PDF malware analysis — malicious · 8042eb0256fe6229

MALICIOUS

PDF

293.2 KB Created: 2008-02-27 16:58:09 +08:00 Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 6.0.1 (Windows))

MD5: 70d0d15041a14adaff614f0b7bf8c428 SHA-1: 77c72ae0dbdb1cf82684b1a6870bf04402972362 SHA-256: 8042eb0256fe62297b0a0f1730434ecf4a0eda654ad0768852a0c5f2e3ebfc2e

346 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript that exploits CVE-2007-5659 (Collab.collectEmailInfo) and uses unescape() for obfuscation. The JavaScript is designed to download and execute a second-stage payload, as indicated by the 'Win.Trojan.Dropper-82' ClamAV detection on both the main file and an extracted artifact named 'javascript_obj0017_000.js'. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 0.9599

Heuristics 11

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
ClamAV: Win.Trojan.Dropper-82 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Dropper-82
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/xhtml
- http://www.xfa.org/schema/xfa-data/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- https://www.verisign.com/repository/CPS��
- https://www.verisign.com
- https://www.verisign.com/repository/verisignlogo.gif0��
- https://www.verisign.com/CPS0b
- http://www.microsoft.com/truetype/0
- https://www.verisign.com/repository/verisignlogo.gif06
- http://status.verisign.com/class1.crl0
- http://www.microsoft.com/typography

Extracted artifacts 11

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0017_000.js` `a855e1484b6aa802ce0f6f936ba6d5b5bb5556ec34d1f510cb7f17c768fa4311`	pdf-javascript-stream	PDF /JS object 17 at offset 0x67D	4622 bytes
Detection ClamAV: Win.Trojan.Dropper-82 Obfuscation or payload: likely Carved artifact contains 16 eval/decoder/string-building token(s).
`font_00_sfnt_off0000f7c8.bin` `f64e51b19ef30b8390ae0965eabb6e5ad79c28c1dca58ec5824b119be08e34ea`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF7C8	4974 bytes
`font_01_sfnt_off000109df.bin` `048a76ea9beed1530973f7146ca79f30d494bb06eadc132577c3495826e34987`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x109DF	4838 bytes
`font_02_sfnt_off0001183d.bin` `589bcda2da9d8372fad396daf5af7158352d31238df10a8c82c57e83caced8e2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1183D	5070 bytes
`font_03_sfnt_off00022a91.bin` `680b47e1db53a8ae309f120de1ab83086be0a73da66f51157ee9102250c09a3a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x22A91	21812 bytes
`font_04_sfnt_off00024f62.bin` `91969df9276eb9cb5ef00a73fdd7980efc1ff29d33a7eddcf42bb1ddf8507a5d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x24F62	13836 bytes
`font_05_sfnt_off00026d2e.bin` `beb34830b35f9f4e51b71c8a1de0c9e5a95f24328af1ed5d8f650aa78531f139`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x26D2E	56408 bytes
`font_06_sfnt_off0002e7c1.bin` `a286bfbe80753e55b9301a2d587bf23baab5b76161513c40c4c248c269537519`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2E7C1	71312 bytes
`font_07_sfnt_off000391ab.bin` `acf4d9342887c36b031c9f7338e7eead47164de371f5e36f1d9e6b8c5041d343`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x391AB	21172 bytes
`font_08_sfnt_off00042028.bin` `4f1f2c4bd542caf8c46550e0c603495995af3ea0394403a81ead521be99f8169`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x42028	37692 bytes
`font_09_sfnt_off00047d58.bin` `e5ba2667b15c198a224ae439c7de63de0325cdaf212360b7acb8b63b3bd5384b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x47D58	4822 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.