Malicious PDF — malware analysis report

Heuristics 10

• Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
  PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
• Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) high CVE likely PDF_JS_ADOBE_APSB08_13_PATCH_GATE
  PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
• Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT
  A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
• Annotation subject percent-decoding eval stager critical PDF_ANNOT_SUBJECT_MARKER_EVAL_STAGER
  OpenAction JavaScript forces annotation enumeration, reads an annotation /Subject payload with getAnnots(), rewrites marker bytes into percent escapes, decodes it with unescape(), and dispatches it through eval. This is a high-confidence exploit-kit staging pattern. It is intentionally not mapped to CVE-2009-1492 unless getAnnots() itself carries the crafted integer or long argument shape for that vulnerability.
• ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
• PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
  Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
• JavaScript action low PDF_JAVASCRIPT
  PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://aghrcgpavmr.com/nte/prox.php/eH51e6237fV0100f080006R6d95516a102Tb43645cd201l0010

Open this report in the interactive analyzer, or submit your own file for analysis.