Nemucod — PDF malware analysis

Static analysis result for SHA-256 8ab04e4a004ac29a…

MALICIOUS

PDF

Size: 126.1 KB
Authoring application: PyPDF2
MD5: c4d2e8e6fdfc4656406c5a257289d741
SHA-1: 54e597eee985297187b8da338a4349e61fcc81b8
SHA-256: 8ab04e4a004ac29a4d81ecd8af3721929426f422f3f768e3a31986695482adea
Risk Score: 226

Malware Insights

Nemucod · confidence 95%

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV with the signature Txt.Downloader.Nemucod-6769573-0, indicating it is a Nemucod downloader. Heuristics confirm the presence of embedded JavaScript with eval() calls, suggesting code execution. The extracted JavaScript artifacts, though obfuscated, are consistent with the typical behavior of Nemucod, which is to download and execute additional malicious payloads. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9888

Heuristics (6)

  • ClamAV: Txt.Downloader.Nemucod-6769573-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Txt.Downloader.Nemucod-6769573-0
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • eval() call [high, PDF_EVAL]
    eval() found; commonly used for obfuscated exploit execution
  • Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action [low, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0054_000.js
    SHA-256: 1fd2e692e922a540bffe9441b909eb465174c37a03c3b9087b268764442341df
    Kind: pdf-javascript-stream
    Source: PDF /JS object 54 at offset 0x4ABE
    Size: 17479 bytes
    Detection: ClamAV: Txt.Downloader.Nemucod-6769573-0
    Obfuscation or payload: likely
    Carved artifact contains 48 eval/decoder/string-building token(s). Carved artifact contains 2 long hex-escaped blob(s).
  • Filename: javascript_obj0054_001.js
    SHA-256: 911e35fb203654e4133e341ffbc256107d8a94a4fcb4612071d8e1c4ba3c5882
    Kind: pdf-javascript-stream
    Source: PDF /JS object 54 at offset 0x4ABE
    Size: 737 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).