MALICIOUS
Risk Score: 66

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple PDF_JAVASCRIPT and PDF_JS heuristic firings. The presence of a PDF_EVAL heuristic suggests that the JavaScript code is likely obfuscated and uses an eval() call to execute arbitrary code. This pattern is commonly used to download and execute a second-stage payload. No specific URLs or hashes were extracted, limiting further analysis of the payload.

Heuristics (5)

- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (32)

Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| javascript_obj0255_000.js | 8e24728dd72cc6d856a00271ca83cb3601a340e9805de8bd0145b0a9e4093612 | pdf-javascript-stream | PDF /JS object 255 at offset 0x1901 | 3707 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). |
| javascript_obj0313_003.js | 297f7ef1acc66d59f150d7921e030167354f71a3264213d996ed04875b950bb4 | pdf-javascript-stream | PDF /JS object 313 at offset 0x4980 | 100 bytes | |
| javascript_obj0313_004.js | 73c3cd745281fc73949579469a39bc3c95328cc7bd283bb4494656a94b016aac | pdf-javascript-stream | PDF /JS object 313 at offset 0x4980 | 39 bytes | |
| javascript_obj0320_005.js | 02040bd3235ccebf63d73ea06f78aa77f01e1b5fb566677ea93b5ff57dcc4d4c | pdf-javascript-stream | PDF /JS object 320 at offset 0x5031 | 165 bytes | |
| javascript_obj0321_007.js | dd0d1903cfe9d8e2784163b0add052b3304a5f0584b5d488d7030a22f9e5c73c | pdf-javascript-stream | PDF /JS object 321 at offset 0x51A9 | 184 bytes | |
| javascript_obj0338_009.js | 3716cc42f02bb2d6fe1d6b9fab1f1ee745ca0311162ff8de869cedb5329548e4 | pdf-javascript-stream | PDF /JS object 338 at offset 0x61FF | 549 bytes | |
| javascript_obj0339_011.js | 16ab17e1bb4905351f8e46a5fc5052860f2b7b5622b52c5c13019a65ba5e5d80 | pdf-javascript-stream | PDF /JS object 339 at offset 0x64FA | 543 bytes | |
| javascript_obj0340_012.js | 6669cb2a7b58e5a2d9d705be4b643da896d6157cad6aa63c5f330df3945c98c2 | pdf-javascript-stream | PDF /JS object 340 at offset 0x67F1 | 501 bytes | |
| javascript_obj0341_013.js | 7a454b7461fbb6c696686305eb22004a3a56f617b08759c5209aa60108afb5b7 | pdf-javascript-stream | PDF /JS object 341 at offset 0x6ABD | 1469 bytes | |
| javascript_obj0341_014.js | 0f5a703e2820c002eb6fada79d57e76acb88f36d0495f03929ec9dafaf3e0f3b | pdf-javascript-stream | PDF /JS object 341 at offset 0x6ABD | 40 bytes | |
| javascript_obj0354_015.js | 425bfdd9b64fe48042f2eb9d8cd4cad558492505182b4878c451a5d9bc7a2c45 | pdf-javascript-stream | PDF /JS object 354 at offset 0x802E | 173 bytes | |
| javascript_obj0363_017.js | e38e598e4146dde05b34b4477d3a63a7e0fb562a774f6a1da7bc1f918b8e47ab | pdf-javascript-stream | PDF /JS object 363 at offset 0x8375 | 181 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s). |
| javascript_obj0368_019.js | ef0cdf6ca0f6ecf0a86643248e52a7a496a527380de64133317ce1ef69a64613 | pdf-javascript-stream | PDF /JS object 368 at offset 0x8892 | 198 bytes | |
| javascript_obj0371_021.js | ce1644552f9a2d4a199ae140f8d9abd038710ca7bab7f07a15083c618ae00667 | pdf-javascript-stream | PDF /JS object 371 at offset 0x8BF8 | 224 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). |
| javascript_obj0371_022.js | a68fba70202c12150aef5f725554a6077a1d503390bcb96c20d4da046d49f000 | pdf-javascript-stream | PDF /JS object 371 at offset 0x8BF8 | 34 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |
