Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf83b3fd0ffb18df…

MALICIOUS

PDF

323.8 KB Created: e1svrt Authoring application: Adsfgddfobe (via sfgasdfgsd)
MD5: 06eb7834e1dee1513f93929836b40b01 SHA-1: 278c0e122fde6c126dae1af428f4e4dd332bdb0e SHA-256: cf83b3fd0ffb18df2badf5b4f514af14d37128428c7a4eaba76cacd4a4e4a529
358 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1059.005 Visual Basic

The PDF file contains multiple critical heuristic firings indicating exploitation of CVE-2009-4324, CVE-2009-0927, and CVE-2007-5659. These vulnerabilities are leveraged to execute embedded JavaScript, which is further obfuscated using `eval()` and `unescape()` calls. An extracted artifact, 'Js.Exploit.Shellcode-18', suggests the script's purpose is to download and execute a secondary payload. The presence of multiple exploit-related heuristics and the nature of the extracted artifact strongly indicate a malicious PDF designed for exploitation.

Heuristics 11

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://syndication.visualthesaurus.com/ddc/related.js?lang=en&word=
    • http://www.specificmedia.com/w3c/p3p.xml
    • http://bp.specificclick.net?pixid=99017449
    • http://cache.specificmedia.com/creative/blank.gif?ts=20100902151520&cmxid=2101.010009447900561207xmc
    • http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml
    • http://amch.questionmarket.com/adsc/d746049/2/37377587/decide.php?ord=
    • http://www.visualthesaurus.com/?word=
    • http://syndication.visualthesaurus.com/ddc/gradient.png);background-repeat
    • http://syndication.visualthesaurus.com/ddc/small/
    • http://syndication.visualthesaurus.com/ddc/new.png
    • http://ads.specificmedia.com/serve/v=5;m=3;l=11152;c=101343;b=601397;ts=20100902151524;p=ui%3DGwWdkeNu068_XD%3Btr%3D_GcoloqwZMB%3Btm%3D0-0;cxt=99017449:1930755-99020056:1930419
    • http://cache.specificmedia.com/creative/blank.gif?ts=20100902151524&cmxid=2101.010010134300601397xmc
    • http://amch.questionmarket.com/adsc/d718526/4/37757841/decide.php?ord=
    • http://ads.specificmedia.com/serve/v=5;m=3;l=12272;c=84476;b=499680;ts=20100902151526;p=ui%3DGwWdkeNu068_XD%3Btr%3DtvoIlvZrgFF%3Btm%3D0-0;cxt=99020056:1930419
    • http://cache.specificmedia.com/creative/blank.gif?ts=20100902151527&cmxid=2101.010008447600499680xmc
    • http://cache.specificmedia.com/creative/blank.gif?ts=20100902151530&cmxid=2101.010009388600557068xmc
    • http://ads.specificmedia.com/serve/v=5;m=3;l=11126;c=84476;b=499681;ts=20100902151533;p=ui%3DGwWdkeNu068_XD%3Btr%3Dq3hVnY55QtE%3Btm%3D0-0;cxt=99020056:1930419
    • http://cache.specificmedia.com/creative/blank.gif?ts=20100902151533&cmxid=2101.010008447600499681xmc
    • http://www.googleadservices.com/pagead/p3p.xml
    • http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
    • http://ad.doubleclick.net/adj/N3880.specificmedia.com/B4543532.23;dcove=o;sz=728x90;click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=11124%3Bc=94479%3Bb=561207%3Bp=ui%3DGwWdkeNu068_XD%3Btr%3D8fRto8PQ2NG%3Btm%3D0-0%3Bts=20100902151520%3Bdct=;ord=20100902151520?\
    • http://www.thesaurus.com/browse/
