Verdict: MALICIOUS
Risk score: 130
MITRE ATT&CK: T1059.001 (PowerShell)

Malware Insights
The PDF file contains obfuscated JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_EVAL, and PDF_UNESCAPE. The ML classifier also flagged the PDF as malicious. The extracted JavaScript artifact, stream_012_off00012612.js, is likely responsible for downloading and executing a second-stage payload, a common technique for malware delivery. Due to the obfuscation, the exact download URL or execution method could not be definitively determined.
Machine Learning
- Nyx PDF Classifier malicious score 0.6101
Heuristics (6)
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
- unescape() call (high, PDF_UNESCAPE): unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- String.fromCharCode (low, PDF_FROMCHARCODE): String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
Extracted artifacts (8)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| stream_001_off00000513.bin | 56f452df7b83f0ed695ee9affcde3cf4220862739beb411277b1e547f0b0a627 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x513 | 65636 bytes | |
| stream_003_off0000e4d5.bin | a48fb7edde0e1a38516c51f75239d5cc349fe4bccd681dfe7fdadc3dbd62411b | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xE4D5 | 21917 bytes | |
| stream_012_off00012612.js | 902de42f282d38710854dd990f0206d488e393b043422e515f16b80ead87e65c | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x12612 | 156076 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 90 eval/decoder/string-building tokens). |
| objstm_3088_00.bin | 93924f5357147ee5a452ef2acf11925ba5b8cd7f538b7f4c49001f43dd942ad8 | pdf-objstm-decoded | PDF /ObjStm 3088 0 obj (inflated) | 31381 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs). |
| objstm_3089_00.bin | 2127998f3cb0bb4dfd9e06b3b786fc2f23f6216dd492c5efd9faa825570a23ae | pdf-objstm-decoded | PDF /ObjStm 3089 0 obj (inflated) | 20435 bytes | |
| objstm_3090_00.bin | bdb0f1afdad20ef9336951b8e88439aa0376a71261c23ed4381ca60260285b74 | pdf-objstm-decoded | PDF /ObjStm 3090 0 obj (inflated) | 21338 bytes | |
| objstm_3091_00.bin | ec663ee09a2efe57320ce5b6f3ab12e89791e561d921314d4e9b3193710aac84 | pdf-objstm-decoded | PDF /ObjStm 3091 0 obj (inflated) | 19865 bytes | |
| font_00_cff_off0000b4e9.bin | ca340ab24683d0160fac4c6274b951d8fb5acca7200e57c96246ed3f13e8abe3 | pdf-font-stream | PDF embedded font (cff) at offset 0xB4E9 | 19028 bytes | |