Verdict: MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK:
- T1059.001 PowerShell
- T1204.002 Malicious File
This PDF file contains multiple embedded JavaScript streams, several of which were flagged for obfuscation techniques like eval() and unescape(). The presence of these JavaScript actions and embedded script payloads strongly suggests the document is designed to execute malicious code. The primary intent appears to be downloading and executing a second-stage payload, as indicated by the heuristic firings and the nature of the embedded scripts. No specific family could be confidently identified due to the generic nature of the exploit.
Heuristics (11)
- eval() call [high] PDF_EVAL: eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
- unescape() call [high] PDF_UNESCAPE: unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
- Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD: PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
- JavaScript action [low] PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low] PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Additional-actions dictionary [low] PDF_AA: PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
- String.fromCharCode [low] PDF_FROMCHARCODE: String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
- Optional Content Group with action trigger [low] PDF_OPTIONAL_CONTENT: Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
- AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON: PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/g/img/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://purl.org/dc/elements/1.1/
Extracted artifacts (24)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| javascript_obj0197_000.js | acd6244460873bfdf8c84155b55e9873f457aed088cf4e27f87aa67a1a5f0137 | pdf-javascript-stream | PDF /JS object 197 at offset 0x49A82 | 23881 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s). |
| javascript_obj0200_001.js | c37678945a32ddd6d14330812f6555e409e97a7d6be74c29298245d527cea542 | pdf-javascript-stream | PDF /JS object 200 at offset 0x4B4DC | 7131 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). |
| javascript_obj0202_002.js | 60f7dc10ce4582ab06e8dba17c351f255e7f4e9909d88d50ec31213cdf9b6be0 | pdf-javascript-stream | PDF /JS object 202 at offset 0x4CE1C | 12428 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s). |
| javascript_obj0203_003.js | 1c80b1fcfa1a882440def46b1e6406af32dd4a56499b144c09c13572bed8879c | pdf-javascript-stream | PDF /JS object 203 at offset 0x4D924 | 5368 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s). |
| javascript_obj0207_004.js | 70e19c3af78739072cf0c51dfe5e6d2d74ba439663b3b3757c66446c7ef081d2 | pdf-javascript-stream | PDF /JS object 207 at offset 0x4F47C | 8402 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s). |
| javascript_obj0208_005.js | ec51594e4b6802de4c6d4cb9a3c0b77804bd8b541ea779adadc994ae123b0501 | pdf-javascript-stream | PDF /JS object 208 at offset 0x4FCB4 | 12178 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). |
| javascript_obj0209_006.js | 6caa7dd98eb42d21b7ee6ae5fc317a8bfdb2e8983d02710a0b5928bc4c878992 | pdf-javascript-stream | PDF /JS object 209 at offset 0x506D3 | 1632 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). |
| javascript_obj0219_007.js | 4d7c4e5dc99001e77d0dea36f8cb3703c863ddc6ad281286d72a2f41f59ae98b | pdf-javascript-stream | PDF /JS object 219 at offset 0x58783 | 44812 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s). |
| javascript_obj0220_008.js | e2290a81b586bac2c892ba2299416d09668e12e9e0e98958692a38354c69721d | pdf-javascript-stream | PDF /JS object 220 at offset 0x5A62D | 9013 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s). |
| javascript_obj0221_009.js | acdd026b272c4fcf9dcbfa94681436b9c70cf2805369bdb363ed10c3e4161b75 | pdf-javascript-stream | PDF /JS object 221 at offset 0x5AE23 | 1796 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). |
| javascript_obj0223_010.js | 265a639a8cbe3cfd38ecad67b2efc469e897aa02dfacdb3d3084587b464cb618 | pdf-javascript-stream | PDF /JS object 223 at offset 0x5BFFC | 17210 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s). |
| javascript_obj0225_011.js | 4c00428ae36f5ca7a5c5c499a71c521009015460210cae87312362c2443321da | pdf-javascript-stream | PDF /JS object 225 at offset 0x5EAE7 | 29588 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s). |
| javascript_obj0226_012.js | cdf52350da1741bfffa96552d7abc9b2fa3ed2fcd7f6dbba6eeb747d9bd5d07a | pdf-javascript-stream | PDF /JS object 226 at offset 0x60012 | 5859 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). |
| javascript_obj0227_013.js | 37f8a07e2b4ad30ea896a939ff158bfa56c47ebf7db14a1e7960aae4569b20f5 | pdf-javascript-stream | PDF /JS object 227 at offset 0x6065B | 1912 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s). |
| stream_050_off0004864d.js | d9a00bae7f9b4a73d28810c0596afc4684ed9b978ed91afc480c36218b32340d | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4864D | 28204 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s). |
| stream_052_off0004ac80.js | a6ad86a483aebeef23a7a78a561460281eaa4044d00d1444d58691b626f4b0b8 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4AC80 | 7720 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). |
| stream_054_off0004bccd.js | cb36499b7c0a124d929629c2cc1bff04fb13abc77a80ad168c858bf459b6220f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4BCCD | 18421 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 10 eval/decoder/string-building token(s). |
| stream_057_off0004dfbc.js | af85a00d5afdac67c61116cfb59f33c5720abbdd7dab1e81ecd6278b0ca3ff7f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4DFBC | 26144 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 11 eval/decoder/string-building token(s). |
| stream_069_off00055f31.js | 20813868ff5924a446b9a1ca93a0f8ca1937ae3a86932db3b02a61aed190f58f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x55F31 | 56410 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 14 eval/decoder/string-building token(s). |
| stream_073_off0005b1a4.js | 1c2f8fa58b8f5992b85b8bcec7fcdca2948e972bc8a7c32103c96cc2690ff776 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5B1A4 | 17888 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s). |
| stream_075_off0005cdd8.js | c0ea2ae0aa0256cb6262856194675d8f3506242b0c10dad1b02c3d058de4a98a | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5CDD8 | 38073 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 16 eval/decoder/string-building token(s). |
| font_00_sfnt_off000026cd.bin | d6c87a9ca199ae8ba090d0572b93dd998834c9c653719de43d2ecc5b209048e7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26CD | 80690 bytes | |
| font_01_cff_off00012ebc.bin | ff2bd39b1311329d9bedf20dcc32a5c5691647192c7f1c6f455126503a909ee9 | pdf-font-stream | PDF embedded font (cff) at offset 0x12EBC | 1558 bytes | |
| font_02_sfnt_off0003a051.bin | f39f99e2d4b021d4eac703afe26d32ad26f128c442f2089910c21b1f323fc85d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3A051 | 79301 bytes | |