Verdict: MALICIOUS (Risk Score 204)
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1566.002 Spearphishing Attachment
- T1071.001 Web Protocols
This PDF sample fires multiple high-severity heuristics: embedded JavaScript that uses eval() and unescape() inside FlateDecode-compressed streams, together with U3D/3D annotation content, which is the exploit vector for the old Adobe Reader U3D parser bugs (CVE-2011-2462, CVE-2009-3953). Of the 30 carved artifacts, 25 (the /JS object 256 and 24 inflated streams) contain eval/decoder/string-building tokens, with the 277708-byte object 256 being the primary script to examine. The JavaScript could stage a further payload, but the static evidence does not show one: ClamAV flags none of the carved artifacts, and the only URLs extracted are RDF/XMP metadata namespaces rather than download endpoints, so the T1059.001 (PowerShell) and T1071.001 (Web Protocols) mappings are not supported by the findings on this page and should be confirmed by detonation. The Nyx PDF classifier (malicious score 0.9796) strongly indicates malicious intent; confirm by decoding object 256 and the inflated streams and checking whether the eval/unescape chains assemble shellcode or belong to a minified XFA/form library, which the PDF_EMBEDDED_SCRIPT_PAYLOAD rule notes is common in benign forms.
Machine Learning
- Nyx PDF Classifier malicious score 0.9796
Heuristics (10)
- U3D/3D content in PDF (Adobe Reader 3D parser CVE-family indicator) [high] PDF_U3D_CVE_RELATED: PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution; both have long been patched, so U3D presence is an indicator of exploit-style construction, not proof that the sample exploits a current reader. U3D content in PDFs is extremely rare in normal documents.
- eval() call [high] PDF_EVAL: eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream).
- unescape() call [high] PDF_UNESCAPE: unescape() found; often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
- Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD: PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. Common in accessible XFA forms, but worth surfacing for analyst review.
- JavaScript action [low] PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low] PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- String.fromCharCode [low] PDF_FROMCHARCODE: String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
- Optional Content Group with action trigger [low] PDF_OPTIONAL_CONTENT: an Optional Content Group (layer) co-occurs with an action trigger, so content can be selectively hidden from viewers or scanners while the action still fires on open.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs extracted:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/g/img/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  All six are RDF/XMP metadata namespace identifiers that appear in any PDF carrying Adobe XMP metadata; they are not download or callback endpoints, and the report extracts no other URL, so static analysis yields no network indicator for this sample.
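To reproduce the static side of this triage offline, the following Python is an added example written for this page, not the analyzer's own code. It locates stream objects, inflates FlateDecode streams with zlib, runs pattern rules named after the heuristics above over the raw file and the inflated streams, and counts eval/decoder/string-building tokens per stream the way the artifact table reports them. The rule weights, the verdict thresholds, the token list and the constructed sample PDF (with an OpenAction, a compressed /JS stream, a /3D annotation and an optional-content group) are all assumptions; the stream locator is deliberately simple and does not parse xref tables, object streams or nested dictionaries.

```python
import re
import zlib

# Deliberately simple stream locator: a flat dictionary followed by a stream
# body. It does not walk the xref table, object streams (/ObjStm) or nested
# dictionaries; use pdf-parser.py or peepdf for real casework.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Tokens counted per carved artifact, mirroring the report's
# "eval/decoder/string-building token(s)" figure (token list is an assumption).
TOKEN_RE = re.compile(rb"\b(?:eval|unescape|String\.fromCharCode|atob|Function)\s*\(")

# Any trigger that makes a script run without user interaction.
ACTION_RE = re.compile(rb"/OpenAction\b|/AA\b")

# Rule table modelled on the heuristics in the report. Rule IDs and severities
# follow the report; weights and verdict thresholds are this example's
# assumptions, not the analyzer's scoring.
# (rule id, severity, weight, bytes pattern, scope, needs action trigger)
RULES = [
    ("PDF_U3D_CVE_RELATED",         "high",   40, rb"/U3D\b|/Subtype\s*/3D\b",    "raw",     False),
    ("PDF_EVAL",                    "high",   30, rb"\beval\s*\(",                 "decoded", False),
    ("PDF_UNESCAPE",                "high",   30, rb"\bunescape\s*\(",             "decoded", False),
    ("PDF_EMBEDDED_SCRIPT_PAYLOAD", "medium", 15, rb"<[sS][cC][rR][iI][pP][tT]\b", "decoded", False),
    ("PDF_JAVASCRIPT",              "low",     5, rb"/JavaScript\b",               "raw",     False),
    ("PDF_JS",                      "low",     5, rb"/JS\b",                       "raw",     False),
    ("PDF_FROMCHARCODE",            "low",     5, rb"String\.fromCharCode",        "decoded", False),
    ("PDF_OPTIONAL_CONTENT",        "low",     5, rb"/OCG\b|/OCProperties\b",      "raw",     True),
]

# Constructed script for the sample PDF: the unescape/eval/fromCharCode shape
# the heuristics fire on, with no real shellcode.
SAMPLE_JS = (b"var sc = unescape('%u9090%u9090');\n"
             b"eval(String.fromCharCode(97, 112, 112) + '.alert(1)');\n")


def build_sample_pdf(with_script: bool = True) -> bytes:
    """Constructed sample (not the analysed file): a one-page PDF whose
    OpenAction runs a FlateDecode-compressed /JS stream, plus a /3D
    annotation and an optional-content group. with_script=False builds
    the clean control."""
    body = zlib.compress(SAMPLE_JS)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
        b"/OCProperties << /OCGs [7 0 R] >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [6 0 R] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream",
        b"<< /Type /Annot /Subtype /3D /Rect [0 0 100 100] >>",
        b"<< /Type /OCG /Name (hidden) >>",
    ]
    if not with_script:
        objs[0] = b"<< /Type /Catalog /Pages 2 0 R >>"
        objs[3:] = [None] * 4
    out = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        if obj is not None:
            out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"%%EOF\n"


def inflate_streams(pdf: bytes) -> list:
    """Return (offset, bytes) for every stream; FlateDecode streams are
    inflated, and streams that fail to inflate are kept raw so the string
    rules still run over them."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        data = m.group(2)
        if b"/FlateDecode" in m.group(1):
            try:
                data = zlib.decompressobj().decompress(data)  # tolerates trailing junk
            except zlib.error:
                pass
        out.append((m.start(2), data))
    return out


def count_script_tokens(data: bytes) -> int:
    return len(TOKEN_RE.findall(data))


def triage(pdf: bytes) -> dict:
    """Score a PDF against RULES; returns hits, score, verdict and the
    per-stream token counts an analyst would cross-check by hand."""
    streams = inflate_streams(pdf)
    decoded = b"\n".join(data for _, data in streams)
    has_action = ACTION_RE.search(pdf) is not None
    hits, score = {}, 0
    for rule_id, severity, weight, pattern, scope, needs_action in RULES:
        haystack = pdf if scope == "raw" else decoded
        n = len(re.findall(pattern, haystack))
        if n and (has_action or not needs_action):
            hits[rule_id] = (severity, n)
            score += weight
    verdict = "malicious" if score >= 60 else "suspicious" if score >= 20 else "clean"
    return {
        "score": score,
        "verdict": verdict,
        "hits": hits,
        "artifacts": [(off, len(d), count_script_tokens(d)) for off, d in streams],
    }


if __name__ == "__main__":
    for label, pdf in (("sample", build_sample_pdf()), ("control", build_sample_pdf(False))):
        result = triage(pdf)
        print(label, result["verdict"], result["score"], sorted(result["hits"]))
        for off, size, tokens in result["artifacts"]:
            print(f"  stream at offset 0x{off:X}: {size} bytes, {tokens} token(s)")
```

On a real file, call triage(open(path, "rb").read()) and then cross-check the scored object by hand, for instance by dumping it with pdf-parser.py (-o for the object number, -f to apply the filters) and reading the decoded JavaScript; the rule hits tell you where to look, not what the script does.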
Extracted artifacts 30
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| javascript_obj0256_000.js | f180e9c2a491686a53f8958784c0564b894e421d9af9f06a38358e067ef565a7 | pdf-javascript-stream | PDF /JS object 256 at offset 0x3F0D1 | 277708 bytes | No threats found | likely (4 eval/decoder/string-building tokens) |
| stream_036_off00026b35.js | 5c8b515f8fb35d2cc50e300d03f0203980fba1aa3a80728eb5408e4a9ef5211b | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x26B35 | 22212 bytes | No threats found | likely (5 tokens) |
| stream_037_off00027bd2.js | f8b13a3863af702dcd7e3941443dec10025d7a2a53f54e108dfaf2b8e3f2695f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x27BD2 | 17918 bytes | No threats found | likely (5 tokens) |
| stream_038_off000289d5.js | 67fdedd6cb9a0e0b6e0eaba2f238ca5c983512f99a2092d586e4edea586be475 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x289D5 | 10626 bytes | No threats found | likely (9 tokens) |
| stream_042_off0002b130.js | e268c3fa8753a7b53b3db467a54c42b8f9036543a6f7b6d4f1d02ccd59df16d3 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2B130 | 7253 bytes | No threats found | likely (4 tokens) |
| stream_043_off0002b8a8.js | 77066a7a37b3af6ad53791d7f9457b7dfed3a8d84d4feaa7031d8ae355636408 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2B8A8 | 2855 bytes | No threats found | likely (5 tokens) |
| stream_044_off0002bccd.js | a1069b624d829f9ed15ef9dc70c98d2a23233bb0b080385f34e121a533ca365a | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2BCCD | 10387 bytes | No threats found | likely (9 tokens) |
| stream_048_off0002e15f.js | 09a1f6366bade2c781cbaf923095ea7085f8de7adb3a8c0b0b708123787b545f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2E15F | 7240 bytes | No threats found | likely (5 tokens) |
| stream_049_off0002e8e6.js | 962623957d02896ce50ac303e11139789b7c547ef6f635834872fbf3a740a5c4 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2E8E6 | 2629 bytes | No threats found | likely (4 tokens) |
| stream_050_off0002ecf3.js | 252ea1aa6e45985d77ac5ab2582980690ed57e9f198ae81a80a56806c03a8ae3 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2ECF3 | 10231 bytes | No threats found | likely (8 tokens) |
| stream_054_off0003221c.js | 9796998ca2c32756bf181ff5f4a60580d6fd55561b2050ddebc355d20055f667 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3221C | 7036 bytes | No threats found | likely (4 tokens) |
| stream_055_off00032991.js | 2a7255a2847947efcf8ff75cb73e57c1238de0b56ef725e3acb574238a620505 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x32991 | 2680 bytes | No threats found | likely (4 tokens) |
| stream_056_off00032da8.js | 34e199a7c93f33d1bb6f18620c86cff5d7bc5c68e1809e942ed0f3c0dc1515f9 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x32DA8 | 10563 bytes | No threats found | likely (9 tokens) |
| stream_060_off0003529b.js | 12da33232a02682161413374f6f05c0210833edfde1a8ef6373b058eab29c831 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3529B | 7349 bytes | No threats found | likely (5 tokens) |
| stream_061_off00035a45.js | e35d38f817cd62db5a1f4554fb99f1e4ac0bd5e7e17c19dc1ad0afd56261c2cd | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x35A45 | 2699 bytes | No threats found | likely (4 tokens) |
| stream_062_off00035e58.js | f99b25026b97bbf0ee754128febcbd6731b4870a0b207a825858361537edb519 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x35E58 | 10656 bytes | No threats found | likely (10 tokens) |
| stream_066_off000381bf.js | f61d6d78585bf688bcd9976ab48d95b3ceeff76f145e26142d53f0c3f6f91422 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x381BF | 7516 bytes | No threats found | likely (6 tokens) |
| stream_067_off0003896a.js | 835ae1930debae0ff9f45f4d3af42c9838d14fc0ce7262bdf9b42f507a2f12bb | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3896A | 2623 bytes | No threats found | likely (4 tokens) |
| stream_068_off00038d7a.js | 0d67705a6bb1b0b689ce8dc5c8e2647f9ac5b389b7b962dac06623e78c805ec9 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x38D7A | 10376 bytes | No threats found | likely (8 tokens) |
| stream_072_off0003b4be.js | f1b809fcabd36a7b044d90b6113a89fff86070ac264f8499b1c49f20c8e11036 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3B4BE | 7139 bytes | No threats found | likely (4 tokens) |
| stream_073_off0003bc5c.js | 8cf818474745e275d3a361ee51a325ca2da34fa2d6266b93bd6469334fb63052 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3BC5C | 2719 bytes | No threats found | likely (4 tokens) |
| stream_074_off0003c07d.js | edf99511724f2fa86783da015818f61810939ca447b807b0b8c274f911c20ef9 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3C07D | 10455 bytes | No threats found | likely (10 tokens) |
| stream_078_off0003e3a4.js | 0e39b508c23e49751ef8144517c5ab068efcd2c2e8347b74a648b3adeb7cf172 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3E3A4 | 7219 bytes | No threats found | likely (5 tokens) |
| stream_079_off0003eb3c.js | 575b0ab544d9a1d0fd5b4052fc85e291b9e65138e37005f64035bcb6a2a084bd | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3EB3C | 2721 bytes | No threats found | likely (5 tokens) |
| stream_081_off0004c0ca.bin | 1d949b4321e72a941028eedee52035a8ed5590fec17ffb3c67b4d01837e6c025 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4C0CA | 2859872 bytes | not reported | not reported |
| stream_082_off0023df41.js | dbc1dbabdc2baf9bc8781d47cac49ae28057fb9c8f16acebe21aed846f3a46bb | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x23DF41 | 172124 bytes | No threats found | likely (2 tokens) |
| objstm_0267_00.bin | 0b0d272b75744fd65991a38e8edb55466d01fd4d5d2b1b775dca99da7e73f4d9 | pdf-objstm-decoded | PDF /ObjStm 267 0 obj (inflated) | 524 bytes | not reported | not reported |
| objstm_0268_00.bin | b14cf8625cf28a62dd3ffa238b71372931928293b97cb4018cae9e713c2ab27e | pdf-objstm-decoded | PDF /ObjStm 268 0 obj (inflated) | 3871 bytes | not reported | not reported |
| font_00_sfnt_off000010ef.bin | f39f99e2d4b021d4eac703afe26d32ad26f128c442f2089910c21b1f323fc85d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10EF | 79301 bytes | not reported | not reported |
| font_01_cff_off0000ed7f.bin | ff2bd39b1311329d9bedf20dcc32a5c5691647192c7f1c6f455126503a909ee9 | pdf-font-stream | PDF embedded font (cff) at offset 0xED7F | 1558 bytes | not reported | not reported |

Two things in this table deserve analyst attention before the 25 token-bearing artifacts are treated as 25 separate findings. First, the inflated .js streams from 036 through 079 recur as a repeating triplet of roughly 7 KB, 2.7 KB and 10.5 KB with near-identical token counts in each group, which is the shape of one script template embedded once per page or form element; if a diff shows the groups are copies of the same code, the eval/unescape hits collapse to a single finding and object 256 (277708 bytes) and stream_082 (172124 bytes) become the scripts to read. Second, the largest carved artifact, stream_081 at 2859872 bytes, carries no ClamAV or obfuscation result and the report does not identify its content type; given the PDF_U3D_CVE_RELATED hit, it should be inspected directly rather than left unclassified.