MALICIOUS
Risk Score: 110
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript that displays an alert box to the user, prompting them to download a newer version of Adobe Reader from a specific URL. This is a common lure to deliver malicious content. The ML classifier also flagged the PDF as malicious, supporting this assessment.
Machine Learning
- Nyx PDF Classifier malicious score 0.7502
Heuristics 6
- Payment redirection / bank-detail change lure | high | SE_PAYMENT_REDIRECT_LURE: Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions, a high-value business-email-compromise pattern.
- Callback phishing phone lure | medium | SE_CALLBACK_LURE: Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
- JavaScript action | low | PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream | low | PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL | info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.adobe
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/t/pg/
- http://purl.org/dc/elements/1.1/
- http://www.adobe.com/products/acrobat/readstep2.html
Extracted artifacts 30
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| javascript_obj0002_000.js | 16349adf2fe4b8cd1b7f4b54d811d6bf976f834574bd0a36363f4abf99239587 | pdf-javascript-stream | PDF /JS object 2 at offset 0x38D | 1074 bytes | |
| javascript_obj0052_006.js | 811b37cc5d88d3fdcaf17a71101e986209e76be21f7722fe32d445f643b23343 | pdf-javascript-stream | PDF /JS object 52 at offset 0x2DC4 | 38 bytes | |
| javascript_obj0281_009.js | 15162f6ae56cf1ac28ac4871ac1ecacf94bcaaf3fa68ff10d4cc21be443f358f | pdf-javascript-stream | PDF /JS object 281 at offset 0x7E8D | 1145 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 7 eval/decoder/string-building token(s). |
| javascript_obj0283_010.js | 39beac7c82470073090a12dfa18db090713df8d8ac2763a2bfcbee11274d4c91 | pdf-javascript-stream | PDF /JS object 283 at offset 0x80F7 | 10876 bytes | |
| javascript_obj0285_011.js | 5ec8da76d676dd333bc8ae2a2b98bd60646eae47a844f31637cc139b78f5cd8d | pdf-javascript-stream | PDF /JS object 285 at offset 0x8E3A | 2092 bytes | |
| javascript_obj0287_012.js | d5d0891ac1be81c8b752a442b23cdfbad6371db80f2267f442e29ccfc8c6382e | pdf-javascript-stream | PDF /JS object 287 at offset 0x9146 | 6836 bytes | |
| javascript_obj0289_013.js | 808c684c6f98ffc90cd194b3ff2b549c296c326f9d54dd9bf7f206ccedbd9e39 | pdf-javascript-stream | PDF /JS object 289 at offset 0x9AE3 | 2390 bytes | |
| javascript_obj0291_014.js | a039de835df1ab680c5a3f7bd1726b4dc29e82f2df86dc93164a5f7efbdd5927 | pdf-javascript-stream | PDF /JS object 291 at offset 0x9EC1 | 1025 bytes | |
| javascript_obj0293_015.js | 226170ae4d62738ffdc38d6b7e43baddcf809a49a2e76510fd0024ff738fc933 | pdf-javascript-stream | PDF /JS object 293 at offset 0xA098 | 4127 bytes | |
| javascript_obj0295_016.js | f5a7524363feab60bcd065e260fff4530d695e7b3c0bfd8e2349afc46cec93af | pdf-javascript-stream | PDF /JS object 295 at offset 0xA506 | 14143 bytes | |
| javascript_obj0297_017.js | 32f13d6810aaac911a7297ba6547ca053adae371d4f67923a82a16ea3add4311 | pdf-javascript-stream | PDF /JS object 297 at offset 0xB26F | 4603 bytes | |
| javascript_obj0299_018.js | 2f2260d8118df1fc15df2d4361befc0ff2dcb186a26d4b2b960511fa49cf7877 | pdf-javascript-stream | PDF /JS object 299 at offset 0xB86B | 6492 bytes | |
