Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a67448aa343977e…

Verdict: MALICIOUS
File type: PDF

Size: 11.5 KB
Created: 2011-01-19 22:29:24 +03:00
Authoring application: w___A9 (via 8f02e3fa67)
MD5: bb242ef990b347ae0ad0ca9b71494d78
SHA-1: 36f4d33a83b67877f4096da99dd3cd13a8136763
SHA-256: 6a67448aa343977e8c8ace589393246071275c9a2a5e796a751f9710d6292671
Risk Score: 164

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file contains multiple JavaScript streams, with one stream utilizing eval() and String.fromCharCode() for obfuscation and execution. This indicates an attempt to execute arbitrary code. The script `javascript_obj0015_002.js` directly calls `app.doc.eval(ACR_R1__(rdVmK__(TruW62_), 'bPh___J'))`, which is a strong indicator of malicious JavaScript execution within the PDF. The specific values 'GA__LEJ' and 'bPh___J' are likely deobfuscation keys or identifiers used by the script.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (7)

  • PDF JavaScript exploit cluster (severity: critical, rule PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call (severity: high, rule PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (severity: low, rule PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • Optional Content Group with action trigger (severity: low, rule PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger; content can be selectively hidden from viewers or scanners while the action still fires on open.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0011_000.js
    SHA-256: 01489f2e6f1188723d2d2584e634a005a30cd948f2dc03f19d04db9729a2b5b3
    Kind: pdf-javascript-stream
    Source: PDF /JS object 11 at offset 0x24A3
    Size: 1101 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s))
  • Filename: javascript_obj0013_001.js
    SHA-256: 76ee1508ebab8f6f7f7cb3ca456aa81f043bbdced931296b22963203bff3ff4a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 13 at offset 0x2734
    Size: 502 bytes
  • Filename: javascript_obj0015_002.js
    SHA-256: 64611ff7ff747bec802daa2493caf51c28f4d128efca70d252e7e7f74d150dd4
    Kind: pdf-javascript-stream
    Source: PDF /JS object 15 at offset 0x28D5
    Size: 148 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))