Malicious PDF — malware analysis report

Static analysis result for SHA-256 50a18cbbb92102af…

MALICIOUS

PDF

68.2 KB Created: 2012-10-02 16:53:23 +04:00 Authoring application: hogfeiu (via mstxgsk)
MD5: 22676607999b02f69bd6fbee50b534c6 SHA-1: 805b15e219dab3c0fbc320474e7b8ef4969909f8 SHA-256: 50a18cbbb92102afde766435262943041dda0000bbf9a9741be3b81c755a3381
194 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

This PDF document exploits CVE-2007-5659 by leveraging a JavaScript stager embedded within an AcroForm field. The stager uses unescape() to deobfuscate and execute a payload, likely for information collection or further exploitation. The ML classifier strongly indicates maliciousness, and the presence of JavaScript actions and streams confirms the exploit vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 9

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • AcroForm marker-unescape JavaScript stager high PDF_ACROFORM_MARKER_UNESCAPE_JS_STAGER
    PDF OpenAction JavaScript reads an AcroForm field value, rewrites a long marker token back to percent escapes, then unescape/eval executes the recovered exploit stage.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser exited 1. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
acroform_marker_stage_000.js
b04c45e2ec453f206afcb36d8f1946b5c1ed830bc419c1a3afa686ec42d2d57b		 deobfuscated-js AcroForm field Text3 marker-unescape JavaScript at offset 0x416 3792 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
javascript_obj0106_000.js
4d66b7df8b499a23e11f6bb5732377779c6d7ea24ca19feb87e5565052c331dd		 pdf-javascript-stream PDF /JS object 106 at offset 0x10F1F 203 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj0106_001.js
48b5c1aa0b9f3e92a23c6cea25235a186c4aa66d5e158a40d6ff26f2a0e8c10f		 pdf-javascript-stream PDF /JS object 106 at offset 0x10F40 364 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.