Verdict: MALICIOUS
Risk Score: 250

Malware Insights
MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF file contains obfuscated JavaScript that leverages the CVE-2008-2992 vulnerability, indicated by the 'util.printf' sink and the PDF_JS_EXPLOIT_CLUSTER heuristic. The script is designed to download a second-stage payload from the URL http://gospeltube.com/cache/.svn/.p/.l.php?l=1&spl=pdf_util_printf. The use of eval() and unescape() functions, along with complex string concatenation and array manipulation, points to a downloader or initial access stage of a malware infection.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (8)
- util.printf — CVE-2008-2992 (critical, CVE exact, CVE_2008_2992): PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (Identified after JavaScript deobfuscation.)
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behaviour.
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution.
- PDF JavaScript shellcode contains an embedded download URL (high, PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behaviour rather than a specific Acrobat CVE).
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://gospeltube.com/cache/.svn/.p/.l.php?l=1&spl=pdf_util_printf
Extracted artifacts (10)
Files carved from inside the sample during analysis. ClamAV reported no threats for any of them; the "Obfuscation or payload" column is the static-triage verdict, with the matched token/blob counts in the last column.

| Filename | SHA-256 | Kind | Source | Size | ClamAV | Obfuscation or payload | Static triage notes |
|---|---|---|---|---|---|---|---|
| javascript_obj111711_000.js | 38ed99bb157ce98ec8cd7cc69c3ac0e2370456143bc99701d4d8d6a7a54d556d | pdf-javascript-stream | PDF /JS object 111711 at offset 0x18E | 3952 bytes | No threats found | likely | 1 eval/decoder/string-building token(s); 4 long base64-like blob(s) |
| javascript_obj111712_001.js | 9f8034b854c2f139a3b6ba645f1aca5b15715d48faac78982fc00754f42f277e | pdf-javascript-stream | PDF /JS object 111712 at offset 0x1134 | 19043 bytes | No threats found | likely | 1 eval/decoder/string-building token(s); 4 long base64-like blob(s) |
| javascript_obj111713_002.js | ff7d2b8479804a29d3221f06831f1a2fd160d0451fe9abd69c2b427e05b0c7e7 | pdf-javascript-stream | PDF /JS object 111713 at offset 0x5BCD | 4776 bytes | No threats found | likely | 1 eval/decoder/string-building token(s); 5 long base64-like blob(s) |
| javascript_obj111711_003.js | 43562d659b4bc22a94129b1808d7c99c1992da20c4deef68583e31ee17ba6ddf | pdf-javascript-stream | PDF /JS object 111711 at offset 0x1B2 | 27927 bytes | No threats found | likely | 3 eval/decoder/string-building token(s); 13 long base64-like blob(s) |
| javascript_obj111712_004.js | 5ea8c18dffa6e2616f8657c368a100cccfc50d26f5860dd1638ec19661ba56fd | pdf-javascript-stream | PDF /JS object 111712 at offset 0x1158 | 23921 bytes | No threats found | likely | 2 eval/decoder/string-building token(s); 9 long base64-like blob(s) |
| javascript_obj111713_005.js | 2d81ed9b5d23a523dc498a6e503b465013cb53c58e84f416e83d20a705d1895d | pdf-javascript-stream | PDF /JS object 111713 at offset 0x5BF0 | 4825 bytes | No threats found | likely | 1 eval/decoder/string-building token(s); 5 long base64-like blob(s) |
| legacy_pdfkit_stage_000.js | a63d87f2b143513c65d1743d1dc1458eace0797e16ff17319fa0a362817b3dff | deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x1134 | 1413 bytes | No threats found | likely | 3 eval/decoder/string-building token(s) |
| legacy_pdfkit_stage_001.js | 62f431cd251bfe244e459f55272bf2e4f2b1e8ff81b6dd756324618b6d92949f | deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x5BCD | 388 bytes | No threats found | likely | 1 long base64-like blob(s) |
| legacy_pdfkit_stage_002.js | d2f39dee64c96c10c4b52897ef42b7cc3b9dc3d2e741bf79c7d8e43c39e306c7 | deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x1B2 | 1802 bytes | No threats found | likely | 3 eval/decoder/string-building token(s); 1 long base64-like blob(s) |
| legacy_pdfkit_stage_003.js | 2bf1f72f853b444ed2fdf7a7520e85aea6b0e56dacea250d8b9aea1cc2d0761a | deobfuscated-js | multi-marker percent-array combined decoded JavaScript at offset 0x1134 | 9403 bytes | No threats found | likely | 15 eval/decoder/string-building token(s); 6 long base64-like blob(s) |