Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d22b455007f4316…

MALICIOUS

PDF

35.5 KB Created: 2009-05-01 21:21:45 Authoring application: tvEeSFCPx (via NeTSnrx)
MD5: de54b83f8cb044c1d8a947f7a97d09b4 SHA-1: 2b3dac5926e66aa3f38ca096573049b76448cd5a SHA-256: 3d22b455007f4316ca994fd95ee5630daae7cc6fb8c3722effb7e0709e673ed7
172 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript that utilizes eval() and unescape() functions, indicating obfuscation. The generic stage recovery heuristic suggests that the script is designed to download and execute a second-stage payload. The ML classifier strongly flags this PDF as malicious. No specific family could be identified due to the generic nature of the obfuscation and delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, or hex literals. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser exited 1. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • ClamAV scan did not complete on extracted artifact info CLAMAV_SCAN_INCOMPLETE
    ClamAV did not complete on 6 carved artifact(s); EXTRACTED_FILE_CLAMAV may be missing for this run. The result is not cached so a later submission will retry the scan.

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
8220c6d77d53ec9b17e29d9202f368102816bb514dcbf4d3a29a01760eaf8744		 pdf-javascript-stream PDF /JS object 7 at offset 0x215 35126 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
javascript_obj0007_001.js
0608e2bdfe829e74bba6252f3489be33d8776a80f1f93d713671ed55a3412d59		 pdf-javascript-stream PDF /JS object 7 at offset 0x215 35039 bytes
generic_stage_recovery_000.js
b56af5917baf80955b62bc44f4380c96dd2df735f9e21911711bffd64d07ea6c		 deobfuscated-js generic stage recovery percent-decode from JavaScript object 7 at offset 0x215 26502 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
generic_stage_recovery_001.js
2ad85955437dcd11e45e674347d0a6390b084e8c34a6ab96fe01123b29a8c184		 deobfuscated-js generic stage recovery percent-decode from JavaScript object 7 at offset 0x215 26415 bytes
generic_stage_recovery_002.js
6e6dbe577edf5b338a90cbc1d083fafff70d08c3abd5a928bb1b4460a368edf9		 deobfuscated-js generic stage recovery percent-decode -> percent-decode from JavaScript object 7 at offset 0x215 26292 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
generic_stage_recovery_003.js
ab2a0be9f947665b81f86db3444ea7b84486aff2731697bfe0bedd659932c6b2		 deobfuscated-js generic stage recovery percent-decode -> percent-decode from JavaScript object 7 at offset 0x215 26205 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.