Malicious PDF — malware analysis report

Static analysis result for SHA-256 00f3f59c2135429f…

MALICIOUS

PDF

180.5 KB
MD5: 116a82a8f317236012778cf0a2c2ce6d SHA-1: 17cf8e98ebea8ca15a25cf30818af9e7a2b31595 SHA-256: 00f3f59c2135429f11fa0ecadf30493c1f5a70f9c905689ff8efffbeeaa0f84f
312 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell T1059.007 JavaScript

The sample is a PDF file that leverages multiple critical vulnerabilities, CVE-2009-4324 and CVE-2007-5659, to execute embedded JavaScript. The JavaScript code is heavily obfuscated but appears to be designed to download and execute a secondary payload. ClamAV detections on the file and extracted artifacts further confirm its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • ClamAV: Pdf.Exploit.Agent-36114 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36114
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.freecause.com/images/white1_1.png
    • http://www.airmilesshops.ca/servlet/ContentServer?pagename=airmilesshops/Home&amp;PreferLang=E&amp;RefererPage=AM_BRICK_HOME_DEFAULT
    • http://images.tsn.ca/images/silver/yourcall/tool_tip_right.png
    • http://images.tsn.ca/images/silver/yourcall/headers/its_your_call-435x100.gif
    • http://images.tsn.ca/images/silver/yourcall/headers/top_users-435x100.gif
    • http://images.tsn.ca/images/silver/common/icons/px.gif
    • http://www.w3.org/tr/xhtml1/DTD/xhtml1-transitional.dtd
    • http://www.adobe.com/go/getflashplayer
    • http://community.airmiles.ca/en/
    • https://www.airmiles.ca/arrow/CouponsBonusOffers?sortOption=-startDate
    • http://community.airmiles.ca/en/discussion_detail/?contentid=7716973975507766621
    • http://images.tsn.ca/images/silver/yourcall/tool_tip_right.png);background-repeat:no-repeat;width:142px;height:36px;padding-top:6px;text-align:center;color:#6a7073;font-size:.9em;}#tsnYourCallStory
    • http://images.tsn.ca/images/silver/yourcall/headers/its_your_call-435x100.gif);background-repeat:no-repeat;padding-left:5px;margin-right:-5px;}#tsnYourCallUsers{background-image:url(http://images.tsn.ca/images/silver/yourcall/headers/top_users-435x100.gif);background-repeat:no-repeat;margin-right:-5px;margin-left:-5px;}#tsnYourCallBrick
    • http://images.tsn.ca/images/silver/common/icons/px.gif);}#tsnYourCallBrick
    • http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBIRLoqU0TKDqKMn2lQejzfHEBq-Hg9YBn8vFwxvDrIGmGgAQARgBIPiV9AE4AFD1svuVBmD9oJmB6AOgAdnZpucDsgEUd3d3LnBsZW50eW9mZmlzaC5jb226AQk3Mjh4OTBfYXPIAQLaAVNodHRwOi8vd3d3LnBsZW50eW9mZmlzaC5jb20vaGlzdG9yeS5hc3B4P1NJRD1sNGdwbnFiMWU1eWQ1cDFjNGQxYnVjYXMmR3VpZD0yMTU0MTQ1NYACAZgCjgLAAgXIAu3C0RDgAgDqAhJoaXN0b3J5X3RvcF83Mjh4OTCQA-ADmAOsAqgDAcADDcgDBegDZvUDAECAxOAEAQ&num=1&sig=AGiWqtx3P6-GRWz2P6x78Ji-Mqc2c7qF0A&client=ca-pub-3876727481877168&adurl=http://altfarm.mediaplex.com/ad/ck/5152-94491-2056-20%3Fmpro%3Dhttp://www.kijiji.ca
    • http://pagead2.googlesyndication.com/pagead/imgad?id=CKSop6yQt_7SzQEQ2AUYTzIIZmn5EyFjiWI
    • http://www.google.com/url?ct=abg&amp;q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://www.plentyoffish.com/history.aspx%253FSID%253Dl4gpnqb1e5yd5p1c4d1bucas%2526Guid%253D21541455%26hl%3Den%26client%3Dca-pub-3876727481877168%26adU%3Dkijiji.ca%26adT%3DImageAd%26gl%3DCA&amp;usg=AFQjCNFqUmCqVlV-z0MCmNmbST6jyOBHTg
    • http://images.tsn.ca/images/silver/yourcall/tool_tip_right.png);background-repeat:no-repeat;width:142px;height:36px;padding-top:6px;text-align:center;color:#6a7073;font-size:.9em
    • http://images.tsn.ca/images/silver/yourcall/headers/its_your_call-435x100.gif);background-repeat:no-repeat;padding-left:5px;margin-right:-5px
    • http://images.tsn.ca/images/silver/yourcall/headers/top_users-435x100.gif);background-repeat:no-repeat;margin-right:-5px;margin-left:-5px
    • http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBIRLo%U0TKD%KMn2lQejzfHEB%-Hg9YBn8vFwxvDrIGmGgAQARgBIPiV9AE4AFD1svuVBmD9oJmB6AOgAdnZpucDsgEUd3d3LnBsZW50eW9mZmlzaC5jb226AQk3Mjh4OTBfYXPIAQLaAVNodHRwOi8vd3d3LnBsZW50eW9mZmlzaC5jb20vaGlzdG9yeS5hc3B4P1NJRD1sNGdwbnFiMWU1eWQ1cDFjNGQxYnVjYXMmR3VpZD0yMTU0MTQ1NYACAZgCjgLAAgXIAu3C0RDgAgD%AhJoaXN0b3J5X3RvcF83Mjh4OTCQA-ADmAOsA%gDAcADDcgDBegDZvUDAECAxOAEAQ&num=1&sig=AGiW%tx3P6-GRWz2P6x78Ji-M
    • http://altfarm.mediaplex.com/ad/ck/5152-94491-2056-20?mpro=http://www.kijiji.ca
    • http://www.google.com/url?ct=abg&amp;%=https://www.google.com/adsense/support/bin/re%uest.py?contact=abg_afc&url=http://www.plentyoffish.com/history.aspx?SID=l4gpn
    • http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBIRLo%U0TKD%KMn2lQejzfHEB%-Hg9YBn8vFwxvDrIGmGgAQARgBIPiV9AE4AFD1svuVBmD9oJmB6AOgAdnZpucDsgEUd3d3LnBsZW50eW9mZmlzaC5jb226AQk3Mjh4OTBfYXPIAQLaAVNodHRwOi8vd3d3LnBsZW50eW9mZmlzaC5jb20vaGlzdG9yeS5hc3B4P1NJRD1sNGdwbnFiMWU1eWQ1cDFjNGQxYnVjYXMmR3VpZD0yMTU0MTQ1NYACAZgCjgLAAgXIAu3C0RDgAgD%AhJoaXN0b3J5X3RvcF83Mjh4OTCQA-ADmAOsA%gDAcADDcgDBegDZvUDAECAxOAEAQ&num=1&sig=AGiW%tx3P6-GRWz2P6x78Ji-M�c7�A&client=ca-pub-3876727481877168&adurl=http://altfarm.mediaplex.com/ad/ck/5152-94491-2056-20?mpro=http://www.kijiji.ca
    • http://www.google.com/url?ct=abg&amp;%=https://www.google.com/adsense/support/bin/re%uest.py?contact=abg_afc&url=http://www.plentyoffish.com/history.aspx?SID=l4gpn�e5yd5p1c4d1bucas&Guid=21541455&hl=en&client=ca-pub-3876727481877168&adU=kijiji.ca&adT=ImageAd&gl=CA&amp;usg=AFQjCNF%UmC%VlV-z0MCmNmbST6jyOBHTg

