PDFExaminer


Recent PDF malware detections. This list is delayed 2 weeks.

MD5  filename  size  severity  js  flash  embed  encrypt
cb1ebfb765a792bcad5f48087ac45f87 view report 59e82804eac6da76211ef611df007b7b7d2be00c8c835bce112f9f539385d451:secure.pdf: 3120830 7 J   P  
292.0@2483249: suspicious.pdf embedded PDF file
292.0@2483249: suspicious.warning: object contains embedded PDF
293.0@3119188: suspicious.warning: object contains JavaScript
294.0@3119309: pdf.exploit execute EXE file
294.0@3119309: pdf.exploit access system32 directory
294.0@3119309: pdf.exploit execute action command
294.0@3119309: pdf.execute exe file
294.0@3119309: pdf.execute access system32 directory
876d1b09e859f57c8577d514d318fa83 view report 7da6a5bd77262e06e71973ddfc6175925f577380827eba010e3b7715ac7afbe7:aaa03400: 6630 99 J      
9.0@660: suspicious.obfuscation using unescape
9.0@660: suspicious.string nopblock
9.0@660: suspicious.obfuscation using eval
9.0@660: suspicious.obfuscation using String.fromCharCode
9.0@660: suspicious.string shellcode
9.0@660: pdf.suspicious util.printd used to fill buffers
9.0@660: pdf.exploit media.newPlayer CVE-2009-4324
9.0@660: suspicious.warning: object contains JavaScript
f252d63c9b5faa4ea9edb6702dc342ec view report e4138b64dd0868a97ae06d2eb2eed692fdf8d4da97eea2f86a9398c37786dfcf:/home/cuckoo/Code/activeDefender/activeDefender/data/generated_malicious_pdfs_batch_4/downloader_9c973cdf6db41f0d24e1d36726268d46a6201eff_variant_65650.pdf: 533346 83 J      
280.0@515174: suspicious.obfuscation using unescape
280.0@515174: suspicious.obfuscation toString
280.0@515174: suspicious.obfuscation using String.replace
280.0@515174: suspicious.obfuscation using substring
280.0@515174: suspicious.string Shellcode NOP sled
280.0@515174: suspicious.obfuscation using app.setTimeOut to eval code
280.0@515174: pdf.exploit Collab.getIcon CVE-2009-0927
280.0@515174: pdf.exploit util.printf CVE-2008-2992
280.0@515174: suspicious.warning: object contains JavaScript
0cfc35467806746232208efd1a71d8f9 view report 51a4c802a8aa0577dfcb4f2c9eba950de7d6c0dcffe02d8c96da694bf74be570:/home/cuckoo/Code/activeDefender/activeDefender/data/generated_malicious_pdfs_batch_2/downloader_070a193a234527b779490c7bfbca2048d407a4f9_variant_60930.pdf: 9640 28 J      
7.0@438: suspicious.obfuscation using charCodeAt
7.0@438: suspicious.obfuscation using eval
7.0@438: suspicious.obfuscation toString
7.0@438: suspicious.obfuscation using substr
7.0@438: suspicious.obfuscation using String.fromCharCode
8.0@9096: suspicious.obfuscation using unescape
8.0@9096: suspicious.obfuscation using String.replace
8.0@9096: suspicious.obfuscation getAnnots access blocks
8.0@9096: suspicious.warning: object contains JavaScript
6c219a84fb03297f32be3d46c052dbbc view report 8bb7b5e7996ef21cc411c6a40a6d7479038dfc61c5508e6f344fd0c041e4c752:/home/cuckoo/Code/activeDefender/activeDefender/data/generated_malicious_pdfs_batch_4/downloader_bb8cfc5a48603a98a4157ebe05f7683ad3949542_variant_65650.pdf: 533092 83 J      
280.0@514920: suspicious.obfuscation using unescape
280.0@514920: suspicious.obfuscation toString
280.0@514920: suspicious.obfuscation using String.replace
280.0@514920: suspicious.obfuscation using substring
280.0@514920: suspicious.string Shellcode NOP sled
280.0@514920: suspicious.obfuscation using app.setTimeOut to eval code
280.0@514920: pdf.exploit Collab.getIcon CVE-2009-0927
280.0@514920: pdf.exploit util.printf CVE-2008-2992
280.0@514920: suspicious.warning: object contains JavaScript
094fc6e2a73f0d4f2dc662f469624ffb view report b3450a6602cd17812305b9c497fa1343937580c81eaa941491bc0fe22634b213:/home/cuckoo/Code/activeDefender/activeDefender/data/generated_malicious_pdfs_batch_4/downloader_0d39d094ac42c91504182b36c0df1b01941731ba_variant_65650.pdf: 23219 83 J      
17.0@10311: suspicious.obfuscation using unescape
17.0@10311: suspicious.obfuscation toString
17.0@10311: suspicious.obfuscation using String.replace
17.0@10311: suspicious.obfuscation using substring
17.0@10311: suspicious.string Shellcode NOP sled
17.0@10311: suspicious.obfuscation using app.setTimeOut to eval code
17.0@10311: pdf.exploit Collab.getIcon CVE-2009-0927
