Verdict: MALICIOUS
Risk Score: 138
Malware Insights
MITRE ATT&CK
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The PDF file contains embedded JavaScript that utilizes eval() calls, indicating an attempt to execute arbitrary code. This is further supported by the 'PDF_JS_EXPLOIT_CLUSTER' heuristic. The script functions appear to be related to data formatting and validation, but the presence of exploit-related heuristics and external URLs suggests the primary purpose is to download and execute a malicious payload. The external URLs, particularly those related to PDFSmartForms, are suspicious.
Machine Learning
- Nyx PDF Classifier clean score 0.1998
Heuristics: 9
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Optional Content Group with action trigger (low, PDF_OPTIONAL_CONTENT): Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
- External URI (info, PDF_URI): PDF contains an external URL action
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts: 32
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| javascript_obj0015_000.js | 7eef98edd46b417aaf17f9dfd81fbf0411c4a38daa3b8eda5776cb41569ec025 | pdf-javascript-stream | PDF /JS object 15 at offset 0x7522 | 182 bytes | |
| javascript_obj0019_001.js | 262ea0863282e45ba7dcd8b1b8a39024fbb343e2852f7a61b0fc4387b208c757 | pdf-javascript-stream | PDF /JS object 19 at offset 0x76A7 | 226 bytes | |
| javascript_obj0024_002.js | b54acfc1a16f2e26299be20a84f9ad89f90247710e5e2d22a060c2b6bff9bc8a | pdf-javascript-stream | PDF /JS object 24 at offset 0x7896 | 74 bytes | |
| javascript_obj0034_004.js | 8b3f344e1eccedfb2cebbee9aa18243ad59fdaed87fcaecc51560d8bb3d0ebc2 | pdf-javascript-stream | PDF /JS object 34 at offset 0x7AA3 | 658 bytes | |
| javascript_obj0035_005.js | 9ae6308d4233375cc97032411e05f38eedb5d7da369bc6ea08182843fe752179 | pdf-javascript-stream | PDF /JS object 35 at offset 0x7C16 | 1060 bytes | |
| javascript_obj0036_006.js | 06fd975d3fc5be40d5b4aede4f06f916d9648be64be919a6ef24ef06c7b3a24d | pdf-javascript-stream | PDF /JS object 36 at offset 0x7DD7 | 575 bytes | |
| javascript_obj0037_007.js | 46ba931e413762748287576f37600ad4aad72574b7cd4ef42f5ea564fbe92421 | pdf-javascript-stream | PDF /JS object 37 at offset 0x7F20 | 710 bytes | |
| javascript_obj0038_008.js | 759fd9851380966d72453ca4e81650196a2771c911b1bc66afdc05b7459fab88 | pdf-javascript-stream | PDF /JS object 38 at offset 0x807B | 703 bytes | |
| javascript_obj0039_009.js | 3cb1d4c4242187880f8f07bca4e3e7f25bf81ce1c3fd4a99675f3a11368920d4 | pdf-javascript-stream | PDF /JS object 39 at offset 0x81CE | 713 bytes | |
| javascript_obj0040_010.js | fd99a9fbddbcbdada0bf8061406be62a6f1a98f216599d574d4adba24046596b | pdf-javascript-stream | PDF /JS object 40 at offset 0x8320 | 1872 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 8 eval/decoder/string-building token(s). |
| javascript_obj0041_011.js | f6176b301677eafad95a6ecc43494f6aa57f5ef84cf612ac155c9d820b4a02f6 | pdf-javascript-stream | PDF /JS object 41 at offset 0x857E | 1327 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |
| javascript_obj0042_012.js | 83626b9ba41da305f40e070bb6bd476619917bc71c12484c09e8f165a812b817 | pdf-javascript-stream | PDF /JS object 42 at offset 0x8792 | 1312 bytes | |
| javascript_obj0043_013.js | 2dd4d3ba8eac5098a9b6d0ac368ec95eccdfab7afda5bd32678442969f4182d3 | pdf-javascript-stream | PDF /JS object 43 at offset 0x8972 | 14985 bytes | |
| javascript_obj0044_014.js | f098bd02f4e5502464c1105a53b3304e272415ac8fb96f46c622383597ad7fb1 | pdf-javascript-stream | PDF /JS object 44 at offset 0x9F42 | 1433 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |
| javascript_obj0045_015.js | e6d858d5b681d175975cae8d44c6e13804d20c7c5d04aa9ee065f1b637d06e9c | pdf-javascript-stream | PDF /JS object 45 at offset 0xA1F5 | 1549 bytes | |
| javascript_obj0046_016.js | fa905d35c161fb8908bcabdd16003b5c3887708380779516dfb0746da2ee329f | pdf-javascript-stream | PDF /JS object 46 at offset 0xA453 | 853 bytes | |
