Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1ab9581259b3c95…

Verdict: MALICIOUS

File type: PDF

Size: 29.0 KB
Created: 2012-09-22 12:18:12 +04:00
Authoring application: Wordpress.com (via mPDF 5.0)
MD5: a32c4a3ca49b41da0ebb1b1bddbb2269
SHA-1: e6a4ad1a034f911947c05de617cef760f466da22
SHA-256: c1ab9581259b3c95918623e5823a421a5930d092a4b1223fcfafdf653e5cc673
Risk score: 106

Malware Insights

MITRE ATT&CK

  • T1059.001 JavaScript/JScript
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The ML classifier strongly flagged this PDF as malicious. The JavaScript stream was obfuscated using unescape(), suggesting an attempt to hide malicious code. The primary attack vector appears to be the execution of this JavaScript, which is likely designed to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • unescape() call (severity: high, rule: PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Suspicious extracted artifact (severity: medium, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0024_000.js
  SHA-256: be63095b36d2a7a6bb2354eee6ea8f866bd67eb57984a872fcac65a5a9d7a885
  Kind: pdf-javascript-stream
  Source: PDF /JS object 24 at offset 0x6C1C
  Size: 136 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).

Filename: stream_004_off000016a7.bin
  SHA-256: ded1520fd68b91798ef4502ba393be29e6762be445da6319489229b957e57958
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x16A7
  Size: 17756 bytes

Filename: font_01_sfnt_off000044b9.bin
  SHA-256: a8ed3909966b10c026f46212f55dce68c94667ce1ac039797d3ebfa1d644dacf
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x44B9
  Size: 17892 bytes