PDF malware analysis — malicious · 09f0af9ab0e0e57e

MALICIOUS

PDF

44.8 KB

MD5: e32797e84213a1517978aac2f22b0f27 SHA-1: 9d1822fb1c1ce7fbb7ea95fad502a3061eb1f73e SHA-256: 09f0af9ab0e0e57ed04d4fdbde57e9dece64aa76116dec6bc5f7b1566d05a858

336 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains JavaScript that exploits CVE-2010-2883 (Adobe Reader CoolType SING font exploit) and other PDF JavaScript exploit clusters. The embedded JavaScript is designed to download a second-stage payload from the URL http://lokose.com/tre/vena.asp/yHa422950aV03f01036002R747008b510aTe89b4c4dQ00000000900801F00000000J00000000l080aKaf908f61327. This indicates a clear intent to exploit a vulnerability for initial execution and download further malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 10

Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883

PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL

Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://lokose.com/tre/vena.asp/yHa422950aV03f01036002R747008b510aTe89b4c4dQ00000000900801F00000000J00000000l080aKaf908f61327
- http://www.bitstream.com
- http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 9

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0012_000.js` `18909f5794ae70b260af1ed047c12f875c1fa4e806ceb44e1bbca53dbde07f99`	pdf-javascript-stream	PDF /JS object 12 at offset 0xA0BA	3796 bytes
`javascript_obj0012_001.js` `0ada5db2876b5394842a9c4cf1ad3626a1f6c775b92c501eba34446eca036a08`	pdf-javascript-stream	PDF /JS object 12 at offset 0xA100	4682 bytes
`generic_stage_recovery_000.js` `519317489fda04a1e95683ac3c6e9dee691e6e194b63c963830bda6260426e48`	deobfuscated-js	generic stage recovery split-literal-normalize from JavaScript object 12 at offset 0xA0BA	3746 bytes
`generic_stage_recovery_001.js` `745c44afa7e228f25277e38f9a3777af8efe5feece42ca188712f65872f3aa42`	deobfuscated-js	generic stage recovery split-literal-normalize from JavaScript object 12 at offset 0xA100	4632 bytes
`generic_stage_recovery_002.js` `ff24774b18ce7cc953ab3a008012b7da4c265033422046cd00e2a9239e854300`	deobfuscated-js	generic stage recovery split-literal-normalize from combined JavaScript objects at offset 0xA0BA	8379 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: unlikely
`generic_stage_recovery_003.js` `7efd39c9c1dc89951b9744eab617875c29d723a1608642cffc050c9d47e5ed3d`	deobfuscated-js	generic stage recovery split-literal-normalize from decompressed stream at 0x0 at offset 0x0	45846 bytes
`generic_stage_recovery_004.js` `cae37f3e8abe160fff2ea4afff3a5cd67f55425740fd1c447cd6150ffad4e26e`	deobfuscated-js	generic stage recovery percent-decode from decompressed stream at 0x0 at offset 0x0	45894 bytes
`generic_stage_recovery_005.js` `9f6bda65e4109d407eda5c44e2c813c69642e104e8a1e49755392795b72bfc26`	deobfuscated-js	generic stage recovery split-literal-normalize -> percent-decode from decompressed stream at 0x0 at offset 0x0	45844 bytes
`font_00_sfnt_off0000033c.bin` `683fcffe9abaad29001e134bdd9ad7d1628d5cbbf628c451b6c621f202a7dae4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x33C	65932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.