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
4bcb228b2aa71a5c7a68b75653d94c427c704ba8da6c821d6848406201028b0f		 pdf-javascript-stream PDF /JS object 8 at offset 0x1E7 2687 bytes
Detection
ClamAV: Pdf.Exploit.Agent-36307
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
javascript_obj0008_001.js
df95dac246a76fdafb8b538f385180181fac8a7c77e9cf86eaa9a22aa6488b78		 pdf-javascript-stream PDF /JS object 8 at offset 0x209 184265 bytes
Detection
ClamAV: Pdf.Exploit.Agent-36307
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).
embedded_pdf_script_000020a6.bin
b388a25dfed05daf230c258c259a95d84925c69844f23d57b4b548a014ef0464		 pdf-embedded-script PDF raw stream script payload at offset 0x20A6 181269 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 long base64-like blob(s).
legacy_pdfkit_stage_000.js
fba885ad6b7dd6eec7906518303d1e4dd7b0e4032c6a7cd96ea9addd95c79da2		 deobfuscated-js repeated-marker hex decoded JavaScript at offset 0xC9A 549 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
legacy_pdfkit_stage_001.js
4344a092251aa6f08e556862721780bee68cffee3f34ba80a30c3c5b8994dddd		 deobfuscated-js double percent-decoded annotation JavaScript at offset 0xC9A 137039 bytes
Detection
ClamAV: Html.Trojan.Shellcode-19
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
legacy_pdfkit_stage_002.js
42025b552c7960b53abcd8cd732b01c8d109eccfdfefc352b9826c4d5807d414		 deobfuscated-js cross-stage annotation API aliases at offset 0x1E7 81 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.