Malicious PDF — malware analysis report

Static analysis result for SHA-256 8fb382a32469e238…

Verdict: MALICIOUS
File type: PDF
Size: 4.8 KB
Created: 2010-08-01 07:24:26
Authoring application: Xogouueiydke (via 12ca7 bawoxelo)
MD5: dc7ba32d59082cb4f2ef5eb5affafced
SHA-1: c3a22168d875ca7d5caa3b7770a8fb3864b68812
SHA-256: 8fb382a32469e238ab9859e597f26e16e1b22727f9e3e95bad58f779211d249e
Risk score: 88

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF contains embedded JavaScript, indicated by the 'PDF_JAVASCRIPT' and 'PDF_JS' heuristics. The high-severity 'PDF_PAGE_WORD_XOR_EVAL_STAGER' heuristic identifies that script as a stager: it reads the rendered page words back through the Acrobat JavaScript API, XOR-decodes them into a second-stage script and executes it with eval, so the real payload is not visible in the clear. The ML classifier flags the PDF as malicious with a score of 1.0000. No document body text was available for analysis, which is consistent with the page words being an encoded payload rather than readable content. The second stage itself was not recovered, so what it does once executed (for example, whether it fetches a further payload) can only be established by decoding the stage or by dynamic analysis.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (4)

  • Page-word XOR JavaScript eval stager [high] PDF_PAGE_WORD_XOR_EVAL_STAGER
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0011_000.js
SHA-256: f8d11a8a79f2a0d1dc2add0164dae101f7de12d40f0f67c3614e7038541b189d
Kind: pdf-javascript-stream
Source: PDF /JS object 11 at offset 0xE63
Size: 530 bytes
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely
  • Carved artifact contains 1 eval/decoder/string-building token(s).

A clean signature-engine result on a 530-byte obfuscated stager is expected rather than reassuring: the decoded stage never appears on disk, so there is little for a byte-pattern signature to match. The verdict therefore rests on the behavioural heuristics and the classifier score above, not on the AV result.
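As an added worked example, not part of the original report or of the engine that produced it, the following Python script reproduces the logic behind the heuristics section and the artifact triage above on a constructed PDF: it carves the /JS stream, fires PDF_JAVASCRIPT, PDF_JS, PDF_PAGE_WORD_XOR_EVAL_STAGER and EXTRACTED_FILE_STATIC_TRIAGE on the conditions the rule descriptions give, counts decoder tokens, and shows how an analyst recovers the XOR-keyed stage from the page words without evaluating it. The sample PDF, the stager and form scripts, the token lists and all function names are constructed assumptions; the real engine's parser and scoring are not on the page.

```python
"""Static triage of a PDF for the rule family in the report above (added example).
Constructed sample data and assumed rule logic; not the real engine. Only /JS keys
that reference a stream object are handled (direct /JS (...) strings are not)."""
import re
import zlib

# Constructed stand-in for the page-word XOR eval stager pattern: the rendered page
# words carry the hex-encoded, XOR-keyed stage; the script reads them back with
# getPageNumWords/getPageNthWord, decodes via fromCharCode and evals. Pattern
# sketch for detection testing, not an exploit.
STAGER_JS = b"""
var n = this.getPageNumWords(0), s = "";
for (var i = 0; i < n; i++) s += this.getPageNthWord(0, i, false);
var out = "";
for (var j = 0; j < s.length; j += 2)
    out += String.fromCharCode(parseInt(s.substr(j, 2), 16) ^ 0x5a);
eval(out);
"""

# Constructed benign form script: should fire only the generic low rules.
FORM_JS = b'this.getField("total").value = this.getField("a").value * 2;'


def build_pdf(js: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF: /OpenAction -> /JavaScript action -> /JS stream.
    No xref table, so it is carvable but not a strictly valid file."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj",
        (b"5 0 obj << /Length %d %s>> stream\n" % (len(body), filt))
        + body + b"\nendstream endobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def carve_js_streams(pdf: bytes) -> dict:
    """Return {object number: decoded script bytes} for each stream a /JS key references."""
    refs = {int(n) for n in re.findall(rb"/JS\s+(\d+)\s+0\s+R", pdf)}
    carved = {}
    for m in OBJ_RE.finditer(pdf):
        num, s = int(m.group(1)), STREAM_RE.search(m.group(2))
        if num not in refs or not s:
            continue
        hdr, body = s.group(1), s.group(2)
        carved[num] = zlib.decompress(body) if b"/FlateDecode" in hdr else body
    return carved


# All four parts must be present for the stager rule, mirroring the heuristic text:
# page-word enumeration, char-code helpers, an XOR, and an eval.
STAGER_PARTS = [rb"getPage(?:NthWord|NumWords)", rb"fromCharCode|charCodeAt", rb"\^", rb"\beval\s*\("]
# Assumed token list for the "eval/decoder/string-building" artifact triage count.
DECODER_TOKENS = [b"eval(", b"unescape(", b"fromCharCode", b"charCodeAt", b"parseInt(", b"substr("]


def triage(pdf: bytes) -> dict:
    """Fire the report's rule IDs on one PDF; returns rules, carved streams and token count."""
    rules = []
    if re.search(rb"/JavaScript\b", pdf):
        rules.append(("PDF_JAVASCRIPT", "low"))
    if re.search(rb"/JS\b", pdf):
        rules.append(("PDF_JS", "low"))
    streams = carve_js_streams(pdf)
    tokens = 0
    for js in streams.values():
        if all(re.search(p, js) for p in STAGER_PARTS):
            rules.append(("PDF_PAGE_WORD_XOR_EVAL_STAGER", "high"))
        tokens += sum(1 for t in DECODER_TOKENS if t in js)
    if tokens:
        rules.append(("EXTRACTED_FILE_STATIC_TRIAGE", "info"))
    return {"rules": rules, "streams": streams, "decoder_tokens": tokens}


def find_xor_key(js: bytes):
    """Pull a literal single-byte XOR key out of the stager; None if the key is not a literal."""
    m = re.search(rb"\^\s*(0x[0-9a-fA-F]+|\d+)", js)
    return int(m.group(1), 0) if m else None


def decode_page_word_stage(words: list, key: int) -> bytes:
    """Recover the stage as the stager would (join words, hex-decode, XOR), without eval."""
    return bytes(b ^ key for b in bytes.fromhex("".join(words)))


def encode_stage_as_words(stage: bytes, key: int, width: int = 8) -> list:
    """Inverse of the decoder; used only to construct test page words."""
    hexed = bytes(b ^ key for b in stage).hex()
    return [hexed[i:i + width] for i in range(0, len(hexed), width)]


if __name__ == "__main__":
    for name, js in (("stager", STAGER_JS), ("form", FORM_JS)):
        r = triage(build_pdf(js))
        print(name, [rid for rid, _ in r["rules"]], "decoder tokens:", r["decoder_tokens"])
    key = find_xor_key(STAGER_JS)
    words = encode_stage_as_words(b"app.alert('stage')", key)  # constructed page words
    print("recovered stage:", decode_page_word_stage(words, key))
```

The point of the four-part stager rule is precision: a benign form script can legitimately call eval or fromCharCode, but page-word enumeration combined with an XOR and an eval has no ordinary document use, which is why the report scores it high while the generic /JavaScript and /JS rules stay low. The decoder is what an analyst runs on the real sample: dump the page words with a PDF text extractor, take the key from the carved script, and read the second stage instead of executing it.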