17.0@10311: pdf.exploit util.printf CVE-2008-2992
17.0@10311: suspicious.warning: object contains JavaScript
884450099f09e6fbb64a0491b1223411 view report 61e4cceeb03c0fa9f3191168e4f2646e47e2ede05d2a041c46bd05e39617956f:/home/cuckoo/Code/activeDefender/activeDefender/data/generated_malicious_pdfs_batch_4/downloader_0a78d64d9b9ece970dacd95b9624a327ff4b052d_variant_65650.pdf: 533286 83 J      
280.0@515114: suspicious.obfuscation using unescape
280.0@515114: suspicious.obfuscation toString
280.0@515114: suspicious.obfuscation using String.replace
280.0@515114: suspicious.obfuscation using substring
280.0@515114: suspicious.string Shellcode NOP sled
280.0@515114: suspicious.obfuscation using app.setTimeOut to eval code
280.0@515114: pdf.exploit Collab.getIcon CVE-2009-0927
280.0@515114: pdf.exploit util.printf CVE-2008-2992
280.0@515114: suspicious.warning: object contains JavaScript
238499ff0c071c72591d42018a086019 view report f4a170025b9afc12f752d220cc9245dbcb6e43ad80b5c3ad2c16def5e0ed456b:f2286d1cecf77b188470f9bdd50fdeca32ad4cd8: 329168 1 J      
3.0@139: suspicious.warning: object contains JavaScript
d2403a1491a3530f738a5884309a9110 view report 1ae8885f3db57f967fb5cb8cf81f6630ce8b043dd36833cd3c95f461cbaefecf:d2403a1491a3530f738a5884309a9110: 13408 14 J      
8.0@283: suspicious.javascript in XFA block
8.0@283: suspicious.obfuscation using substr
8.0@283: suspicious.warning: object contains JavaScript
22.0@13055: suspicious.javascript object
17.0@13102: suspicious.warning: object contains JavaScript
42c33ee48799cb00f768ece823f8c7d3 view report 52bdf754ae1c8859c4d5b524c64adb7a2e82e9cfa4e4fec9c5666bbc7f0d3334:/home/cuckoo/Code/activeDefender/activeDefender/data/generated_malicious_pdfs_batch_4/downloader_796502d78b0d2d40f32384628851fa21774a14c2_variant_65650.pdf: 533189 83 J      
279.0@515037: suspicious.obfuscation using unescape
279.0@515037: suspicious.obfuscation toString
279.0@515037: suspicious.obfuscation using String.replace
279.0@515037: suspicious.obfuscation using substring
279.0@515037: suspicious.string Shellcode NOP sled
279.0@515037: suspicious.obfuscation using app.setTimeOut to eval code
279.0@515037: pdf.exploit Collab.getIcon CVE-2009-0927
279.0@515037: pdf.exploit util.printf CVE-2008-2992
279.0@515037: suspicious.warning: object contains JavaScript
c55034f06ea2b9e8362fc3abaa7fa50d view report ad6cec5b052adc5db046f96185ab6010fad2f143054e1a4e9a950320b6e15b86:FIRMATO_Autodichiarazione_Produttore_Allegato3.pdf: 295031 231 J      
226.0@6906: suspicious.javascript object
227.0@6952: suspicious.javascript object
228.0@6998: suspicious.javascript object
229.0@7044: suspicious.javascript object
230.0@7090: suspicious.javascript object
231.0@7136: suspicious.javascript object
232.0@7182: suspicious.javascript object
233.0@7228: suspicious.obfuscation using substr
233.0@7228: suspicious.warning: object contains JavaScript
234.0@7578: suspicious.warning: object contains JavaScript
235.0@7919: suspicious.obfuscation using substr
235.0@7919: suspicious.warning: object contains JavaScript
236.0@8321: suspicious.obfuscation using charCodeAt
236.0@8321: suspicious.obfuscation toString
236.0@8321: suspicious.obfuscation using substr
236.0@8321: suspicious.warning: object contains JavaScript
237.0@10066: suspicious.obfuscation using substr
237.0@10066: suspicious.warning: object contains JavaScript
238.0@10419: suspicious.obfuscation using charCodeAt
238.0@10419: suspicious.warning: object contains JavaScript
239.0@10934: suspicious.warning: object contains JavaScript
317.0@59989: suspicious.warning: object contains JavaScript
318.0@60179: suspicious.warning: object contains JavaScript
319.0@60369: suspicious.warning: object contains JavaScript
320.0@60559: suspicious.warning: object contains JavaScript
321.0@60749: suspicious.javascript object
322.0@60795: suspicious.javascript object
323.0@60841: suspicious.obfuscation using substr
323.0@60841: suspicious.warning: object contains JavaScript
324.0@61095: suspicious.obfuscation using substr
324.0@61095: suspicious.warning: object contains JavaScript
325.0@61349: suspicious.javascript object
326.0@61395: suspicious.javascript object
