Nemucod — PDF malware analysis

Static analysis result for SHA-256 a8684007004ee142…

MALICIOUS

PDF

Size: 36.4 KB
Authoring application: PyPDF2
MD5: f11cb88743a74996cab43cf4529b8a98
SHA-1: 786ae86ab8a61e2da28cabd651b1155ceeab6be0
SHA-256: a8684007004ee142b7c26337ece84e1d4998b33bcddc393ad0ee2df6df75532f
Risk Score: 216

Malware Insights

Nemucod · confidence 95%

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.007 JavaScript

This PDF file was flagged by ClamAV as Txt.Malware.Nemucod-6780606-0, indicating it belongs to the Nemucod family. Static analysis revealed embedded JavaScript streams, one of which contains obfuscated code with an eval() call. This script is likely responsible for downloading and executing a second-stage payload. The presence of multiple JavaScript streams and the ML classifier's high confidence further support this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (7)

  • ClamAV: Txt.Malware.Nemucod-6780606-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Txt.Malware.Nemucod-6780606-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0004_000.js
    SHA-256: c13d7ea945b43177c127a0f1ffce99eb7ed3d88f915ac0b9172221a51a56771a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 4 at offset 0x17E
    Size: 1375 bytes
    Detection: ClamAV: Txt.Malware.Nemucod-6780606-0
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
  • Filename: javascript_obj0143_002.js
    SHA-256: 6ec6509be655ad55d7f043dd30a57424b3e40e0dcc056cf0d9c53cf4255c07fb
    Kind: pdf-javascript-stream
    Source: PDF /JS object 143 at offset 0x7FB3
    Size: 808 bytes