Malicious PDF — malware analysis report

Static analysis result for SHA-256 159ab2aeea0a403c…

Verdict: MALICIOUS
File type: PDF
Size: 5.6 KB
Authoring application: Jidagelageno (via 7f751Ylojoppekaxopqi)
MD5: ecdaf67f9a87a6c60223e6db9dac6bcf
SHA-1: e09cddcf2808e589a7b3128023e0edf9603224b8
SHA-256: 159ab2aeea0a403c6056c466b6a4c7ee050263f38543083caa1a370c9133c5d0
Risk Score: 86

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, identified by multiple heuristics including 'PDF_JAVASCRIPT' and 'PDF_JS'. The JavaScript appears to be a stager, employing XOR-based deobfuscation and an 'eval' function to execute further code. The script reconstructs strings like 'eval', 'getPageN9thWord', and '\x' which are indicative of payload execution. Given the malicious verdict and the nature of the script, it is highly probable that this PDF is delivered as a malicious attachment via spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Page-word XOR JavaScript eval stager (severity: high, rule: PDF_PAGE_WORD_XOR_EVAL_STAGER)
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0008_000.js
SHA-256: c510f8c6a5031d17c6606a6a4e88ede1c3452bf51c2d06efb7ba03d3692fec56
Kind: pdf-javascript-stream
Source: PDF /JS object 8 at offset 0xF52
Size: 1346 bytes