Malicious PDF — malware analysis report

Static analysis result for SHA-256 5cd29aefac06c2b2…

MALICIOUS

PDF

683.6 KB
MD5: 1b8161bbe15d3dcd5765b59ed257b2e0 SHA-1: 16496a3028c615809f9f4256d1e318087a6287c6 SHA-256: 5cd29aefac06c2b2329b8a714ea590bee33f11ee5d009b9f6f474939094d2923
570 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits multiple known Adobe Reader vulnerabilities, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The JavaScript is designed to download and execute a second-stage payload from the URL http://aaasss.cz.cc/as/viewforum.php/40e794226514fd89f3f56ce86686f89c?spl=pdf_13. This indicates a dropper functionality aiming to compromise the user's system.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8930

Heuristics 13

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • ClamAV: Pdf.Dropper.Agent-7264171-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7264171-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://aaasss.cz.cc/as/viewforum.php/40e794226514fd89f3f56ce86686f89c?spl=pdf_13
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/rights/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xmp/InDesign/private
    • http://ns.adobe.com/pdf/1.3/
    • http://www.iec.ch

Extracted artifacts 18

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0345_000.js
193519dc492d920925921b1fd04ff172b54a3bf9dfd2f451223549972649197d		 pdf-javascript-stream PDF /JS object 345 at offset 0xA866C 713 bytes
info_stride_js_000.js
8687b6f9ef52b191324ceaf01bbabc9b371534e0488293235487f973c96b2680		 deobfuscated-js PDF /Info fields via stride 6 4578 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
icc_00_off000a7c4c.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0xA7C4C 3144 bytes
font_00_cff_off0000eda1.bin
38f4ddd32e736897982ced0858b49da07a104e846d0946b9789f4ef370f99eb2		 pdf-font-stream PDF embedded font (cff) at offset 0xEDA1 357 bytes
font_01_cff_off0000f24a.bin
2789af23995f8af33b2dae091e9b962494e0b8b0e898fada623820ee9686b3ca		 pdf-font-stream PDF embedded font (cff) at offset 0xF24A 499 bytes
font_02_cff_off0000f777.bin
755b31802bfcbe5da85fa3b6417005821fa046390579475e59a1b7e221fd17f2		 pdf-font-stream PDF embedded font (cff) at offset 0xF777 2550 bytes
font_03_cff_off000104c5.bin
eb7fc9a0f6b5c973d758c18668889ef5241421e8108bf894a9400ecd0930c40c		 pdf-font-stream PDF embedded font (cff) at offset 0x104C5 3369 bytes
font_04_cff_off0001146e.bin
ce12ce1ce9ee146def1a9a0aa879316c8283c74b0dab40de60412666b768231d		 pdf-font-stream PDF embedded font (cff) at offset 0x1146E 2951 bytes
font_05_cff_off000122a3.bin
650743b0083f4117eafe6d934f210cd07b94d118b25ed99f041916d1b6f42ac7		 pdf-font-stream PDF embedded font (cff) at offset 0x122A3 5979 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.40, consistent with packed or encrypted content.
font_06_cff_off00013b23.bin
91487fd16b17d83908b1ba219ae597731b7158e968667787a056b1d4df0de59a		 pdf-font-stream PDF embedded font (cff) at offset 0x13B23 1949 bytes
font_07_cff_off00014736.bin
cf4944c56c01f4a65c36b5010c12128ca3ddbe0e6806e8b147a7b04453bfa751		 pdf-font-stream PDF embedded font (cff) at offset 0x14736 6612 bytes
font_08_cff_off00016357.bin
c5675bd2f2b586cbf48ee24f95e1cf91eec1b4928c28c92220efce9ec4db3e29		 pdf-font-stream PDF embedded font (cff) at offset 0x16357 3996 bytes
font_09_sfnt_off000178ac.bin
80383e85181b7288bd3f68d71356b7e2ef2e1f0ba00d93e81908469c104a18d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x178AC 52108 bytes
font_10_sfnt_off0001ff94.bin
336a7a084a76c025a84d5a8cbd6080db9a267cde0e24fe672acabed56b19aa8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1FF94 48764 bytes
font_11_sfnt_off000295bf.bin
2722878b19761e7a433e1ca6f32e7f9fe9cccce4136877b3beb9040f23bd4b18		 pdf-font-stream PDF embedded font (sfnt) at offset 0x295BF 23432 bytes
font_14_cff_off0009880c.bin
b7acc2e77938f52ea0e0e99ad276600cacf4c9a68f9966b0cff658984fc5fdfe		 pdf-font-stream PDF embedded font (cff) at offset 0x9880C 1390 bytes
font_18_cff_off0009d670.bin
498107d4b463cdfaabb7ecb0de303a1fd3753cd0475826d8151726b62a86cbb1		 pdf-font-stream PDF embedded font (cff) at offset 0x9D670 2026 bytes
font_19_cff_off0009e197.bin
6b20e84459271e0cdfae9863860320d5b0fe24a40f52c5aa56fd600bf142e820		 pdf-font-stream PDF embedded font (cff) at offset 0x9E197 1370 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.