Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c6ee58d01f73108…

Verdict: MALICIOUS
File type: PDF
Size: 9.5 KB
Created: 2009-05-06 20:45:24 +08:00
Authoring application: DocuCom PDF Core Library
MD5: f5678b139a2eabd3423f95d47801eb79
SHA-1: ad1b35d8cf391d54677be6d037f779f775341a39
SHA-256: 6c6ee58d01f731083e1016d180a1d6a52b7909ba83e6c11a8abfbab179f3a373
Risk Score: 310

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that is heavily obfuscated and uses unescape() calls, indicating an exploit attempt. The critical heuristic firings for the PDF JavaScript exploit cluster and the ClamAV detection confirm its malicious nature. The JavaScript is designed to download and execute a secondary payload, as evidenced by the generic stage recovery scripts.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9988

Heuristics (9)

  • PDF JavaScript exploit cluster (severity: critical, rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Exploit.Agent-35646 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35646
  • ClamAV detection on extracted artifact (severity: critical, rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • unescape() call (severity: high, rule: PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Generic recovered JavaScript exploit stage (severity: high, rule: PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • javascript_obj0003_000.js
    SHA-256: 3a63aa1468610780740c9dc83aeeec5b08cb097e75c7162b2fbf08d5be27c95c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 3 at offset 0x883
    Size: 7299 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Carved artifact contains 4 eval/decoder/string-building token(s).
  • generic_stage_recovery_000.js
    SHA-256: 7e27c9dd3f52261d7c8018838b81bf9d134d85c09f1c213544554b371747af66
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize from JavaScript object 3 at offset 0x883
    Size: 5781 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Carved artifact contains 4 eval/decoder/string-building token(s).
  • generic_stage_recovery_001.js
    SHA-256: 5d41a6961f14341c702c65e133d441c8d420b9c7dbb42e1a9f08b42b606dd5c6
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize -> split-literal-normalize from JavaScript object 3 at offset 0x883
    Size: 5778 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Carved artifact contains 4 eval/decoder/string-building token(s).
  • generic_stage_recovery_002.js
    SHA-256: ee7394fb02b35ec856df28f2593b5311bb4a174dfa533c756dd1aa5818511382
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize -> percent-decode from JavaScript object 3 at offset 0x883
    Size: 5773 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Carved artifact contains 4 eval/decoder/string-building token(s).
  • generic_stage_recovery_003.js
    SHA-256: c50bc78d2ca0cbe32e2c9db770b8284aaf7cb60932d2f29852f21b4812b49681
    Kind: deobfuscated-js
    Source: generic stage recovery split-literal-normalize -> split-literal-normalize -> percent-decode from JavaScript object 3 at offset 0x883
    Size: 5770 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-35646
    Obfuscation or payload: likely
    Carved artifact contains 4 eval/decoder/string-building token(s).