE ATT&CK
  • T1059.001 JavaScript
  • T1204.001 Malicious Link or Trusted Form

The PDF file contains embedded JavaScript that leverages the CVE-2009-4324 vulnerability, specifically targeting the media.newPlayer functionality. This exploit is designed to execute arbitrary code, which is a common technique for downloading and executing further malicious payloads. The presence of JavaScript actions and embedded JS streams strongly indicates an attempt to compromise the user's system through this known PDF vulnerability.

Heuristics (4)

  • media.newPlayer — CVE-2009-4324 (severity: critical; tag: CVE exact; rule: CVE_2009_4324)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: javascript_obj0017_000.js
  SHA-256: 3238ab43d64be757f86271f073632d6616e7da29a9a1d53b880c68b34a7f9c55
  Kind: pdf-javascript-stream
  Source: PDF /JS object 17 at offset 0x4DA
  Size: 3010 bytes

Artifact 2
  Filename: js_property_alias_stage_000.js
  SHA-256: d375791f9ac52f9cb6f56a475cfd7a26b71c2d487e246cdeb22c4d25d56e80f0
  Kind: deobfuscated-js
  Source: JavaScript hex-escape property alias normalized stage at offset 0x4DA
  Size: 2833 bytes