Verdict: MALICIOUS
Risk Score: 66

Malware Insights
MITRE ATT&CK: T1059.001 (PowerShell)
The PDF file contains multiple embedded JavaScript streams, with a high-confidence heuristic detecting an eval() call. This indicates the script is likely obfuscated and designed to execute arbitrary code. The presence of JavaScript actions and AcroForm buttons further supports the malicious intent. The script's primary function appears to be downloading and executing a second-stage payload, though the exact URL or payload could not be reconstructed due to obfuscation.
Heuristics (6)
- eval() call (severity: high, rule PDF_EVAL): eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
- JavaScript action (severity: low, rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (severity: low, rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (severity: low, rule PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/pdfx/1.3/
  - http://ns.adobe.com/xap/1.0/mm/
  All six are standard XMP/RDF metadata namespace identifiers found in ordinary PDF metadata, not download locations, which is consistent with the info-level rating.
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0042_000.js | 86fffb8d4e8265b3fc37bafab0b19373f197c61c544091ee5c9a7f08c2310613 | pdf-javascript-stream | PDF /JS object 42 at offset 0x2DA7 | 133 bytes |
| javascript_obj0315_001.js | 23be8bc3f4bf0ba4a37f1053ddaa9fe36695c732d3ee0c4a4a163a8528f46406 | pdf-javascript-stream | PDF /JS object 315 at offset 0x1820C | 221 bytes |
| javascript_obj0318_002.js | 13b41a553f956c35387292f2e3108b93b9d7234a901b336f7ca01e8adaf40fc3 | pdf-javascript-stream | PDF /JS object 318 at offset 0x18530 | 216 bytes |
| javascript_obj0334_003.js | fc0d40578dc4f8bbb0dcf4777bc7e3f64eb1e8bc4595fe48b8e0a1f8aeb24159 | pdf-javascript-stream | PDF /JS object 334 at offset 0x1954F | 38 bytes |
| javascript_obj0341_004.js | 3328eab8501405fcffcc95bb30fbb8bcb963b88928e4a40bd4be3a45d3e80107 | pdf-javascript-stream | PDF /JS object 341 at offset 0x198AA | 39 bytes |
| javascript_obj0342_005.js | 1829f93c988f1bfcd4bf6a74fc06fa5705171ae9bf3ac877b13813c6b492c742 | pdf-javascript-stream | PDF /JS object 342 at offset 0x198FB | 42 bytes |
| javascript_obj0354_009.js | c4287c5c3e37d48b98ace11b04930d19e8be4d405af6749d7e51f8d70a59029e | pdf-javascript-stream | PDF /JS object 354 at offset 0x19F90 | 33 bytes |
| javascript_obj0359_012.js | 8027e20dc5159f434cbe123a98e1a41d00443a399bb81cdf469636c48f45da27 | pdf-javascript-stream | PDF /JS object 359 at offset 0x1A360 | 146 bytes |
| javascript_obj0361_013.js | cf3ef38cead83f4b1b39c7a061c8fef2c62d068861252a2b5ba7c0b959eec058 | pdf-javascript-stream | PDF /JS object 361 at offset 0x1A536 | 39 bytes |
| javascript_obj0362_014.js | a22e7a3e6dbfb6427839e3a2fdcab1be9d58bdd666536d5308358ec98c59feed | pdf-javascript-stream | PDF /JS object 362 at offset 0x1A587 | 42 bytes |
| javascript_obj0433_015.js | 3bc80ec40ddc2a11c8e2fe6adcd0b03351c4b296889df91d41bcbfba1fd9d4ad | pdf-javascript-stream | PDF /JS object 433 at offset 0x1D110 | 39 bytes |
| javascript_obj0434_016.js | 38771303e5b133f65b24c6712ec9e6df4c1e3ff95fa802e5cb4ed740e2d70e27 | pdf-javascript-stream | PDF /JS object 434 at offset 0x1D161 | 42 bytes |
| javascript_obj0439_017.js | 6b7cde5083353dc94a728e784406248df1e3c34b8a1b86c325dca7d6822fc92b | pdf-javascript-stream | PDF /JS object 439 at offset 0x1D94C | 39 bytes |
