MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
This PDF file contains multiple JavaScript streams, with high-confidence heuristics indicating the use of eval() and unescape() functions. These functions are commonly used to deobfuscate and execute malicious code. The presence of 'Fake invoice / payment lure' heuristic suggests a phishing or scamming intent. No specific IOCs like URLs or hashes were extracted, and the JavaScript content was too fragmented to reconstruct specific actions.
Heuristics 8
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
-
unescape() call high PDF_UNESCAPEunescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
String.fromCharCode low PDF_FROMCHARCODEString.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/g/img/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/t/pg/
- http://ns.adobe.com/xap/1.0/sType/Dimensions#
- http://ns.adobe.com/xap/1.0/g/
- http://ns.adobe.com/pdf/1.3/
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0680_002.js04131a026bcf4a3f696506d167971b09f0f994442547f66b25f85593bf2ceab2 |
pdf-javascript-stream | PDF /JS object 680 at offset 0x26821 | 47 bytes |
javascript_obj0708_007.jsba6cfbc4aa1fb14717b85aa1e76db04dfbdaecf7631cb0b02901ebbc3906cfa4 |
pdf-javascript-stream | PDF /JS object 708 at offset 0x27585 | 42 bytes |
javascript_obj0709_008.js4c25201a58836b8cacf6debc4d7efb51a76c5c5e5eeab8aac2aca665dd15d0c3 |
pdf-javascript-stream | PDF /JS object 709 at offset 0x275DF | 41 bytes |
javascript_obj0721_009.js83bc7f9bd52513f0ba8ff544096a8f1412074d3173d749a7477c32b449beed0d |
pdf-javascript-stream | PDF /JS object 721 at offset 0x27921 | 42 bytes |
javascript_obj0741_012.js9e0ccae711ec8ae7f208c7d4c6326b0f96b8127bb6fa0f6eb34f9f10ad66c5b7 |
pdf-javascript-stream | PDF /JS object 741 at offset 0x27E4B | 42 bytes |
javascript_obj0742_013.js4e818ff69288c4a30713246a7b83f305a77963cbe104d5708788f46fd0ae7021 |
pdf-javascript-stream | PDF /JS object 742 at offset 0x27EA5 | 41 bytes |
javascript_obj0754_014.js76b45b9cb0925fdb7c491cd619bd377ef51eef68387deb7638ca29d4a57a3299 |
pdf-javascript-stream | PDF /JS object 754 at offset 0x2820F | 42 bytes |
javascript_obj0774_015.js3a09ade3378df32ab17c2b55a5dc43bb6f6b5076a62abbe128a7c20647289626 |
pdf-javascript-stream | PDF /JS object 774 at offset 0x28739 | 42 bytes |
javascript_obj0775_016.js72135b68e0e54d6ac0f5ba0087e3d84fc794d45c3419dea8d21fed094d6d29bb |
pdf-javascript-stream | PDF /JS object 775 at offset 0x28793 | 41 bytes |
javascript_obj0787_017.jsdc6a465811ce3a787ff3c51b417e826466232be3e68bdce2b16b1f4ec51c5caf |
pdf-javascript-stream | PDF /JS object 787 at offset 0x28AFD | 42 bytes |
javascript_obj0807_018.js7839a347611ac2931339434b7ddc0179b750d695d07351f0059d0d1d275d16ae |
pdf-javascript-stream | PDF /JS object 807 at offset 0x29027 | 42 bytes |
javascript_obj0808_019.js04f48071e670c0ba2587403ec00bff41685b76081219508c3c4390b5aba87d96 |
pdf-javascript-stream | PDF /JS object 808 at offset 0x29081 | 41 bytes |
javascript_obj0820_020.jsaf3b13a7acd9d59f853da31ce1534573aeba7cb744f71ada8b271ee96e4469f7 |
pdf-javascript-stream | PDF /JS object 820 at offset 0x293EB | 42 bytes |
