PDF malware analysis — malicious · 671fbf31ed3f6675

MALICIOUS

PDF

118.8 KB

MD5: 04dd8a4dc657d2a348bcfc322d5904d2 SHA-1: 6f26796425b6862819f1903a4ac366f0f01492cf SHA-256: 671fbf31ed3f6675ab787ab6c4f80044a4921571b5742140814145e5a29d7227

256 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF sample contains embedded JavaScript that utilizes eval() and String.fromCharCode, indicative of obfuscated malicious code. Heuristics and ClamAV detection confirm this is a known exploit, likely Pdf.Exploit.Agent-36086. The JavaScript is designed to download and execute a secondary payload, a common technique for initial compromise.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 6

ClamAV: Pdf.Exploit.Agent-36086 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-36086
JavaScript action low 3 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Large comment-padded JavaScript eval stager high PDF_JS_LARGE_COMMENT_PADDED_EVAL

PDF JavaScript contains a very large stream padded with long random-looking block comments around String.fromCharCode and eval. This is an exploit-kit obfuscation shape used to bury a decoder and recovered stage inside noise, not normal PDF form automation.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0006_000.js
bddb663a9face50cb56c1cfe7e8edc697210b49e268139d2f5138390f3c75f61 pdf-javascript-stream PDF /JS object 6 at offset 0x143 627907 bytes

