Malicious PDF — malware analysis report

Static analysis result for SHA-256 101809f84cfe19cb…

MALICIOUS

PDF

485.1 KB Created: 2008-03-17 20:52:33 +08:00 Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0 (Windows))
MD5: 397ed1bd1f91c299c52a7f815d6c935e SHA-1: ea396e624047da74f67670a1ee384997126f6242 SHA-256: 101809f84cfe19cb16ca36c4ac4220cd63201b8fcb9aa88b3a3970a11206a103
260 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF sample contains embedded JavaScript that is obfuscated and utilizes the unescape function, indicative of exploit code. Heuristics confirm the exploitation of CVE-2007-5659 (Collab.collectEmailInfo) and the presence of JavaScript exploit stages. The deobfuscated JavaScript appears to download and execute a secondary payload, suggesting a downloader or dropper functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 10

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
2
55f78f9c9b59a08a4cc7757ec73c706b78cdecdde73ffe3b5ff2a5ea4cc47978		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x72E 2041 bytes
javascript_obj0020_000.js
e15edaec6d9b91e743afec610d77afb48eb2c8d21e7441faada5f7649b7bba61		 pdf-javascript-stream PDF /JS object 20 at offset 0x77DB4 9794 bytes
stream_004_off00077db4.js
52433d48bd1c8319b1207193fd323b188b6da3832214c255f2200002cb60ad16		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x77DB4 4900 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 16 eval/decoder/string-building token(s).
generic_stage_recovery_000.js
3624510ac3672a204e074a5a05bb51d5aa80085fb1c82b3e9aea2df7e75462a3		 deobfuscated-js generic stage recovery null-collapse from JavaScript object 20 at offset 0x77DB4 4900 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 16 eval/decoder/string-building token(s).
generic_stage_recovery_001.js
f830ce7ecfed887599594531b6595bf9d26a1503cd5b370a8bc9df6d71a73e66		 deobfuscated-js generic stage recovery split-literal-normalize from decompressed stream at 0x77DB4 at offset 0x77DB4 4540 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 16 eval/decoder/string-building token(s).
generic_stage_recovery_002.js
00a497edd4d40e7e0ac33f5fc1ee5548db435aa199da4de3918b180dd209ef34		 deobfuscated-js generic stage recovery null-collapse -> split-literal-normalize from JavaScript object 20 at offset 0x77DB4 4540 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 16 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.