javascript_obj0840_021.js00b59df776321ec23b4852c4bb92f6580cf5105c904184ea223ca5e9e2d9e3e0 |
pdf-javascript-stream | PDF /JS object 840 at offset 0x29915 | 42 bytes |
javascript_obj0841_022.js9729e71122989affcd3b1ba4eabc40632fa95803463e328e755f16219b6a0964 |
pdf-javascript-stream | PDF /JS object 841 at offset 0x2996F | 41 bytes |
javascript_obj0853_023.js8c8b070b561684f44b793465b8342faf4cac6368bd682bdce91190c182808802 |
pdf-javascript-stream | PDF /JS object 853 at offset 0x29CD9 | 42 bytes |
javascript_obj0873_024.js851bef9cba60a2a5d323c79d0fb1bf9ba73486b2cc7cbe06177e893d1b2831e4 |
pdf-javascript-stream | PDF /JS object 873 at offset 0x2A203 | 42 bytes |
javascript_obj0874_025.js22acba758bb65f327dcf0766dbc938f291cbe534eeeacd22806a6c5ab16a875b |
pdf-javascript-stream | PDF /JS object 874 at offset 0x2A25D | 41 bytes |
javascript_obj0886_026.js7c50c615eb6851496aa7fffb49921abed37aba06a57d2c757e0c0ba018e5f1d5 |
pdf-javascript-stream | PDF /JS object 886 at offset 0x2A5C7 | 42 bytes |
javascript_obj0906_027.jsecaa75f6c68ea1a53bba588bb74a02a078d10c7bd501f5cec8c19c735e7abbba |
pdf-javascript-stream | PDF /JS object 906 at offset 0x2AAF1 | 42 bytes |
javascript_obj0907_028.jsc73a51a6e30a07a8726a03d00625536e99778c4dc15f2a073173333b3cad08de |
pdf-javascript-stream | PDF /JS object 907 at offset 0x2AB4B | 41 bytes |
javascript_obj0919_029.jse824f0f609ff943b97605a780b95ae6b7637b0facf38a0e28c51e790c4a36a29 |
pdf-javascript-stream | PDF /JS object 919 at offset 0x2AEB5 | 41 bytes |
javascript_obj0939_030.js4718b22d7636ee4ad55f6c4fdf5611b544c6d1a433be6c4b6d600e723bddfdd3 |
pdf-javascript-stream | PDF /JS object 939 at offset 0x2B3DE | 41 bytes |
javascript_obj0940_031.js22e4bc40256a34808ce76df343199547429aade7d9da2d56eae85f46ea3e7cd4 |
pdf-javascript-stream | PDF /JS object 940 at offset 0x2B437 | 40 bytes |
javascript_obj0961_032.js2fa104f77754027dc54ac5253dcf92e55b793a67cb31700583cad2d52b5071f4 |
pdf-javascript-stream | PDF /JS object 961 at offset 0x2B9EB | 41 bytes |
javascript_obj0962_033.js2040444213d79f42ba0ce85fa40d3a8d5492b0e45e6621479d21f911fdb5adf5 |
pdf-javascript-stream | PDF /JS object 962 at offset 0x2BA44 | 40 bytes |
javascript_obj1001_034.js13de35280841b1f7fb23e80bcef866815413203d619dcd797a89cac687f31ec4 |
pdf-javascript-stream | PDF /JS object 1001 at offset 0x2C43D | 41 bytes |
javascript_obj1002_035.js58ad178085fb860c64cb458af00a3cfe3f16872c64d526260f3cb898d8fa0a87 |
pdf-javascript-stream | PDF /JS object 1002 at offset 0x2C497 | 40 bytes |
javascript_obj1005_036.js6a2411d60acad66d0c16e14bcc7bebfd7aabe46b348f7c001828dc667f9b96a3 |
pdf-javascript-stream | PDF /JS object 1005 at offset 0x2C58E | 42 bytes |
javascript_obj1017_037.js48fbe34688e2e1f4559dc8cd5b803e42e0432ef25de2f0851a90d62d7bb847c0 |
pdf-javascript-stream | PDF /JS object 1017 at offset 0x2C908 | 42 bytes |
javascript_obj0023_040.jsdc37fded7df2b80cf6ec22775a0ba7ba8734d56e28c12e57013964507ac752f9 |
pdf-javascript-stream | PDF /JS object 23 at offset 0x40791 | 40 bytes |
javascript_obj0054_041.js070f45b823893bb8057ae8421a77419a152333fd2466f0222a9dcf7df78c9657 |
pdf-javascript-stream | PDF /JS object 54 at offset 0x4252D | 41 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.