327.0@61441: suspicious.obfuscation using substr
327.0@61441: suspicious.warning: object contains JavaScript
328.0@61841: suspicious.obfuscation using substr
328.0@61841: suspicious.warning: object contains JavaScript
329.0@62241: suspicious.javascript object
330.0@62287: suspicious.javascript object
331.0@62333: suspicious.warning: object contains JavaScript
332.0@62609: suspicious.warning: object contains JavaScript
333.0@62885: suspicious.warning: object contains JavaScript
334.0@63191: suspicious.warning: object contains JavaScript
335.0@63497: suspicious.warning: object contains JavaScript
336.0@63785: suspicious.warning: object contains JavaScript
337.0@64073: suspicious.javascript object
338.0@64119: suspicious.javascript object
339.0@64165: suspicious.warning: object contains JavaScript
340.0@64424: suspicious.warning: object contains JavaScript
341.0@64683: suspicious.javascript object
342.0@64729: suspicious.javascript object
343.0@64775: suspicious.warning: object contains JavaScript
344.0@65106: suspicious.warning: object contains JavaScript
345.0@65437: suspicious.javascript object
346.0@65483: suspicious.javascript object
347.0@65529: suspicious.obfuscation using substr
347.0@65529: suspicious.warning: object contains JavaScript
348.0@65827: suspicious.obfuscation using substr
348.0@65827: suspicious.warning: object contains JavaScript
349.0@66125: suspicious.javascript object
350.0@66171: suspicious.javascript object
351.0@66217: suspicious.obfuscation using substr
351.0@66217: suspicious.warning: object contains JavaScript
352.0@66460: suspicious.obfuscation using substr
352.0@66460: suspicious.warning: object contains JavaScript
353.0@66703: suspicious.javascript object
354.0@66749: suspicious.javascript object
355.0@66795: suspicious.warning: object contains JavaScript
356.0@67055: suspicious.warning: object contains JavaScript
357.0@67315: suspicious.warning: object contains JavaScript
358.0@67593: suspicious.warning: object contains JavaScript
359.0@67871: suspicious.javascript object
360.0@67917: suspicious.javascript object
361.0@67963: suspicious.obfuscation using substr
361.0@67963: suspicious.warning: object contains JavaScript
362.0@68262: suspicious.obfuscation using substr
362.0@68262: suspicious.warning: object contains JavaScript
363.0@68561: suspicious.javascript object
364.0@68607: suspicious.javascript object
365.0@68653: suspicious.obfuscation using substr
365.0@68653: suspicious.warning: object contains JavaScript
366.0@68952: suspicious.obfuscation using substr
366.0@68952: suspicious.warning: object contains JavaScript
367.0@69251: suspicious.javascript object
368.0@69297: suspicious.javascript object
369.0@69343: suspicious.obfuscation using substr
369.0@69343: suspicious.warning: object contains JavaScript
370.0@69642: suspicious.obfuscation using substr
370.0@69642: suspicious.warning: object contains JavaScript
371.0@69941: suspicious.warning: object contains JavaScript
372.0@70229: suspicious.warning: object contains JavaScript
373.0@70517: suspicious.javascript object
374.0@70563: suspicious.javascript object
375.0@70609: suspicious.warning: object contains JavaScript
376.0@70868: suspicious.warning: object contains JavaScript
377.0@71127: suspicious.javascript object
378.0@71173: suspicious.javascript object
379.0@71219: suspicious.warning: object contains JavaScript
380.0@71549: suspicious.warning: object contains JavaScript
381.0@71879: suspicious.javascript object
382.0@71925: suspicious.javascript object
383.0@71971: suspicious.obfuscation using substr
383.0@71971: suspicious.warning: object contains JavaScript
384.0@72269: suspicious.obfuscation using substr
384.0@72269: suspicious.warning: object contains JavaScript
385.0@72567: suspicious.javascript object
386.0@72613: suspicious.javascript object
387.0@72659: suspicious.obfuscation using substr
387.0@72659: suspicious.warning: object contains JavaScript
388.0@72902: suspicious.obfuscation using substr
388.0@72902: suspicious.warning: object contains JavaScript
389.0@73145: suspicious.javascript object
390.0@73191: suspicious.javascript object
391.0@73237: suspicious.warning: object contains JavaScript
