MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 JavaScript
T1204.002 Malicious File
T1566.002 Spearphishing Attachment
The PDF file contains multiple embedded JavaScript streams, several of which are obfuscated and utilize eval() and unescape() functions, indicating malicious intent. The presence of 'PDF_U3D_CVE_RELATED' suggests exploitation of a U3D-related vulnerability in Adobe Reader. The primary function of the embedded scripts appears to be downloading and executing a second-stage payload, as evidenced by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristic. No specific malware family could be confidently identified.
Heuristics 12
-
U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high PDF_U3D_CVE_RELATEDPDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
-
unescape() call high PDF_UNESCAPEunescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
-
PDF metadata JavaScript eval stager high PDF_METADATA_EVAL_STAGERPDF JavaScript reads document metadata fields such as title, subject, or producer, decodes character data with parseInt/String.fromCharCode style helpers, and evals the recovered stage. This is a high-signal exploit-kit staging pattern.
-
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
String.fromCharCode low PDF_FROMCHARCODEString.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
-
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENTOptional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/g/img/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0186_000.jsd195ed478c75654db0d2dfa914d3e596bc9905df956812e62fd0b33e50a4c8fe |
pdf-javascript-stream | PDF /JS object 186 at offset 0x4FA92 | 618457 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
stream_054_off000389e9.js29899ce33096fed9e9be0185e1b887840c5d8c351c7c0430d9e348b8fbe9ff92 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x389E9 | 21908 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
stream_055_off00039b66.js68e45c3e45a9527621d2fb3df9ae49114f751491d9e33e3f95c77e10a4f15884 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x39B66 | 6514 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 6 eval/decoder/string-building token(s).
|
|||
stream_056_off0003a36d.js71ef0bdc07fbeae439eb00e475cf301dea965ebe9340cc20af95ff7644d9aec8 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3A36D | 17819 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 9 eval/decoder/string-building token(s).
|
|||
stream_057_off0003b2eb.js8b975557638aa322e9a12aa93832b9007110d5b2ca6a6ab533a6249737a5f728 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3B2EB | 6094 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
stream_062_off0003e57f.js2ad95c61eddf6e922b49612e78290084061319fec1ccc4c337f6ca11a00a14fd |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3E57F | 20034 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 9 eval/decoder/string-building token(s).
|
|||
stream_066_off000401bd.jsf9517eb79e02fdcc8866415b6e20968938f3af628f0a8e7c2185cd8ce86fec1d |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x401BD | 4556 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
stream_067_off0004072d.jsa4c446871051fbec461f3934f67509a23c58e23e742cb4252c26c6db498fede2 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4072D | 12767 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 9 eval/decoder/string-building token(s).
|
|||
stream_070_off00041b5e.js9f4f98da6a88d8620b0d9c1af28b6ccf9f73a11d85b28565ca61c57485d9d5df |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x41B5E | 6973 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
stream_071_off00042241.js80ce2d866a2fdb4b1b2ba015a26631f38c21b392dc9ecee506555761dc8c4025 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x42241 | 12014 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 11 eval/decoder/string-building token(s).
|
|||
stream_075_off0004394b.js547f9c4f4eb1af2ef02b1afd7c2490121f8cb357a6c2af493ddc150cb8f5670c |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4394B | 6102 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 6 eval/decoder/string-building token(s).
|
|||
stream_076_off00043fc2.jsac1fc98471a4ad25988d3906a0906bcc5f09af8679e9acc62e4928e9997af8b9 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x43FC2 | 14883 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 10 eval/decoder/string-building token(s).
|
|||
stream_078_off000450a1.jsa72a753129062e36be921c70ff3059e518c55f706a12e88bfbe2d5ab057072c4 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x450A1 | 2275 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
stream_080_off00045872.js05316067b29c960e357649f0913d0498a2fc452538db49722fdae2ccc4c9e1d8 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x45872 | 29167 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
stream_081_off00046e3a.jsfa8f5d396a2d387711b38e59057f0f477c00686536106a5935ac3303778ed502 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x46E3A | 29163 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
stream_082_off00048402.js26ccc1d25333913eb5a364ea921278e90c7aa1cd2d1859db4e01882b59981729 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x48402 | 29169 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
stream_083_off00049968.jsb57d512637bdf2b4c52deda3d9fce46dc09fe8cfbc031ad2fec7847b0ebf9045 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x49968 | 61192 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 10 eval/decoder/string-building token(s).
|
|||
stream_084_off0004c3de.jsbdaa400da0bdc47814247ab3d19cdc5972e5101b27660719365ac7fe30a6e435 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4C3DE | 4821 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
stream_085_off0004c95b.jscc26bb091022a0d419c2e1f7348d6448d6c7e0068e5e25d7f8a582df1e9e4da3 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4C95B | 50174 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 7 eval/decoder/string-building token(s).
|
|||
stream_086_off0004eee8.jse7bf1f2278e935d12af1cbf4c2bd3f22bb8189ff71c01565d75f640688906848 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4EEE8 | 12008 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 eval/decoder/string-building token(s).
|
|||
stream_088_off00073d7a.bin8205ef3e87f40f76f0c708aa8269d20c93502a3b8fff24090dd62d2cc6557b85 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x73D7A | 4071476 bytes |
stream_089_off0026f85b.js590db5579867fd918b694bb155628425ceb35c0a6ddc30cfcd09da4d5f0517b0 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x26F85B | 151076 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
stream_090_off002a3955.js7c2c1502e2d44217635cc0a5baeaf982a03d8826e183b1ca23f5f2869e66b84e |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2A3955 | 37605 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
stream_091_off002a5433.js87df72e09909da810d7ec2aa686a613b12419c21763b9cedc77cdaf358d93b69 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2A5433 | 55708 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
stream_092_off002a78cd.js9db5af61eb6399144d1838eb6e8a6a512d595cc7a361bcbb8595393826e51abf |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2A78CD | 28220 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
stream_093_off002a8cfb.js297a1e8b6ca5ff66d7235839d9acb31682cda559ce3f9d26642ffab49912f161 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2A8CFB | 28214 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
stream_094_off002aa122.jsc962bdff8c8b8429104cd2cb27f66e43a2b6dd4f1b6bc341047a9d13ab971d12 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2AA122 | 28218 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
stream_095_off002ab54d.js20d2f73f53d023fb3b1e7feb3a9ea1a18ea17edfb7824465539a70f17f076c86 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2AB54D | 12142 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 6 eval/decoder/string-building token(s).
|
|||
stream_096_off002ac05a.js1e06adbaa0e4cdad14e5db94a83e6b3a3837e99d3f93396bb27d0edfd7e10cb8 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2AC05A | 5443 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
stream_097_off002ac6c1.jsdca1de054f29f50846bac30bad5c32c76339e49e83ddfa65901e938502f49632 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2AC6C1 | 5323 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
stream_098_off002acd0d.js9bb0ea58e72fcaa3d70d8ebc8ebf936dbf6d1eda9e5501e239dd7ded5ab44b78 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2ACD0D | 15014 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
stream_099_off002ad9b5.js23c9f75f1f9ed1627d2be9f28ec9cc1fab2b446e8d39d14c05a077a30fece2d8 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2AD9B5 | 7947 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.