Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b708d210a2b5781…

MALICIOUS

PDF

175.2 KB Created: 2011-04-19 14:23:41 +08:00 Authoring application: Acrobat PDFMaker 9.0 Word 版 (via Acrobat Distiller 9.0.0 (Windows))
MD5: bb948433d123608b9fdbb0dc02f13b76 SHA-1: 545565776f8879e3cc78df0e5b6add83ce14de5c SHA-256: 7b708d210a2b578160b996402cc9d0fae666607f21e4e218f2c7e9a358db0b74
316 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits known vulnerabilities in Adobe Flash (CVE-2010-1297) and PDF (CVE-2009-0927). The JavaScript is designed to download and execute a second-stage payload, as indicated by the critical heuristic firings for exploit stages and ClamAV detection of shellcode. The reconstructed JavaScript payload is too obfuscated to determine its exact destination, but the overall intent is clearly malicious execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 9

  • Adobe Flash authplay SWF exploit in PDF — CVE-2010-1297 critical CVE likely CVE_2010_1297_FLASH_RICHMEDIA
    PDF combines RichMedia Flash activation, a crafted SWF with ActionScript prototype/AVM-era markers or the AES-PHP/authplay variant markers, and PDF-side shellcode heap-spray staging. This is the static delivery shape associated with CVE-2010-1297 in Adobe Reader's bundled authplay.dll.
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
8.swf
2aa862d005f88538e38f0035e72490ff3991361b263b95d6130145c16f6a7c8d		 pdf-embedded-file PDF EmbeddedFile object 37 at offset 0x28FA6 2557 bytes
javascript_obj0027_000.js
86e9c5563606e159188b0ae74c8f4a5d57c92509939674e866023de6dda78eb3		 pdf-javascript-stream PDF /JS object 27 at offset 0x2808D 11088 bytes
generic_stage_recovery_000.js
aa8b979919c9ea7d26810242e14a8de830455fa181d22687308bbe43fa15cc55		 deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 27 at offset 0x2808D 9730 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: unlikely
js_property_alias_stage_000.js
52497e1ee7befaf0570c9e38d5a2e8a0b396f59dc34af1caaff475ee9b9c0f70		 deobfuscated-js JavaScript property alias normalized stage at offset 0x2808D 9941 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.