Nemucod — PDF malware analysis

Static analysis result for SHA-256 97587a93b8842f4e…

MALICIOUS

PDF

131.4 KB Authoring application: Acrobat040PDFMaker04080561040for040PowerPoint (via PyPDF2)
MD5: facab9d1ba68c680cfc60332067c4bee SHA-1: 3ec03a22e5f565ae98b7cefdc33538de07080087 SHA-256: 97587a93b8842f4e88a295697ad0a1a764bfcb85f75255795804b843f2740806
342 Risk Score

Malware Insights

Nemucod · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1071.001 Web Protocols

The PDF file contains multiple high-severity heuristic firings related to embedded JavaScript, including ActiveX downloaders and eval() calls, indicating malicious intent. The ML classifier and ClamAV detection strongly support this, identifying the file as Win.Downloader.Nemucod-6769668-0. The embedded JavaScript, particularly the deobfuscated acroform_b64_00.js, likely attempts to download and execute a secondary payload. The presence of a User-Agent string 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)' within the obfuscated script further supports the downloader functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9939

Heuristics 10

  • ClamAV: Win.Downloader.Nemucod-6769668-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Downloader.Nemucod-6769668-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF JavaScript ActiveX downloader high PDF_JS_ACTIVEX_DOWNLOADER
    Decoded PDF JavaScript instantiates Windows ActiveX/COM objects to download a payload over HTTP, write it through ADODB.Stream, and execute it through WScript.Shell/rundll32-style process launch. This is commodity downloader behavior rather than a specific Acrobat CVE trigger.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0083_000.js
291a545f1f0635fa3a5b4107c46f3d934ff47953e0dcf04c7acf939b6bcb5e2d		 pdf-javascript-stream PDF /JS object 83 at offset 0x6891 13202 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
javascript_obj0083_001.js
5f51c0aec5fcd0c1622819b5be3e2b043357964617b676275245514efda4120f		 pdf-javascript-stream PDF /JS object 83 at offset 0x6891 7780 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
acroform_b64_00.js
a7132ec71d3510814e863e1380172dfc7fbf035bd25b7ba6ab73f2bfa2adf99c		 deobfuscated-js PDF AcroForm base64 (raw) at offset 0x6B18 5327 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 1 eval/decoder/string-building token(s).
embedded_pdf_script_0000adb9.bin
66654040e3d113f425c7c5db8fc09e6446ccc45fab7dd8d3a33d91a2ea7a04bf		 pdf-embedded-script PDF decompressed stream script payload at offset 0xADB9 134570 bytes
Detection
ClamAV: Win.Downloader.Nemucod-6769668-0
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.