Verdict: MALICIOUS
Risk Score: 64

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1204.002 Malicious File
The PDF file contains multiple embedded JavaScript streams and an embedded file, indicating an attempt to deliver a malicious payload. The presence of JavaScript actions and embedded files strongly suggests an exploit attempt. The specific JavaScript content could not be fully analyzed due to obfuscation, but its presence is a significant indicator of malicious intent, likely to download and execute a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.7050
Heuristics (5)
- JavaScript action (low, 1 related finding) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file (low) PDF_EMBEDDED: PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- AcroForm button with action trigger (low) PDF_ACROFORM_BUTTON: PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.color.org (in PDF document text)
  - http://crl.adobe.com/prodSvce.crl0 (in PDF document text)
  - https://www.adobe.com/misc/pki/prod_svce_cps.html0 (in PDF document text)
  - http://crl.adobe.com/cds.crl0 (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/iX/1.0/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://cgi.adobe.com/special/acrobat/update (referenced by PDF JavaScript)
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| XMLOutput.joboptions | pdf-embedded-file | PDF EmbeddedFile object 10 at offset 0x262B | 3412 bytes | 3e7bc6c5c0000086044717232136750cad4f6b3c0788ebd37b8065f3639cb3ab |
| javascript_obj0038_000.js | pdf-javascript-stream | PDF /JS object 38 at offset 0x374F | 146 bytes | d30ce0ae4fb8d03f97907d3b7bfe1b2969fe93bdc87041b9e47a33527d5c7723 |
| javascript_obj0045_001.js | pdf-javascript-stream | PDF /JS object 45 at offset 0x391F | 252 bytes | 4d6cf70ecd005f6bd3753f674e0d3f7d2b300b6010c25e46351f9cfd52857bc6 |
| javascript_obj0048_002.js | pdf-javascript-stream | PDF /JS object 48 at offset 0x3AC5 | 161 bytes | 97739d9691f875873774e877d5e9a5eb0aa173e9c54660797e0d289c1cd17bee |
| javascript_obj0054_003.js | pdf-javascript-stream | PDF /JS object 54 at offset 0x3C81 | 80 bytes | b14e5079ef90a7ecfefb43ee62409c1fcf65d4f7fe765e0fc99434fd541852ee |
| javascript_obj0055_004.js | pdf-javascript-stream | PDF /JS object 55 at offset 0x3D0D | 194 bytes | b05b985f80c809cbe72a6519393047cfe482425b2a593c9549f2bf1f76d62ce4 |
| javascript_obj0056_005.js | pdf-javascript-stream | PDF /JS object 56 at offset 0x3E17 | 135 bytes | e1a21f3039b73bc4fd5f33495875c38be18ccf54e67cf19522988886ee574bf2 |
| javascript_obj0057_006.js | pdf-javascript-stream | PDF /JS object 57 at offset 0x3EE2 | 214 bytes | dfd361c2554ba1fc7bc684636338e3cee4ca65f341593f68105ea84b0feb837b |
| javascript_obj0058_007.js | pdf-javascript-stream | PDF /JS object 58 at offset 0x4000 | 218 bytes | 136a71a8967041ecb520ee9bd0fd9205abaeea86711a84a745d8b2d92cff7706 |
| javascript_obj0061_008.js | pdf-javascript-stream | PDF /JS object 61 at offset 0x417D | 242 bytes | 54753861e389027af70afabfb406889426cc252e0844eaca7a4a618c95a39a59 |
| javascript_obj0364_009.js | pdf-javascript-stream | PDF /JS object 364 at offset 0x17C6E | 75 bytes | 88d94543203ee65f664e0cd3e2079b205718ce4c6742f68a2cbc5c8cb72d29ce |
| javascript_obj0365_010.js | pdf-javascript-stream | PDF /JS object 365 at offset 0x17CF4 | 66 bytes | ac5d94ba1fcf165457f166f832a90518b555d68648636ce024bff5231219c231 |