Filename	Kind	Source	Size
`javascript_obj0006_000.js` `bddb663a9face50cb56c1cfe7e8edc697210b49e268139d2f5138390f3c75f61`	pdf-javascript-stream	PDF /JS object 6 at offset 0x143	627907 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 42 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script function xnK(hNF){ /*0JbX3QOhijqOPBfpe8A8vomFJQHpsGqBpCysrlKJFaxtLNSUr7pPt4yjLYLromRUiqf20UcHmXteWmF2MuvQ3OA1y1oVRnP0O4bYXnFjj8xfucgfHL5KzFK8F92wwQFkUQhRcX0w4HLyU2OANTklx5sbctHIjm3cbk4ogcUkUFTNGGnsyHN6LfgYJYG2kIev2hUhuNCorua80yzIemNC4Xk2CmljBRlTKCnxeLZIW6RtFzI2lHDpDYqejMyVCTNmv0TJVSqQYhjDQ1EbHhAjfyyM6snYfJsoCajuA9rSr4HrIS8sresZNd4fA2ujtTWEbpekR6MVMcCEkC6MQxKCLOSkPlEidAWpZaJQfuK2HlF2YLNNixp3kgn0C1rQBnezyYoNs9O0ttaqdXdwuDyOUVYvWpkwMz6jxu7CV96niwBfK7JmFxfAuLvT62FE8ZbC5aeZijmBQXRz4zWI7ahAVNs1P7FX6Qy0M9i6uTWrJuvipdoAvZvhqv7x03CZBMZnUgso0nQTSkbgyAR3yljYQqvs7Y4SXqMdSamff8kqnS1eUyzdvpD1o67m9ZizKvrVSGU8Ndya6ypZ6YbBmPBLVI74GpCqU3kMJeUwsrHx6v53HGpwg0qZguEF65z8pkRDdm5F3BE87JaNoAjFKKDdhEilcqLxgnLDrpF34N9MYWaxeQgYsgbKUu67UQDacnNENsGQfOCdKNKZC1X4g8OaBTgvIUFVhsy4VeU03vmMi7KU8GXnNLyoDOTlIxfZO2U2W44rpQJwzCDfz13jzqWmig5Qw3Qj5JlMpqbe9IOLk3jl6CUvygOPkEkntErbZqYoR0CRqKbs3wyFq3cGR11ulnXZO9Ye6l5eX46mNgPQMnubpGSfHTK2fG4OXhUim9eqdBdtq3eNwqccisTabUqRUtFRLy98GnxTZKlpNAcj1ovjRot2iUTcnx386beMyMExwWiA8CBw8UmvnoOggDN2LTdEMLhihheASmbsSileOJCBZTACFCnyPmbA8tToK7ZCs04kspzf8bQ74qIJ25gQrrqyViXFoVgR5jbwIKLPWBVZ1DH3IYS9oiGjADYZxdPBw18eKT4FtZEuBkwjiorHG8fKXeh03SG3ZVNRYskW6PwqkQJIgponoE8kSouVgaXf5K72crXhftIziqhzPGXdj5yas35Jc2YhM5jYvffKJXj2nABcgxpzBXK4PMbQKtBPMzj2O4LKmM8XnjcUJMvGvzFjlR05jLU5jc67fQRCCYyZhKTvoG1XkjhbsmucfzvsFCHvsi8pR6HBZG6nl6jGpBRRYl4cUzFzal4CEa2vgI6eoaCKgVqGwgxtCAGv0k5jG8WkhYPxFUM45nNlic1Ptxh58XAghEAXMwg3t5A8Zmb3KYn2aoQEW8J35ijlXUiIpyLTDl1CHbEq02sjpiYkqGnuZHQWA8EGoSiKSVq3yRcAjvBtk29Iv7ok3ZsGY84QqNIkdLT5XsnssZVM3uv0SPbRhRPoVEOIm9W713tmuVloHkraPB3EMTVDIiyl7fHebOfaQIxjDSIkb0v1KyEwrz99SGuYWac7YrhO0O8NGP7SZCSI0wdA5mIW2bUYm65kxl9H0ftP5AG3bxKl3YV8jD3lPWib2mwyIEeRTIFXhltTKOWHJ3m6ka1Dm3ZSAGvPxowclOxkgq44lKMoK8t5iuHFwFw7l2VTqr5LeC5u29ynTkLCsdGKImpd2VjnXefmFk8UWcnXkWjdf5PHhvrSQcULwhHKw4pRbiMnGJIB3VR7KxoeYn7Nzx6geQNieDtxpRc8yOatEgcbFr92xWBwtGNHvzKcsgBjtJShTkW0x7OYeQuaq1D7NkCljlxLC955RWlKfgTMnGJCvdMWdo2IDl2ZSMARFRM1A1hsNE9wfEJ1AWpBW8eg9d9VO8LsYxsyxJkm9QCNyDmu3Yp0cGipOdcVZFTv7r2QqlczbOlJrIdtFDDSiVh69t179UBekC5LYgk05GSvn6Y3IBU1va6DE7JMj1kW55Ukp3p5VUr1StIsnIYxOBaUkXUEXdz1itlIwLMrEcrwG9Y3RVzEwKyQGstDF3DYvZF2JrsnDTTj2RlTLVxhF57kwzYbBA07zP8ifAGTtybvoxn0sUq7Zwrv6oHGZRNyFUQVtvNX4ZrsvOCXI24HyucDTUjRK6ppejtK7pO5QfAERwmTA3r4f5X9nOStchsrBWbHkZLaekO6RaZrcpvrtrARerkqJNRjI231Lce61kXainnHSPaio2wQlXy9ORQPRSQB55H6oDfGDnRry0PzGFVCc3p4TeVL4vP8cVwP0bPNzFd8P3GuHB7UEwXwKRhOm6Wy1rnaDbXbRaiFcZ0TAfMdMJKvA1jW7eu7GSgi3duTnNyzLIslYezJYiexjytqMXxsOOKR1eKn1iXMp7YDFGAYU8hsAHdxdGl1pb2EWpEdlpdLwanbQY9K5qbE7pbk5wluIm8DLMR7a4RHeeS5b1PgqVxp6RuCbZjy7XjSOq3RhJ6vB0HBYX1YSynYoRzAQT9WPrOCRQt9zyD0IkKFgLC9j6HQEhGwpClRpYIfrQOZsYHMIl3tYbMXgtNVKsr05MtKHJaxw0uQMbaPE9p5gSSaCkBLonLS7sAgZ7pYAeJLpxoyxODNGuXhOy3cVN41fEgdKGbjUV5jstRZgtLWYIdLfgY0320hFqvo6GIBNi3f01wCMsztFkJViSYj2fYsLmxr5x2RP47Z5CAQ40jJu2EMUC6VR4nCpV3tr4kf8qdb2O16YjPslsee4j0VmwwMqyfRCA7JkU29V87eWyznNNr7XlstSeTptK23RK3aE5jzbpN7YmuK0VQ6giy8wrxay31i6bX0vvkUhqSDUBMPrS5JpbfQJf1gh2zncvwHQBggsUa4GZux4dXfsMYHNeZONl1hSIgHixYLr8O77iE0vAoYmlF9ADWmZWDQDUxWruGTCuIMDRhceeyATG0wCwvx0la3T6umMmYflF2ZwiaLxJkqpuW1ry9MIbEOF1z2ZPnDRl00wUGee6EI2EIscRdV2SIHShJQ66tWrC5XwLaKQOsRsajF1wz3ngKfxs5DyyzZ0DVGo6peUS6m2o12Uz5hPOxmgBZP0yNibIZzOnNHeS3gf3h0Clrr0YNpzMeIj11uJZ4wlQdAHgQXj86VtxlDu933VgKdhKIILw4BKEiueiCkc5RyHlHJnB8PgSxgAhMDTvhavMpNnKsBx0WeTjPSqD8h0nRr0ujFMu0xUWUDWmdtv9HnrveS8m0hKITu2xfwGNpCH2x3exnGVPb0GivPAePi8ijEyQkleX2gt5vtCS0wGkFlDaacoZuvhO0PEu0Sqb9UfDnRuwmaR2vtbFGAEa5VYeKCIUt95C2keoaIVxTLyneK3UjH4oB2DkDkd7siIuCWTMENjwySUMBXGVDJjeKWzmgMtI5acG75sLSMgqDabe8R0LAsZjoxGEj0mnjy4qDwavhqVVB79IYisxKrR8YxLhG8FFIpiezNwHqANziKRLhAb8I0EtqkA5jfNIx2hjxg1XRNv0xlUOW6WDeA7EUGJdWwWsxcM4tMkyvu6QnULtPoHpulia4v6zry6Dj0759rDDVItiCeLrDrQ8M8hQDno4WuHeDOjMeWp9ESqf7aGJCvQoD8dgvCjq61EJOYu3TTaxLBMRMsznYoMBvZRAaqGb5oZ2T1ULbqwMcmxFWVDjGdPF4PfefVpjjokbodXAEslRPTvKO94ulT9pInDXi3fBqzNPNJorbKh1DNKqVOVgG3FnqijIkzjK86zVPXl1GD1ipKJkxDAdGeA6xUORs8BAd0v26Q2Ms35SMNbjqMw617bx1nt8Y3k8xlcnnZQp3IbQTvgF2mF8xb9xyBEwDYDajQyHPn7R6iHYNXCPjhXRs5n1F2wi0si1Oo6Ftolrbi4BkWrMPMERiWQro9qo8dMdSeBdFMwJL83HzOGoAkeSf4iDbJ2jXOwP383IUyqFFslef1CQkQHATd5JenF3Tu51wMU5byKDTYTUzIeppOhp2m8gJNiCgmCM8vRj4AWWxPQ7x4vWSNkT9s9RersuN4gVz7dCG0ydY ... (truncated)