| javascript_obj0301_019.js | ae82ed22803c9e2d4c6c211368e684ed61e15325bc676bdddf7bfe1d26a3a323 | pdf-javascript-stream | PDF /JS object 301 at offset 0xBF2E | 5759 bytes | |
| javascript_obj0303_020.js | 2f1d2f81f4c0e6c201815c4dff2998d050938e468e266f952d6cd7e47be7af88 | pdf-javascript-stream | PDF /JS object 303 at offset 0xC57B | 3846 bytes | |
| javascript_obj0305_021.js | f05a3274e14309fddc36e40be085291b430104e4cd863344960286729fba7d77 | pdf-javascript-stream | PDF /JS object 305 at offset 0xC8F1 | 15171 bytes | |
| javascript_obj0307_022.js | 0b6171df8a6be876f38828ae9322e6ed747a10b5bf079bedf6f66e5da9b17108 | pdf-javascript-stream | PDF /JS object 307 at offset 0xD159 | 10307 bytes | |
| javascript_obj0309_023.js | 660f0723b15e067dc5838d774049ffda080516883f4b6466bb15719767f07303 | pdf-javascript-stream | PDF /JS object 309 at offset 0xDBCA | 15259 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s). |
| javascript_obj0311_024.js | c2bfe103a3a103be980fc232a180611fcfba7933caf36f0098fca28b89d3b679 | pdf-javascript-stream | PDF /JS object 311 at offset 0xEB7B | 8700 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |
| javascript_obj0313_025.js | 6ee4de61433432f8dff05013f06fc4fe4989e3638131af8674fd9ec6d4f0c0be | pdf-javascript-stream | PDF /JS object 313 at offset 0xF579 | 2496 bytes | |
| javascript_obj0315_026.js | c31eeeb9c92904fcd0459674942933b43ec40c8369976d36c9f1571c45490b50 | pdf-javascript-stream | PDF /JS object 315 at offset 0xF96A | 8949 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s). |
| javascript_obj0317_027.js | 598c150946bfd63a5cefc1efbcd70b5920b5867b573a651adef728dacc2ff2fc | pdf-javascript-stream | PDF /JS object 317 at offset 0x103B6 | 4577 bytes | |
| javascript_obj0319_028.js | 24bdaec4f0d2bf33a0078a965387bd925598665f7d32081d087f48f0c89d4117 | pdf-javascript-stream | PDF /JS object 319 at offset 0x1098A | 5568 bytes | |
| javascript_obj0321_029.js | 1edd5a7fec012ca89e3a39b1d23bdca911db91765e5448b7b452df2a1938ee5f | pdf-javascript-stream | PDF /JS object 321 at offset 0x10C61 | 1169 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). |
| javascript_obj0323_030.js | 8ca1586335ea7d079d968ae379ff6e7074d53dc7bb9ec034033167ee30460c83 | pdf-javascript-stream | PDF /JS object 323 at offset 0x10E9B | 13320 bytes | |
| javascript_obj0325_031.js | 749efdf836b1db0dfe2710169a872372683116f459d9763df69283bd344076e2 | pdf-javascript-stream | PDF /JS object 325 at offset 0x11A83 | 2437 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |
| javascript_obj0327_032.js | e3831b8f9a2e9f95f9dea18a0132d9b901dbdaca1fa318d9e74a1c577a561cc7 | pdf-javascript-stream | PDF /JS object 327 at offset 0x11E32 | 6855 bytes | |
| javascript_obj0329_033.js | 393a1e44d83e2715020ab13ba04dc52f74e5041e8cc275186c38ff94a09e34e8 | pdf-javascript-stream | PDF /JS object 329 at offset 0x125FC | 12191 bytes | |
| javascript_obj0331_034.js | 1c92daff8ccee007f82ded39a38c5381d7f93ec928271ae35f799dd933776470 | pdf-javascript-stream | PDF /JS object 331 at offset 0x12CBD | 13141 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |
| javascript_obj0333_035.js | ca7e0a936815983c0ecb47f54e5479a98ed99b52b2a3cb24bae5f3dd63239626 | pdf-javascript-stream | PDF /JS object 333 at offset 0x13769 | 10308 bytes | |
| javascript_obj0335_036.js | 893c6431809ae49dda3f8f30610d5b8f4535f7866491bffa5b9e38187aaddea7 | pdf-javascript-stream | PDF /JS object 335 at offset 0x1433A | 166 bytes | |