| javascript_obj0369_011.js | pdf-javascript-stream | PDF /JS object 369 at offset 0x17ED3 | 75 bytes | 3513e03e7606b6d203146f141d26fc2fe0f2e9eb39e73e962d89d919cee5677f |
| javascript_obj0375_012.js | pdf-javascript-stream | PDF /JS object 375 at offset 0x181D1 | 68 bytes | 0a4ed17afd1d11fd30e027675325b03521a64fd4e0551219b01a6381921d301c |
| javascript_obj0376_013.js | pdf-javascript-stream | PDF /JS object 376 at offset 0x18248 | 75 bytes | e27f14f0303e316006486422b270fa616bae565f2b091f35d74c9f8e714c9bb3 |
| javascript_obj0377_014.js | pdf-javascript-stream | PDF /JS object 377 at offset 0x182CE | 66 bytes | a5dfefe5c48f19d0827530d2ad33cf110dccc7a5a99178e2c99343611f8cff20 |
| javascript_obj0380_015.js | pdf-javascript-stream | PDF /JS object 380 at offset 0x1843A | 77 bytes | 003d04735566d4d9727689ca4f66900a8c5584fa326d6df770fe3fa3b5beb727 |
| javascript_obj0383_016.js | pdf-javascript-stream | PDF /JS object 383 at offset 0x186A1 | 66 bytes | 3044a9ef1e826172fda6dab4828863268a76cf18d68b554f851750fdb2c29398 |
| javascript_obj0384_017.js | pdf-javascript-stream | PDF /JS object 384 at offset 0x18714 | 75 bytes | 40501e73675595d0c2851e4a36e8cf0bd7ae27e4129b2087bc1df2c4984d53d0 |
| javascript_obj0389_018.js | pdf-javascript-stream | PDF /JS object 389 at offset 0x1898C | 81 bytes | 1dbe99340d5cb25125166c615fc2b96ad338443dc175a2983f006e6219841e27 |
| javascript_obj0391_019.js | pdf-javascript-stream | PDF /JS object 391 at offset 0x18A9C | 83 bytes | 673329b059d1454f484cfce2faec66b06a16fb6649ff59898a181177b52ab1d5 |
| javascript_obj0397_020.js | pdf-javascript-stream | PDF /JS object 397 at offset 0x18DD8 | 79 bytes | c51040a56352b939daae62ff7a7b4dac8fcc52fbe13cde93d1a17301a9de066d |
| javascript_obj0402_021.js | pdf-javascript-stream | PDF /JS object 402 at offset 0x1907A | 73 bytes | b12dd095d658648cdbd2ecf870f9c83bae27d8c636449e91fd260f21154ef18b |
| javascript_obj0403_022.js | pdf-javascript-stream | PDF /JS object 403 at offset 0x190FC | 69 bytes | 1399b862894e481389d5b100371d974dfe8d5719d36be112fd41be3c05278666 |
| javascript_obj0404_023.js | pdf-javascript-stream | PDF /JS object 404 at offset 0x19176 | 72 bytes | 65b5b9043c75eedf5b09b65f1e0cbb682481f5bc09812845a538dac7a43048f6 |
| javascript_obj0405_024.js | pdf-javascript-stream | PDF /JS object 405 at offset 0x191F7 | 65 bytes | e6cd6eee8d02d685f78885ab8f46f20b4eb1e532f8d9f7816419aa8a7d5f4c85 |
| javascript_obj0406_025.js | pdf-javascript-stream | PDF /JS object 406 at offset 0x19269 | 72 bytes | 8c2df643409c83b47faa8282d0904837fd202a4932ea9e6808df7970c1219a2d |
| javascript_obj0407_026.js | pdf-javascript-stream | PDF /JS object 407 at offset 0x192EA | 65 bytes | fa638be93c2cadb838ba5c151ab00d8c63f4a63721e9cb332ac287e9620107c1 |
| javascript_obj0408_027.js | pdf-javascript-stream | PDF /JS object 408 at offset 0x1935C | 72 bytes | e0bbc1fd2dae993001dcb97bb86cd796e07095063ca5db010a5867a1fd715fec |
| javascript_obj0409_028.js | pdf-javascript-stream | PDF /JS object 409 at offset 0x193DD | 69 bytes | 385df57b06c63a3b4f2e7efa634bf00aefdc016a2017b75484163b5b3e4b3c1b |
| javascript_obj0410_029.js | pdf-javascript-stream | PDF /JS object 410 at offset 0x19457 | 72 bytes | db4b8352532fd9ca7963a76d997b4cf537a7caa3c81027feeabdfd7d8e57554b |
| javascript_obj0411_030.js | pdf-javascript-stream | PDF /JS object 411 at offset 0x194D8 | 126 bytes | e9a685ca4655c774b39bedbcd05b120b7df7ecc48c83df0ac43d1fd80a7d6fa2 |

