Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d40f68773193b0f…

MALICIOUS

PDF

335.5 KB Created: 2009-09-29 17:28:27 +08:00 Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 6.0 (Windows))
MD5: 270ea1808ec66b4dd74b397254e57ce2 SHA-1: 7ebe7409a5759158a677dc191218c2777c20fe03 SHA-256: 0d40f68773193b0ff870332e11c525d3e64ee4a993c971c1d9badb95a52616f9
512 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that leverages multiple CVEs, specifically Collab.collectEmailInfo (CVE-2007-5659) and Collab.getIcon (CVE-2009-0927), to execute code. The JavaScript is designed to collect email information and appears to be part of an exploit kit aimed at compromising Adobe Reader. The primary function of the script is to exploit these vulnerabilities for client-side execution, likely as a precursor to further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9790

Heuristics 13

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Pdf.Exploit.Agent-35646 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35646
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0030_000.js
f6665a2b917420327cee75bc3142d96cc4e67dd9009946b609277cbcc4f01729		 pdf-javascript-stream PDF /JS object 30 at offset 0x4F9D 5079 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: unlikely
javascript_obj0051_001.js
2b11dd708aa56c68c96f9840aad20b570c8c1d2a148d2baf32bd6974f8029b8b		 pdf-javascript-stream PDF /JS object 51 at offset 0x5271E 5499 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
generic_stage_recovery_000.js
eaad06f4e88ea7ac410811174aa1d4cdd517506713602d636c3dd87a32727ebe		 deobfuscated-js generic stage recovery percent-decode from JavaScript object 30 at offset 0x4F9D 5071 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: unlikely
generic_stage_recovery_001.js
5be6666d04dac2225a96708cf98249e79c3c5c47360ac819b7173f47540d72d2		 deobfuscated-js generic stage recovery percent-decode from combined JavaScript objects at offset 0x4F9D 10563 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
generic_stage_recovery_002.js
7098d7f1d5d4111a540b6e17ab7226f3600b8452c7bd341d4ac18b2b0fdd62b4		 deobfuscated-js generic stage recovery percent-decode from JavaScript object 51 at offset 0x5271E 5491 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
combined_document_js_000.js
44ac5e8a59fa4a21951736daa0989199b9cbbc3f4838a38e880735393173d40e		 deobfuscated-js combined document JavaScript streams at offset 0x4F9D 10579 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
polyglot_child_pdf_off0004bdcb.pdf
1c6ce7a783be0494a1d54d06964f2958653bbb74017349b569d4c8659eeb8bee		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x4BDCB 32828 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.