| javascript_obj0440_018.js | d7feabbe96d6239a4e68846c17660c84111cd34df235720909593806041f8a24 | pdf-javascript-stream | PDF /JS object 440 at offset 0x1D99D | 42 bytes |
| javascript_obj0443_019.js | a375a48bafb1c40ae55622380be8da4c3fe81500a2f5e40d723fd990ec8ecd82 | pdf-javascript-stream | PDF /JS object 443 at offset 0x1DB2D | 183 bytes |
| javascript_obj0027_021.js | 96f45e180d258928eb87466eda1b3f7df2cc70588dfd48ef7ca0c26d6240f2d7 | pdf-javascript-stream | PDF /JS object 27 at offset 0x23C1E | 40 bytes |
| javascript_obj0028_022.js | 16c2812202cd2077c8b8cf1536dd83e33947fecadba51e73d679c52537de1400 | pdf-javascript-stream | PDF /JS object 28 at offset 0x23C8D | 767 bytes |
| javascript_obj0044_023.js | 7c5ca01424b84f62db88d05d3f07f4db935427d28891d6363b57e2bb4968b40d | pdf-javascript-stream | PDF /JS object 44 at offset 0x2EE1 | 6940 bytes |
| javascript_obj0045_024.js | ff20cb0f501b22f004b4e7d90665a002cafa09266468661b315bd5436c2157e4 | pdf-javascript-stream | PDF /JS object 45 at offset 0x33DB | 382 bytes |
| javascript_obj0046_025.js | 56b88c3e8e8ab2b41fec07fe4d90c145db0707dbf77b98df0c1ad532775ecfc2 | pdf-javascript-stream | PDF /JS object 46 at offset 0x34DA | 2144 bytes |
| javascript_obj0047_026.js | a519d81121d74da9c4f32590eb40c57db4834aa5267f6de7463c1a4987658c92 | pdf-javascript-stream | PDF /JS object 47 at offset 0x375A | 2327 bytes |
| javascript_obj0048_027.js | ea5dfc8446cca5a344fcfe941c7eca19e4c9990989480d09d9c9d7559f4fc5fe | pdf-javascript-stream | PDF /JS object 48 at offset 0x39DC | 889 bytes |
| javascript_obj0049_028.js | 69bc9892d3f321228f316005243e31e72c2484bbd289b398db8a1270b12d5a8a | pdf-javascript-stream | PDF /JS object 49 at offset 0x3B52 | 844 bytes |
| javascript_obj0050_029.js | 7cd1577d6aafbe58891aa4f57982f899cf32bcce034d17b9d5741a38b35fafab | pdf-javascript-stream | PDF /JS object 50 at offset 0x3CBB | 356 bytes |
| javascript_obj0051_030.js | 5361c80e920788d5926a13588a36b2cbcde06dce7af839f5fafaf3b6f707b5e9 | pdf-javascript-stream | PDF /JS object 51 at offset 0x3DD1 | 1012 bytes |
| javascript_obj0317_031.js | 84667b874a29838ebb45931a3baad967c0bbb15be5096426a4c4fda2a7780dd7 | pdf-javascript-stream | PDF /JS object 317 at offset 0x1836D | 1817 bytes |
| javascript_obj0332_032.js | 0761d0ea577d0f477186cb5a94d71216af129ccb9a08d8b7f8bf1e69f7cb0bbe | pdf-javascript-stream | PDF /JS object 332 at offset 0x19396 | 1661 bytes |
| javascript_obj0339_033.js | 63b5b34809a443427498cd5e3e39ec8acc67a5b93ef8d88b1d7f345b320c13ed | pdf-javascript-stream | PDF /JS object 339 at offset 0x196BC | 1419 bytes |
| javascript_obj0343_034.js | 947369daf35a85cbd01f827ae31a20e4e74cdbeae5ff3be9152fc5a460602fcf | pdf-javascript-stream | PDF /JS object 343 at offset 0x1994F | 612 bytes |
| javascript_obj0349_035.js | 3d5b206c99efc06b188dffe166bde0cdb2f36ecbdf5300bd1eadb715bba514f6 | pdf-javascript-stream | PDF /JS object 349 at offset 0x19C03 | 2501 bytes |
| javascript_obj0355_036.js | d15dcae9fc171abbf550138cfd05816658c070d707c1117b1e3828288f54ecfb | pdf-javascript-stream | PDF /JS object 355 at offset 0x19FDB | 3311 bytes |
| javascript_obj0360_037.js | 3a67edcd7dfd86abbf19cf40178d46661b70e06f73b86c96c9ea8c7fbdaa86b1 | pdf-javascript-stream | PDF /JS object 360 at offset 0x1A444 | 373 bytes |

Detection details for javascript_obj0044_023.js (PDF /JS object 44, 6940 bytes), the only artifact with a per-file result:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))