Detection

ClamAV: No threats found

Obfuscation or payload: likely

Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 42 long base64-like blob(s).

Preview script

First 1,000 lines of the extracted script

function xnK(hNF){ /*0JbX3QOhijqOPBfpe8A8vomFJQHpsGqBpCysrlKJFaxtLNSUr7pPt4yjLYLromRUiqf20UcHmXteWmF2MuvQ3OA1y1oVRnP0O4bYXnFjj8xfucgfHL5KzFK8F92wwQFkUQhRcX0w4HLyU2OANTklx5sbctHIjm3cbk4ogcUkUFTNGGnsyHN6LfgYJYG2kIev2hUhuNCorua80yzIemNC4Xk2CmljBRlTKCnxeLZIW6RtFzI2lHDpDYqejMyVCTNmv0TJVSqQYhjDQ1EbHhAjfyyM6snYfJsoCajuA9rSr4HrIS8sresZNd4fA2ujtTWEbpekR6MVMcCEkC6MQxKCLOSkPlEidAWpZaJQfuK2HlF2YLNNixp3kgn0C1rQBnezyYoNs9O0ttaqdXdwuDyOUVYvWpkwMz6jxu7CV96niwBfK7JmFxfAuLvT62FE8ZbC5aeZijmBQXRz4zWI7ahAVNs1P7FX6Qy0M9i6uTWrJuvipdoAvZvhqv7x03CZBMZnUgso0nQTSkbgyAR3yljYQqvs7Y4SXqMdSamff8kqnS1eUyzdvpD1o67m9ZizKvrVSGU8Ndya6ypZ6YbBmPBLVI74GpCqU3kMJeUwsrHx6v53HGpwg0qZguEF65z8pkRDdm5F3BE87JaNoAjFKKDdhEilcqLxgnLDrpF34N9MYWaxeQgYsgbKUu67UQDacnNENsGQfOCdKNKZC1X4g8OaBTgvIUFVhsy4VeU03vmMi7KU8GXnNLyoDOTlIxfZO2U2W44rpQJwzCDfz13jzqWmig5Qw3Qj5JlMpqbe9IOLk3jl6CUvygOPkEkntErbZqYoR0CRqKbs3wyFq3cGR11ulnXZO9Ye6l5eX46mNgPQMnubpGSfHTK2fG4OXhUim9eqdBdtq3eNwqccisTabUqRUtFRLy98GnxTZKlpNAcj1ovjRot2iUTcnx386beMyMExwWiA8CBw8UmvnoOggDN2LTdEMLhihheASmbsSileOJCBZTACFCnyPmbA8tToK7ZCs04kspzf8bQ74qIJ25gQrrqyViXFoVgR5jbwIKLPWBVZ1DH3IYS9oiGjADYZxdPBw18eKT4FtZEuBkwjiorHG8fKXeh03SG3ZVNRYskW6PwqkQJIgponoE8kSouVgaXf5K72crXhftIziqhzPGXdj5yas35Jc2YhM5jYvffKJXj2nABcgxpzBXK4PMbQKtBPMzj2O4LKmM8XnjcUJMvGvzFjlR05jLU5jc67fQRCCYyZhKTvoG1XkjhbsmucfzvsFCHvsi8pR6HBZG6nl6jGpBRRYl4cUzFzal4CEa2vgI6eoaCKgVqGwgxtCAGv0k5jG8WkhYPxFUM45nNlic1Ptxh58XAghEAXMwg3t5A8Zmb3KYn2aoQEW8J35ijlXUiIpyLTDl1CHbEq02sjpiYkqGnuZHQWA8EGoSiKSVq3yRcAjvBtk29Iv7ok3ZsGY84QqNIkdLT5XsnssZVM3uv0SPbRhRPoVEOIm9W713tmuVloHkraPB3EMTVDIiyl7fHebOfaQIxjDSIkb0v1KyEwrz99SGuYWac7YrhO0O8NGP7SZCSI0wdA5mIW2bUYm65kxl9H0ftP5AG3bxKl3YV8jD3lPWib2mwyIEeRTIFXhltTKOWHJ3m6ka1Dm3ZSAGvPxowclOxkgq44lKMoK8t5iuHFwFw7l2VTqr5LeC5u29ynTkLCsdGKImpd2VjnXefmFk8UWcnXkWjdf5PHhvrSQcULwhHKw4pRbiMnGJIB3VR7KxoeYn7Nzx6geQNieDtxpRc8yOatEgcbFr92xWBwtGNHvzKcsgBjtJShTkW0x7OYeQuaq1D7NkCljlxLC955RWlKfgTMnGJCvdMWdo2IDl2ZSMARFRM1A1hsNE9wfEJ1AWpBW8eg9d9VO8LsYxsyxJkm9QCNyDmu3Yp0cGipOdcVZFTv7