Verdict: MALICIOUS
Risk Score: 88
Malware Insights
MITRE ATT&CK
- T1059.007 Command and Scripting Interpreter: JavaScript
- T1203 Exploitation for Client Execution
The PDF file contains embedded JavaScript that attempts to download a second-stage payload from the embedded URLs. The ML classifier scores the file as malicious with high confidence, and the JavaScript shellcode heuristic confirms the download functionality. The embedded URLs are the primary indicators of compromise.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (4)
- PDF JavaScript shellcode contains an embedded download URL [high] PDF_JS_SHELLCODE_DOWNLOAD_URL: Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
- JavaScript action [low] PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low] PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs:
  - http://spicexpert.com/stats/l.php?i=4
  - http://spicexpert.com/stats/l.php?i=5
  - http://spicexpert.com/stats/l.php?i=6
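The decoding step behind PDF_JS_SHELLCODE_DOWNLOAD_URL is small enough to reproduce. The following Python is an added example, not the analyzer's own rule code: it converts %uXXXX escapes into their two little-endian bytes and scans the result for a NUL-terminated http(s) string, which is how a URL destined for URLDownloadToFile sits in shellcode. The shellcode sample, filler bytes, placeholder hostname (example.test) and regexes are constructed for illustration and are not taken from the report.

```python
"""Added example (not the analyzer's own code): decode %uXXXX-escaped JavaScript
shellcode and look for a hardcoded http(s) URL, the pattern behind
PDF_JS_SHELLCODE_DOWNLOAD_URL. All sample data below is constructed."""
import re

# One %uXXXX escape carries a 16-bit value; shellcode stored this way is
# little-endian, so %u4142 is the byte pair 0x42 0x41 ("BA"), not "AB".
UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")

# A URL handed to URLDownloadToFile is a NUL-terminated ASCII string, so the
# match stops at the first byte outside printable ASCII.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def decode_unicode_escapes(js_text: str) -> bytes:
    """Turn every %uXXXX escape in the JavaScript into its two little-endian bytes."""
    out = bytearray()
    for m in UNICODE_ESCAPE.finditer(js_text):
        value = int(m.group(1), 16)
        out.append(value & 0xFF)   # low byte first
        out.append(value >> 8)     # then high byte
    return bytes(out)


def encode_unicode_escapes(data: bytes) -> str:
    """Inverse of decode_unicode_escapes; used here only to build the sample.
    Odd-length input is NUL-padded, as an unescape()-based loader would need."""
    if len(data) % 2:
        data += b"\x00"
    return "".join(f"%u{data[i + 1]:02x}{data[i]:02x}" for i in range(0, len(data), 2))


def extract_download_urls(js_text: str) -> list[str]:
    """URLs embedded in the decoded shellcode. An empty list means the
    heuristic would not fire on this text (plain-text URLs are left to
    other rules; only escaped shellcode is decoded here)."""
    blob = decode_unicode_escapes(js_text)
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(blob)]


# Constructed sample: a few filler bytes standing in for the shellcode stub,
# then the NUL-terminated second-stage URL. The hostname is a placeholder.
SAMPLE_URL = b"http://example.test/stage/l.php?i=1"
SAMPLE_SHELLCODE = b"\x90\x90\x90\x90\xe8\x00\x00\x00\x00" + SAMPLE_URL + b"\x00"
SAMPLE_JS = 'var sc = unescape("' + encode_unicode_escapes(SAMPLE_SHELLCODE) + '");'

if __name__ == "__main__":
    for url in extract_download_urls(SAMPLE_JS):
        print("download URL in shellcode:", url)
```

The byte order matters in practice: decoding %uXXXX as big-endian yields a blob in which every pair of URL characters is swapped and the http:// prefix never matches, so a scanner that gets this wrong misses exactly the URLs this rule exists to surface.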
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| legacy_pdfkit_stage_000.js | 42042c8a97c0aa249c3bafbc4b9bce31d6c6f8fa090fa3b1821a98b4c3d609b0 | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x191 | 2429 bytes |