    • http://ad.doubleclick.net/adi/N5688.131139.0377843110521/B4381208.63;sz=300x250;pc=[TPAS_ID];click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=11152%3Bc=101343%3Bb=601397%3Bp=ui%3DGwWdkeNu068_XD%3Btr%3D_GcoloqwZMB%3Btm%3D0-0%3Bts=20100902151524%3Bdct=;ord=20100902151524
    • http://ad.doubleclick.net/adj/N5688.131139.0377843110521/B4381208.63;sz=300x250;pc=[TPAS_ID];click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=11152%3Bc=101343%3Bb=601397%3Bp=ui%3DGwWdkeNu068_XD%3Btr%3D_GcoloqwZMB%3Btm%3D0-0%3Bts=20100902151524%3Bdct=;ord=20100902151524
    • http://ad.doubleclick.net/jump/N5688.131139.0377843110521/B4381208.63;sz=300x250;pc=[TPAS_ID];ord=20100902151524
    • http://ad.doubleclick.net/ad/N5688.131139.0377843110521/B4381208.63;sz=300x250;pc=[TPAS_ID];ord=20100902151524
    • http://ad.doubleclick.net/adi/N5853.126328.9391013998421/B3822438.3;sz=300x250;click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=12272%3Bc=84476%3Bb=499680%3Bp=ui%3DGwWdkeNu068_XD%3Btr%3DtvoIlvZrgFF%3Btm%3D0-0%3Bts=20100902151527%3Bdct=;ord=20100902151527
    • http://ad.doubleclick.net/adj/N5853.126328.9391013998421/B3822438.3;sz=300x250;click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=12272%3Bc=84476%3Bb=499680%3Bp=ui%3DGwWdkeNu068_XD%3Btr%3DtvoIlvZrgFF%3Btm%3D0-0%3Bts=20100902151527%3Bdct=;ord=20100902151527
    • http://ad.doubleclick.net/jump/N5853.126328.9391013998421/B3822438.3;sz=300x250;ord=20100902151527
    • http://ad.doubleclick.net/ad/N5853.126328.9391013998421/B3822438.3;sz=300x250;ord=20100902151527
    • http://ad.doubleclick.net/adj/N3880.specificmedia.com/B4684875;dcove=o;sz=300x250;click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=11125%3Bc=93886%3Bb=557068%3Bp=ui%3DGwWdkeNu068_XD%3Btr%3DPeAajYWP6eC%3Btm%3D0-0%3Bts=20100902151530%3Bdct=;ord=20100902151530
    • http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd
    • http://ad.doubleclick.net/adi/N5853.126328.9391013998421/B3822438.2;sz=160x600;click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=11126%3Bc=84476%3Bb=499681%3Bp=ui%3DGwWdkeNu068_XD%3Btr%3Dq3hVnY55QtE%3Btm%3D0-0%3Bts=20100902151533%3Bdct=;ord=20100902151533
    • http://ad.doubleclick.net/adj/N5853.126328.9391013998421/B3822438.2;sz=160x600;click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=11126%3Bc=84476%3Bb=499681%3Bp=ui%3DGwWdkeNu068_XD%3Btr%3Dq3hVnY55QtE%3Btm%3D0-0%3Bts=20100902151533%3Bdct=;ord=20100902151533
    • http://ad.doubleclick.net/jump/N5853.126328.9391013998421/B3822438.2;sz=160x600;ord=20100902151533
    • http://ad.doubleclick.net/ad/N5853.126328.9391013998421/B3822438.2;sz=160x600;ord=20100902151533

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js
49abc56c3a0e318e14f3925953a3d61c948434787c6f71b63eef14c1e0c9dd6a		 pdf-javascript-stream PDF /JS object 6 at offset 0x14A 905 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
embedded_pdf_script_00025d4c.bin
5fd5bcfe881e98b8cc47b9fde239ac48911968920df19a08d31a7a08b3c3911b		 pdf-embedded-script PDF decompressed stream script payload at offset 0x25D4C 331516 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 22 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
legacy_pdfkit_stage_000.js
4cff2fd28bb4c0b444d0273415d450cf9bc660508695b1bf447107d26c3e7dd7		 deobfuscated-js repeated-marker hex decoded JavaScript at offset 0x3AB 11456 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.