Malicious PDF — malware analysis report

Static analysis result for SHA-256 66cc1d48c643d334…

MALICIOUS

PDF

25.1 KB
MD5: f5388f2a1547cf028d5fc11dcefd52e4 SHA-1: 1c6a144d5f4d3c7b4645f316f16988a9626eea26 SHA-256: 66cc1d48c643d334c9e0bf8538f0dce55042046f38c75677d497d9d949aeeef2
250 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF contains obfuscated JavaScript that leverages the CVE-2008-2992 vulnerability, specifically using `util.printf` to execute code. This script is designed to download a second-stage payload from the URL http://gospeltube.com/cache/.svn/.p/.l.php?l=1&spl=pdf_util_printf. The use of `eval()` and string concatenation within the JavaScript indicates a deliberate attempt to obfuscate the malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gospeltube.com/cache/.svn/.p/.l.php?l=1&spl=pdf_util_printf

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj111711_000.js
8f8edfe03882ee0a0d2c5a966f0267c82a1fc5a37a5fcc439e9e0d67a9fd14b1		 pdf-javascript-stream PDF /JS object 111711 at offset 0x18E 3866 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
javascript_obj111712_001.js
d07a8b302c0f6d408926b92a6fc03fd6fdd28383ab7c118a67d38318a650580f		 pdf-javascript-stream PDF /JS object 111712 at offset 0x10DE 16968 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
javascript_obj111713_002.js
2342bfbf0f80a1341296c00f47ae322a9b36287fc08cc51a83165f4be84188ee		 pdf-javascript-stream PDF /JS object 111713 at offset 0x535C 4249 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
javascript_obj111711_003.js
7181d049b121ffd7a4d6d0fca2acb0ec87e3b87cad2fe548af7e8d45de8890b3		 pdf-javascript-stream PDF /JS object 111711 at offset 0x1B2 25239 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 18 long base64-like blob(s).
javascript_obj111712_004.js
146900186c97d6b8631d090e6af76e3d2c24f25f053eb148d029fe1c90015d93		 pdf-javascript-stream PDF /JS object 111712 at offset 0x1102 21319 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 12 long base64-like blob(s).
javascript_obj111713_005.js
380c02b49478ff04b6e9c0d72125cd27db19c04b4897478dbeb48278df5dd603		 pdf-javascript-stream PDF /JS object 111713 at offset 0x537F 4298 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
legacy_pdfkit_stage_000.js
2ce519949289064cac4d9ec5e2f03616b7ef69d371aebd8dd98fe04454eb0f63		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x10DE 1413 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
legacy_pdfkit_stage_001.js
df2e8f38acbcede11c3621c62802a425613ee3b105933e1debbf6452a55bb89f		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x535C 384 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
legacy_pdfkit_stage_002.js
5ec905c90d55fcf4d2b0c31249c4101d8761487d182402b89b67aed6b1434733		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x1B2 1798 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
legacy_pdfkit_stage_003.js
8f8177e35ecae1e2101f74a95a60e66f6f384ff08c4bf2fc99f6727babdd8552		 deobfuscated-js multi-marker percent-array combined decoded JavaScript at offset 0x10DE 9379 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 15 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.