| javascript_obj0376_023.js | 1194bb2da97e6331fc7ad159fe2e6d6413cd5741d1481e92f364e91a72864486 | pdf-javascript-stream | PDF /JS object 376 at offset 0x913F | 173 bytes | |
| javascript_obj0379_025.js | 5cd7632b35d603b151b7e3ac1ca5c5e4ecb6137e156ddaca6c2458d00ea083a6 | pdf-javascript-stream | PDF /JS object 379 at offset 0x9491 | 194 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). |
| javascript_obj0379_026.js | 3dc6da1f709f387acc719773ee3abd391b7db88a8c07bb88caf3d00abfef78f5 | pdf-javascript-stream | PDF /JS object 379 at offset 0x9491 | 34 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |
| javascript_obj0385_027.js | 5ce3e6055c79463071dd273f44ac2aa7da66d35f163c975e210541d46e61f3ec | pdf-javascript-stream | PDF /JS object 385 at offset 0x97A7 | 103 bytes | |
| javascript_obj0388_029.js | bfc3efc3f8c1f1ba9e8945ec13bbd0cfc1db68cb817557e0a40776e6fa4ba06b | pdf-javascript-stream | PDF /JS object 388 at offset 0x9AB1 | 129 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). |
| javascript_obj0388_030.js | aaf42f89f377b6b8e3b674022212eab2f0c7ce6a3c7f09e93a208e0b286bb22e | pdf-javascript-stream | PDF /JS object 388 at offset 0x9AB1 | 34 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |
| javascript_obj0396_031.js | d053e1f9d80ff7f2f765c56ea9943a9a91c2b7cd9f3b1a698420b135a3a07ec8 | pdf-javascript-stream | PDF /JS object 396 at offset 0xA791 | 243 bytes | |
| javascript_obj0400_033.js | 110fa0101df56fb9908731f6daab3fd41bcdb0179bdf4dafe57d71d8a9fff084 | pdf-javascript-stream | PDF /JS object 400 at offset 0xAC05 | 260 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). |
| javascript_obj0407_035.js | 58cbadf7da7945bd7b9979d5eeb1bebf1fb3e39c008b10dfe21d2019e4a09c66 | pdf-javascript-stream | PDF /JS object 407 at offset 0xB33C | 297 bytes | |
| javascript_obj0411_037.js | d10379f48d1bcb995969aa97463eb1cb3ad4963af6782455d32623d38b2ccd13 | pdf-javascript-stream | PDF /JS object 411 at offset 0xB7EA | 336 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s). |
| javascript_obj0411_038.js | 054d9e77873c4a9930a7bedc13a4db1535b18adc558ef2f5b30cabe7a929d839 | pdf-javascript-stream | PDF /JS object 411 at offset 0xB7EA | 34 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |
| javascript_obj0418_039.js | 5a95687f374ca49f553db9606ec6f85ad024e224bcb1a177eb3191edb22fe3ef | pdf-javascript-stream | PDF /JS object 418 at offset 0xBF69 | 243 bytes | |
| javascript_obj0422_041.js | 9e9eabeff7b682844388655bbc9f98728f6b183cdacc1609ab157cfac8edee8b | pdf-javascript-stream | PDF /JS object 422 at offset 0xC3E4 | 276 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s). |
| javascript_obj0422_042.js | 55f220bff0a564d3e6c97dc91c85a2acaf930c80509f2e5d2a1a2b1ea35cea2a | pdf-javascript-stream | PDF /JS object 422 at offset 0xC3E4 | 34 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |
| javascript_obj0424_043.js | 57824b2b34e18e720b4b14287f2e78e856584657f0000322ebd1d79aa8c5e497 | pdf-javascript-stream | PDF /JS object 424 at offset 0xC6B4 | 138 bytes | |
| javascript_obj0428_045.js | 71a52d1870116d98537e1a1001db66d206814aad2fce132385b16cbcfbd6221f | pdf-javascript-stream | PDF /JS object 428 at offset 0xCAC2 | 173 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s). |
| javascript_obj0428_046.js | b8d4d3a1141c6be3b5617741c176bdcb0d8d2004bb42cc7dc6f51c0860e8d11f | pdf-javascript-stream | PDF /JS object 428 at offset 0xCAC2 | 34 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). |