Preview scripts (first 1,000 lines of each extracted script)

javascript_obj0038_000.js

```javascript
if ((app.viewerVersion < 5) && (app.viewerVersion > 0) && (this.getField("BarCode1") != null))
    this.getField("BarCode1").value = " ";
```

javascript_obj0045_001.js

```javascript
function decimalLength (str) {
    var decimalLen = 0;
    var decimalPos = str.indexOf(".");
    if (decimalPos != -1) {
        var decimal = str.substring(decimalPos+1,str.length);
        decimalLen = decimal.length;
    }
    return decimalLen;
}
```

javascript_obj0048_002.js

```javascript
function formatChkBox (fld) {
    var str = "";
    var chkBox = this.getField(fld);
    if (chkBox.value != "Off")
        str = chkBox.value;
    return str;
}
```

javascript_obj0054_003.js

```javascript
function setFld (fld, val) {
    this.getField(fld).value = val;
}
```

javascript_obj0055_004.js

```javascript
function trim(str) {
    if (str != "" || str.length > 0) {
        str = str.replace(/^\s+/,"");
        str = str.replace(/\s+$/,"");
        str = str.replace(/^[-]/,"");
    }
    return str;
}
```

javascript_obj0056_005.js

```javascript
function trimLeadZeroes (str) {
    while (str.charAt(0) == "0") {
        str = str.substring(1,str.length);
    }
    return str;
}
```

javascript_obj0057_006.js

```javascript
function trimWhiteSpace (str) {
    // trim leading whitespace
    var newStr = str.replace(/^\s+/,'');
    // trim trailing whitespace
    newStr = newStr.replace(/\s+$/,'');
    return newStr.toUpperCase();
}
```

javascript_obj0058_007.js

```javascript
// valid characters include a-z, space, and dash
function validAlpha (str) {
    var validity = false;
    var alphaExp = /^[a-z \-]+$/i;
    if (alphaExp.test(str))
        validity = true;
    return validity;
}
```

javascript_obj0061_008.js

```javascript
function validateForeignTrans (fld,lineNum) {
    var str = trimWhiteSpace(this.getField(fld).valueAsString);
    if (!validAlpha(str))
        validateMoney(event.targetName,lineNum);
    else
        this.getField(fld).value = str.toUpperCase();
}
```

javascript_obj0364_009.js

```javascript
if (event.value != "") validateCode(event.targetName,"13");
```

javascript_obj0365_010.js

```javascript
if (event.value != "") validateMoney(event.targetName,"13");
```

javascript_obj0369_011.js

```javascript
if (event.value != "") validateCode(event.targetName,"14");
```

javascript_obj0375_012.js

```javascript
if (event.value != "") validateMoney(event.targetName,"10");
```

javascript_obj0376_013.js

```javascript
if (event.value != "") validateCode(event.targetName,"10");
```

javascript_obj0377_014.js

```javascript
if (event.value != "") validateMoney(event.targetName,"10");
```

javascript_obj0380_015.js

```javascript
if (event.value != "") validateCode(event.targetName,"10");
```

javascript_obj0383_016.js

```javascript
if (event.value != "") validateMoney(event.targetName,"15");
```

javascript_obj0384_017.js

```javascript
if (event.value != "") validateCode(event.targetName,"15");
```

javascript_obj0389_018.js

```javascript
if (event.value != "") validateForeignTrans(event.targetName,"14");
```

javascript_obj0391_019.js

```javascript
if (event.value != "") validateForeignTrans(event.targetName,"14");
```

javascript_obj0397_020.js

```javascript
if (event.value != "") validateForeignTrans(event.targetName,"14");
```

javascript_obj0402_021.js

```javascript
if (event.value != "") validateCode(event.targetName,"5a");
```

javascript_obj0403_022.js

```javascript
if (event.value != "") validateMoney(event.targetName,"4");
```

javascript_obj0404_023.js

```javascript
if (event.value != "") validateCode(event.targetName,"4");
```

javascript_obj0405_024.js

```javascript
if (event.value != "") validateMoney(event.targetName,"3");
```

javascript_obj0406_025.js

```javascript
if (event.value != "") validateCode(event.targetName,"3");
```

javascript_obj0407_026.js

```javascript
if (event.value != "") validateMoney(event.targetName,"2");
```

javascript_obj0408_027.js

```javascript
if (event.value != "") validateCode(event.targetName,"2");
```

javascript_obj0409_028.js

```javascript
if (event.value != "") validateMoney(event.targetName,"1");
```

javascript_obj0410_029.js

```javascript
if (event.value != "") validateCode(event.targetName,"1");
```

javascript_obj0411_030.js

```javascript
var c1_10 = this.getField("c1-10");
var c1_11 = this.getField("c1-11");
if (c1_11.value == "X")
    c1_10.value = "Off";
```