Malicious PDF — malware analysis report

Static analysis result for SHA-256 01934ac841f4ed0f…

Verdict: MALICIOUS
File type: PDF
Size: 6.5 KB
Created: 2009-05-06 20:45:24 +08:00
Authoring application: DocuCom PDF Core Library
MD5: cd60b247d3d740749dac7f619c332e2e
SHA-1: 6ee6209b4b285b10506882297a3e8b2f99e476f2
SHA-256: 01934ac841f4ed0fa66de7f7ae63bee38dd1f65715d533524e55240170a96d47
Risk Score: 310

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link
  • T1566.002 Spearphishing Attachment

The PDF contains embedded JavaScript that is heavily obfuscated and utilizes unescape functions, indicating an attempt to hide malicious code. Heuristics and ClamAV detections confirm this is a dropper for a second-stage exploit. The primary function of the embedded JavaScript appears to be downloading and executing further malicious content, as suggested by the 'generic_stage_recovery' heuristic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (9)

  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Dropper.Agent-1532760 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-1532760
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • unescape() call [high] PDF_UNESCAPE
    unescape() found; often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
  • Generic recovered JavaScript exploit stage [high] PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Each record lists filename, SHA-256, kind, source, size, detection and obfuscation assessment.

  • javascript_obj0004_000.js
    SHA-256: 9a84a4e4f382558c62b44d7dca77c92bf7e5370d9d0bb0f01bcabb923b479ef3
    Kind: pdf-javascript-stream
    Source: PDF /JS object 4 at offset 0x891
    Size: 14600 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: unlikely
  • stream_003_off00000891.bin
    SHA-256: f60364a03a98318aee1f6e292b69354bd432e6d27e9148e0764202728513405b
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x891
    Size: 7299 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Note: carved artifact contains 4 eval/decoder/string-building token(s).
  • generic_stage_recovery_000.js
    SHA-256: e6884e53e3bf656515db3e0d1c287765b6dc4d71fb7414409f2379c5699067fc
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize from decompressed stream at 0x891 at offset 0x891
    Size: 5781 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Note: carved artifact contains 4 eval/decoder/string-building token(s).
  • generic_stage_recovery_001.js
    SHA-256: 46160f57a85716680f6af08accbde22bfa49a6b8c65edd5c3fb6bc6980ac08da
    Kind: deobfuscated-js
    Source: generic stage recovery null-collapse -> split-literal-normalize from JavaScript object 4 at offset 0x891
    Size: 5783 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Note: carved artifact contains 4 eval/decoder/string-building token(s).
  • generic_stage_recovery_002.js
    SHA-256: 77407f700df2c03bf58dda594147fb8dd88ec627f8904e3087e841a32d25d91c
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize -> split-literal-normalize from decompressed stream at 0x891 at offset 0x891
    Size: 5778 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Note: carved artifact contains 4 eval/decoder/string-building token(s).
  • generic_stage_recovery_003.js
    SHA-256: 3d1963903906c8edf72a68452107132a5e41d77967d2f8d9e3290de095e91386
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize -> percent-decode from decompressed stream at 0x891 at offset 0x891
    Size: 5773 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Note: carved artifact contains 4 eval/decoder/string-building token(s).
  • generic_stage_recovery_004.js
    SHA-256: 932d6953f884b1c04e22bfc9e052470e2253bdd0264a37d6a9e7b0815bf2c0ce
    Kind: deobfuscated-js
    Source: generic stage recovery null-collapse -> split-literal-normalize -> split-literal-normalize from JavaScript object 4 at offset 0x891
    Size: 5780 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Note: carved artifact contains 4 eval/decoder/string-building token(s).
  • generic_stage_recovery_005.js
    SHA-256: 5dff2308770e5f9f762e2aa5a434a9b34e0e9f9b8ab4592387f2b5ab2702d185
    Kind: deobfuscated-js
    Source: generic stage recovery null-collapse -> split-literal-normalize -> percent-decode from JavaScript object 4 at offset 0x891
    Size: 5775 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Note: carved artifact contains 4 eval/decoder/string-building token(s).
  • generic_stage_recovery_006.js
    SHA-256: d9bad1c4519c93e9bcebc555177f84655234dfa880fdbd84138c0ee5189410c4
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize -> split-literal-normalize -> percent-decode from decompressed stream at 0x891 at offset 0x891
    Size: 5770 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Note: carved artifact contains 4 eval/decoder/string-building token(s).