r2QqlczbOlJrIdtFDDSiVh69t179UBekC5LYgk05GSvn6Y3IBU1va6DE7JMj1kW55Ukp3p5VUr1StIsnIYxOBaUkXUEXdz1itlIwLMrEcrwG9Y3RVzEwKyQGstDF3DYvZF2JrsnDTTj2RlTLVxhF57kwzYbBA07zP8ifAGTtybvoxn0sUq7Zwrv6oHGZRNyFUQVtvNX4ZrsvOCXI24HyucDTUjRK6ppejtK7pO5QfAERwmTA3r4f5X9nOStchsrBWbHkZLaekO6RaZrcpvrtrARerkqJNRjI231Lce61kXainnHSPaio2wQlXy9ORQPRSQB55H6oDfGDnRry0PzGFVCc3p4TeVL4vP8cVwP0bPNzFd8P3GuHB7UEwXwKRhOm6Wy1rnaDbXbRaiFcZ0TAfMdMJKvA1jW7eu7GSgi3duTnNyzLIslYezJYiexjytqMXxsOOKR1eKn1iXMp7YDFGAYU8hsAHdxdGl1pb2EWpEdlpdLwanbQY9K5qbE7pbk5wluIm8DLMR7a4RHeeS5b1PgqVxp6RuCbZjy7XjSOq3RhJ6vB0HBYX1YSynYoRzAQT9WPrOCRQt9zyD0IkKFgLC9j6HQEhGwpClRpYIfrQOZsYHMIl3tYbMXgtNVKsr05MtKHJaxw0uQMbaPE9p5gSSaCkBLonLS7sAgZ7pYAeJLpxoyxODNGuXhOy3cVN41fEgdKGbjUV5jstRZgtLWYIdLfgY0320hFqvo6GIBNi3f01wCMsztFkJViSYj2fYsLmxr5x2RP47Z5CAQ40jJu2EMUC6VR4nCpV3tr4kf8qdb2O16YjPslsee4j0VmwwMqyfRCA7JkU29V87eWyznNNr7XlstSeTptK23RK3aE5jzbpN7YmuK0VQ6giy8wrxay31i6bX0vvkUhqSDUBMPrS5JpbfQJf1gh2zncvwHQBggsUa4GZux4dXfsMYHNeZONl1hSIgHixYLr8O77iE0vAoYmlF9ADWmZWDQDUxWruGTCuIMDRhceeyATG0wCwvx0la3T6umMmYflF2ZwiaLxJkqpuW1ry9MIbEOF1z2ZPnDRl00wUGee6EI2EIscRdV2SIHShJQ66tWrC5XwLaKQOsRsajF1wz3ngKfxs5DyyzZ0DVGo6peUS6m2o12Uz5hPOxmgBZP0yNibIZzOnNHeS3gf3h0Clrr0YNpzMeIj11uJZ4wlQdAHgQXj86VtxlDu933VgKdhKIILw4BKEiueiCkc5RyHlHJnB8PgSxgAhMDTvhavMpNnKsBx0WeTjPSqD8h0nRr0ujFMu0xUWUDWmdtv9HnrveS8m0hKITu2xfwGNpCH2x3exnGVPb0GivPAePi8ijEyQkleX2gt5vtCS0wGkFlDaacoZuvhO0PEu0Sqb9UfDnRuwmaR2vtbFGAEa5VYeKCIUt95C2keoaIVxTLyneK3UjH4oB2DkDkd7siIuCWTMENjwySUMBXGVDJjeKWzmgMtI5acG75sLSMgqDabe8R0LAsZjoxGEj0mnjy4qDwavhqVVB79IYisxKrR8YxLhG8FFIpiezNwHqANziKRLhAb8I0EtqkA5jfNIx2hjxg1XRNv0xlUOW6WDeA7EUGJdWwWsxcM4tMkyvu6QnULtPoHpulia4v6zry6Dj0759rDDVItiCeLrDrQ8M8hQDno4WuHeDOjMeWp9ESqf7aGJCvQoD8dgvCjq61EJOYu3TTaxLBMRMsznYoMBvZRAaqGb5oZ2T1ULbqwMcmxFWVDjGdPF4PfefVpjjokbodXAEslRPTvKO94ulT9pInDXi3fBqzNPNJorbKh1DNKqVOVgG3FnqijIkzjK86zVPXl1GD1ipKJkxDAdGeA6xUORs8BAd0v26Q2Ms35SMNbjqMw617bx1nt8Y3k8xlcnnZQp3IbQTvgF2mF8xb9xyBEwDYDajQyHPn7R6iHYNXCPjhXRs5n1F2wi0si1Oo6Ftolrbi4BkWrMPMERiWQro9qo8dMdSeBdFMwJL83HzOGoAkeSf4iDbJ2jXOwP383IUyqFFslef1CQkQHATd5JenF3Tu51wMU5byKDTYTUzIeppOhp2m8gJNiCgmCM8vRj4AWWxPQ7x4vWSNkT9s9RersuN4gVz7dCG0ydY
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.