Malicious PDF / .VIR — malware analysis report

Static analysis result for SHA-256 7c6e8f11d944ba21…

MALICIOUS

PDF / .VIR

4.9 KB
MD5: b859c5b288bf5859f22d9192635424f6 SHA-1: 25f8fc1e043997ad595ee3c95145871d7ca548cd SHA-256: 7c6e8f11d944ba216484ef13d8aa80a6014db281aae1d0f7a9c4cbb3c762698a
112 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File T1059.007 JavaScript

The sample is a PDF containing heavily obfuscated JavaScript designed to perform heap spraying via the creation of a large array of buffers (up to 0xD0000 bytes). The script uses unescape() to decode a large blob of shellcode and attempts to trigger a vulnerability through memory manipulation. No specific C2 URLs or second-stage payloads were extracted from the truncated scripts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9547

Heuristics 3

  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_000_off00000324.bin
1030e911e38f34c8c988d6c81d4986f38e202da90a2fc75d799f22b048653057		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x324 1779 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
generic_stage_recovery_000.js
df0a02cbf75119d9653fb5fab3afb407d460f1ca5bff66967ecfaedc3293810e		 deobfuscated-js generic stage recovery percent-decode from decompressed stream at 0x324 at offset 0x324 1741 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
generic_stage_recovery_001.js
ac1c6b6facb12e03bd53c3aed4b915ff582f1aa4d82fb2c29b7cdaf9c98e139e		 deobfuscated-js generic stage recovery percent-decode from decompressed stream at 0x34B at offset 0x34B 1234 bytes
generic_stage_recovery_002.js
1dc607dbb532ec0cc8e08755f9272a51188c5a3d3850304317c354f0884c1eca		 deobfuscated-js generic stage recovery percent-decode -> percent-decode from decompressed stream at 0x324 at offset 0x324 1735 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.