MALICIOUS
118
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 User Execution: Malicious File
The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT heuristic. The presence of ASCIIHexDecode filters with exploit indicators and a high ML classifier score further suggest malicious intent. The primary attack pattern involves leveraging JavaScript execution within the PDF to deliver a payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 3
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript rebuilds a builtin via replace() to run a char-code array critical PDF_JS_REPLACE_OBFUSCATED_CHARCODE_BUILDERDecoded PDF JavaScript resolves a String builtin from a junked literal — e.g. String['eQvoaol3'.replace(/[3oQS5]/g,'')] yielding fromCharCode/eval — and feeds a large numeric char-code array through it to rebuild and execute the next stage. Dynamically reconstructing a builtin name by stripping junk characters has no benign purpose; paired with the char-code payload array it is an unambiguous obfuscated-JavaScript exploit dropper.
-
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEXHex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
Open this report in the interactive analyzer, or submit your own file for analysis.