392.0@73497: suspicious.warning: object contains JavaScript
393.0@73757: suspicious.warning: object contains JavaScript
394.0@74035: suspicious.warning: object contains JavaScript
395.0@74313: suspicious.javascript object
396.0@74359: suspicious.javascript object
397.0@74405: suspicious.obfuscation using substr
397.0@74405: suspicious.warning: object contains JavaScript
398.0@74704: suspicious.obfuscation using substr
398.0@74704: suspicious.warning: object contains JavaScript
399.0@75003: suspicious.warning: object contains JavaScript
400.0@75181: suspicious.warning: object contains JavaScript
401.0@75359: suspicious.javascript object
402.0@75405: suspicious.javascript object
403.0@75451: suspicious.obfuscation using substr
403.0@75451: suspicious.warning: object contains JavaScript
404.0@75750: suspicious.obfuscation using substr
404.0@75750: suspicious.warning: object contains JavaScript
405.0@76049: suspicious.javascript object
406.0@76095: suspicious.javascript object
407.0@76141: suspicious.obfuscation using substr
407.0@76141: suspicious.warning: object contains JavaScript
408.0@76440: suspicious.obfuscation using substr
408.0@76440: suspicious.warning: object contains JavaScript
409.0@76739: suspicious.javascript object
410.0@76785: suspicious.javascript object
411.0@76831: suspicious.obfuscation using substr
411.0@76831: suspicious.warning: object contains JavaScript
412.0@77128: suspicious.obfuscation using substr
412.0@77128: suspicious.warning: object contains JavaScript
413.0@77425: suspicious.warning: object contains JavaScript
414.0@77731: suspicious.warning: object contains JavaScript
415.0@78037: suspicious.javascript object
416.0@78083: suspicious.javascript object
417.0@78129: suspicious.obfuscation using substr
417.0@78129: suspicious.warning: object contains JavaScript
418.0@78425: suspicious.obfuscation using substr
418.0@78425: suspicious.warning: object contains JavaScript
419.0@78721: suspicious.javascript object
420.0@78767: suspicious.javascript object
421.0@78813: suspicious.obfuscation using substr
421.0@78813: suspicious.warning: object contains JavaScript
422.0@79109: suspicious.obfuscation using substr
422.0@79109: suspicious.warning: object contains JavaScript
ba6b98a1d45f57b613e1e6f24656722b view report 34ef4dbd95e6324c3c369529b450992ce7a0ed6d5e37ba1f5f0c19e4fced9768:/home/cuckoo/Code/activeDefender/activeDefender/data/generated_malicious_pdfs_batch_4/downloader_759b3c10b53b70d5f1bbd5db64ba384020149bfa_variant_65650.pdf: 533291 83 J      
280.0@515119: suspicious.obfuscation using unescape
280.0@515119: suspicious.obfuscation toString
280.0@515119: suspicious.obfuscation using String.replace
280.0@515119: suspicious.obfuscation using substring
280.0@515119: suspicious.string Shellcode NOP sled
280.0@515119: suspicious.obfuscation using app.setTimeOut to eval code
280.0@515119: pdf.exploit Collab.getIcon CVE-2009-0927
280.0@515119: pdf.exploit util.printf CVE-2008-2992
280.0@515119: suspicious.warning: object contains JavaScript
a03871d80cc30a917006636ed99a30fe view report 125c127fb084e10bfe03e8ca75595b4e60ba22b87ac9fa22c24485d68ba50b25:a8c10e81ef7e3d23199e1905d4d8b434cf5ecae6: 314402 1 J      
3.0@200: suspicious.warning: object contains JavaScript
7d113cf4026bdffd79b9d57fdd7534d3 view report deb6add48f4905d7f59bbfd27f0db3bdd638bfffdbea3b8dd13bcd42b3d14ced:shipment_Bill_Copy.pdf: 206708 1        
3.0@9: suspicious.embedded external content
26e13f1bb3d58ddf6d6bcc322c9afd01 view report 7115a3753b6aa63c903ac4c042794b7557de337eea4104a04541768cc239d642:/home/cuckoo/Code/activeDefender/activeDefender/data/generated_malicious_pdfs_batch_2/downloader_05f6644b44d867d211a5e6fe2c5d875874e17d93_variant_60930.pdf: 9640 28 J      
7.0@438: suspicious.obfuscation using charCodeAt
7.0@438: suspicious.obfuscation using eval
7.0@438: suspicious.obfuscation toString
7.0@438: suspicious.obfuscation using substr
7.0@438: suspicious.obfuscation using String.fromCharCode
8.0@9096: suspicious.obfuscation using unescape
8.0@9096: suspicious.obfuscation using String.replace
8.0@9096: suspicious.obfuscation getAnnots access blocks
8.0@9096: suspicious.warning: object contains JavaScript