PDF malware analysis — malicious · 12428cd65d1b34e3

MALICIOUS

PDF

242.4 KB Created: 2011-04-19 14:23:41 +08:00 Authoring application: Acrobat PDFMaker 9.0 Word 版 (via Acrobat Distiller 9.0.0 (Windows))

MD5: 5486a876f39c8495cc9e38ec1f7eb968 SHA-1: b33fc49e713e6ea79a033ef22db69810dffcb2fc SHA-256: 12428cd65d1b34e333f753897c7331dbd30b5d048f7be048be358623d7d4b02a

318 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file contains embedded JavaScript and Flash content that exploits known vulnerabilities (CVE-2010-1297 and CVE-2009-0927). The JavaScript is heavily obfuscated but appears to be designed to download and execute a second-stage payload, as indicated by the 'generic_stage_recovery' artifacts and ClamAV detection of Js.Exploit.Shellcode-18. The embedded '8.swf' file is also suspicious.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 10

Adobe Flash authplay SWF exploit in PDF — CVE-2010-1297 critical CVE likely CVE_2010_1297_FLASH_RICHMEDIA

PDF combines RichMedia Flash activation, a crafted SWF with ActionScript prototype/AVM-era markers or the AES-PHP/authplay variant markers, and PDF-side shellcode heap-spray staging. This is the static delivery shape associated with CVE-2010-1297 in Adobe Reader's bundled authplay.dll.
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
RichMedia (Flash) high PDF_RICHMEDIA

PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 14

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`8.swf` `feb5afc86348d58d2b64d339698edf9e2207fd2c85931798ab933c5221f9697d`	pdf-embedded-file	PDF EmbeddedFile object 37 at offset 0x4835	2557 bytes
`javascript_obj0027_000.js` `d6d99349e7c690240f5dfc29bc67cd1793d0cbd768c375c5a189f8e013e439df`	pdf-javascript-stream	PDF /JS object 27 at offset 0x1A72	10629 bytes
`javascript_obj0027_001.js` `80b810bcb3e19e0816676150d3b9ff14345e08b7fc3bc6dc8e369e8a81f55728`	pdf-javascript-stream	PDF /JS object 27 at offset 0x1A95	241435 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).
`generic_stage_recovery_000.js` `cb558083fa95f1f6c8d764d36a95bf60923a112a1950677e932914cbf3d51c3c`	deobfuscated-js	generic stage recovery split-literal-normalize from raw PDF metadata at offset 0x0	246918 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).
`generic_stage_recovery_001.js` `3830c60f0af06b260627c04b2f69aed5065b67d629f00ee5619c8a118871af43`	deobfuscated-js	generic stage recovery split-literal-normalize from JavaScript object 27 at offset 0x1A72	9307 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: unlikely
`generic_stage_recovery_002.js` `c9b62e3c9d27316184286daf69cba6649d36477f102ac41e3ee9a3d40db2204e`	deobfuscated-js	generic stage recovery split-literal-normalize from combined JavaScript objects at offset 0x1A72	249421 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).
`generic_stage_recovery_003.js` `60732e14381741a6addef809879562b1f5b362970801e9a4d10a21162406fc76`	deobfuscated-js	generic stage recovery split-literal-normalize from JavaScript object 27 at offset 0x1A95	240113 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).
`generic_stage_recovery_004.js` `996d5bf0810c49df95988e31251e250adc07a5707fb22ea1a6c28ed190a42517`	deobfuscated-js	generic stage recovery split-literal-normalize from decompressed stream at 0x0 at offset 0x0	246894 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).
`generic_stage_recovery_005.js` `918f2c03d7b5a66519e82c2de82b377f8704a9d711348f182651f8e17978de63`	deobfuscated-js	generic stage recovery null-collapse -> split-literal-normalize from raw PDF metadata at offset 0x0	85157 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).
`generic_stage_recovery_006.js` `141b507c0497bb0b0c9d318682d3c3587f463941f200890e0b304353d74d6a6e`	deobfuscated-js	generic stage recovery null-collapse -> split-literal-normalize from combined JavaScript objects at offset 0x1A72	87691 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).
`generic_stage_recovery_007.js` `f1ca59ddb1afaef1816a16ac7535fdbd577d073231ce57776ee85f3c01f488bb`	deobfuscated-js	generic stage recovery null-collapse -> split-literal-normalize from JavaScript object 27 at offset 0x1A95	78383 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).
`generic_stage_recovery_008.js` `a4e9753ba9ca135bf3ff40819325e4301b1c218234b10fdb7428ccd94d36cc18`	deobfuscated-js	generic stage recovery null-collapse -> split-literal-normalize from decompressed stream at 0x0 at offset 0x0	85133 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).
`js_property_alias_stage_000.js` `ed5acaccc0d286d6b9752b0f9aadaae0ea832f9aa4c0ea46a0f2182c1ea9a7ff`	deobfuscated-js	JavaScript property alias normalized stage at offset 0x1A72	9653 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: unlikely
`js_property_alias_stage_001.js` `0202aa12fd5803e68ea510e821f127ca3668ca1eeba9085216c285f80db99ad6`	deobfuscated-js	JavaScript property alias normalized stage at offset 0x1A95	240459 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.