Txt.Downloader.Nemucod-6769573-0 — PDF malware analysis

Static analysis result for SHA-256 6a7228bc3f650846…

MALICIOUS

PDF

25.6 KB Authoring application: PyPDF2
MD5: 0ebec0b8e370f124f70a95c122041539 SHA-1: e5ccefff84373a8e980c26b6b630a318511194ae SHA-256: 6a7228bc3f65084691b219c93715a2fdd3fd8ebb615df85dc75ef56199d38be9
296 Risk Score

Malware Insights

Txt.Downloader.Nemucod-6769573-0 · confidence 95%

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript that utilizes eval() to execute obfuscated code, a common technique for downloading and running secondary malware. The ClamAV detection of Txt.Downloader.Nemucod-6769573-0 further supports its malicious nature. The script's primary function appears to be downloading and executing a second-stage payload from a remote source.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 9

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Txt.Downloader.Nemucod-6769573-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Txt.Downloader.Nemucod-6769573-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI low PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.fincen.gov/news_room/nr/html/20120223.html

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0004_000.js
57078df30e9338064fcb74be6ebcc8197eed31c6917e2c42bfd4dcc47cdf7094		 pdf-javascript-stream PDF /JS object 4 at offset 0x199 17147 bytes
Detection
ClamAV: Txt.Downloader.Nemucod-6769573-0
Obfuscation or payload: likely
Carved artifact contains 48 eval/decoder/string-building token(s). Carved artifact contains 2 long hex-escaped blob(s).
javascript_obj0004_001.js
b9f43901318baef918c7feb33f46b3d32639bca58bd471b499469c5f5f71f59b		 pdf-javascript-stream PDF /JS object 4 at offset 0x199 737 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.