| javascript_obj0047_017.js | 9f1f844d836ef05fa966b6ff77a9584a5aa816c5aff3e3c9ed82717bf0c8063a | pdf-javascript-stream | PDF /JS object 47 at offset 0xA603 | 3630 bytes | |
| javascript_obj0048_018.js | 544a09a5da37961c8d6b7ea9091023d5c0b89e6afe8444cd6762e1ac8f4d044e | pdf-javascript-stream | PDF /JS object 48 at offset 0xAA8F | 1687 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |
| javascript_obj0049_019.js | e672b797064a7e2f533c7c571eadcfab273da8ca2c62c67413a5790469f61947 | pdf-javascript-stream | PDF /JS object 49 at offset 0xAD2F | 326 bytes | |
| javascript_obj0050_020.js | e5057faec606ee59db4dfee38f8f845346ad38542590ae8973c37ed773183eae | pdf-javascript-stream | PDF /JS object 50 at offset 0xAE44 | 1051 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). |
| javascript_obj0051_021.js | c92e7bc590800ef17262c82528a99e1f00aebbc77a461dde5ce60fb80090ab57 | pdf-javascript-stream | PDF /JS object 51 at offset 0xB00C | 1201 bytes | |
| javascript_obj0052_022.js | c657e79d9c912422d74be018f5babd545c5bcf59ca96790ad1e97dc92f4e6c36 | pdf-javascript-stream | PDF /JS object 52 at offset 0xB1E1 | 25126 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 15 eval/decoder/string-building token(s). |
| javascript_obj0676_023.js | a8b71f5c7a59307223558df0878b0e9efbe441a124a82d46c653d56e0b863465 | pdf-javascript-stream | PDF /JS object 676 at offset 0x39F0B | 6773 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s). |
| javascript_obj0678_024.js | 4d36bf9a4515943d6dd01bbe8bd7670d71c95b12361c73795e8147d45af270c7 | pdf-javascript-stream | PDF /JS object 678 at offset 0x3A625 | 19974 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 54 eval/decoder/string-building token(s). |
| javascript_obj0680_025.js | ddca75e3a437e554f07a791e3f9d2a0d18398853e05222da457e89195bed941c | pdf-javascript-stream | PDF /JS object 680 at offset 0x3B402 | 28575 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 58 eval/decoder/string-building token(s). |
| javascript_obj0682_026.js | 2ac3affbf00f9f60d084f8c7d7f242601ea0142b70cdd1332f0fc8989d47d393 | pdf-javascript-stream | PDF /JS object 682 at offset 0x3C6FF | 17611 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 38 eval/decoder/string-building token(s). |
| javascript_obj0684_027.js | 0dd34d0e256c9afb8ed17276999af533c692badbcbb8fbba64300d558a9c85c8 | pdf-javascript-stream | PDF /JS object 684 at offset 0x3D59F | 8187 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 16 eval/decoder/string-building token(s). |
| javascript_obj0686_028.js | 9710281ca5c008ccf230406486b30f5084963237230f81ca89cd8d2a98c998c6 | pdf-javascript-stream | PDF /JS object 686 at offset 0x3DD34 | 33604 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 110 eval/decoder/string-building token(s). |
| javascript_obj0688_029.js | 67a4396788386fdb5f6b2251ba2a37aae7952858f917f86860f9b006a0528e22 | pdf-javascript-stream | PDF /JS object 688 at offset 0x3F7C3 | 8112 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 14 eval/decoder/string-building token(s). |
| javascript_obj0690_030.js | 9954a2d21346ccb01cef5209f2f89d4dcdf3c49f633e392854addef8632d04bc | pdf-javascript-stream | PDF /JS object 690 at offset 0x40045 | 11667 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 17 eval/decoder/string-building token(s). |
| javascript_obj0692_031.js | 8c45b55ecdabd126ac043ff51848f487eafec5d0b36955f36a4094cdb05d5b25 | pdf-javascript-stream | PDF /JS object 692 at offset 0x40B37 | 16196 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 28 eval/decoder/string-building token(s). |
| javascript_obj0694_032.js | a971d48218bd9c8467e390883e0f0ba690e2ffe10024fc2c1a13e68d01b20b67 | pdf-javascript-stream | PDF /JS object 694 at offset 0x418A4 | 16156 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 40 eval/decoder/string-building token(s). |