Txt.Downloader.Nemucod-6769573-0 — PDF malware analysis

Static analysis result for SHA-256 05b516fe27ec0221…

MALICIOUS

PDF

59.2 KB Authoring application: PyPDF2
MD5: e98802f1510ee971bc230ff6022bfbe1 SHA-1: 6aaf105a351272109d803576d5bccf79e939091f SHA-256: 05b516fe27ec02210829b8d1ba762de829eaa12c5b584626867841bc15507759
286 Risk Score

Malware Insights

Txt.Downloader.Nemucod-6769573-0 · confidence 95%

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and ML classifiers, indicating it contains a downloader. The embedded JavaScript, obfuscated using hex escapes and eval(), is designed to execute and likely download a secondary payload. The primary technique observed is the exploitation of PDF vulnerabilities to run JavaScript, which is then used to fetch further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics 7

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Txt.Downloader.Nemucod-6769573-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Txt.Downloader.Nemucod-6769573-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
a1130cb1e5490d6ce4962bed5982d78c81b0683ff18d65bfbce4b82804da6b09		 pdf-javascript-stream PDF /JS object 8 at offset 0x69A 17469 bytes
Detection
ClamAV: Txt.Downloader.Nemucod-6769573-0
Obfuscation or payload: likely
Carved artifact contains 48 eval/decoder/string-building token(s). Carved artifact contains 2 long hex-escaped blob(s).
javascript_obj0008_001.js
43e5972dbc06a39d481d4212f1ac66b2469984e12be3003b7fa9f8132c8aa43c		 pdf-javascript-stream PDF /JS object 8 at offset 0x69A 737 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.