Verdict: MALICIOUS
Risk Score: 70

Malware Insights

MITRE ATT&CK: T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ASCIIHexDecode filter with exploit indicators suggests an attempt to obfuscate malicious content. While the specific JavaScript actions are not fully detailed, the presence of these elements points to an attack pattern involving script execution. The embedded URL, though benign, is noted. The document body is heavily obfuscated and does not provide clear user-facing content for a specific lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.7900
Heuristics (5)

- ASCIIHexDecode filter (with exploit indicators) [medium, PDF_FILTER_HEX]: Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
- JavaScript action [low, PDF_JAVASCRIPT, 1 related finding]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs and the channel that reached each:

| URL | Channel |
|---|---|
| http://www.solvaypharmaceuticals.com/researchanddevelopment/clinicaltrialsdisclosure | In PDF document text |
| http://www.monotype.com (Monotype) | Referenced by PDF JavaScript |
| http://www.clinicaltrials.gov/ | PDF link annotation |
| http://www.clinicaltrials.gov/)/S/URI | In PDF document text |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | In PDF document text |
| http://ns.adobe.com/xap/1.0/ | In PDF document text |
| http://ns.adobe.com/xap/1.0/mm/ | In PDF document text |
| http://purl.org/dc/elements/1.1/ | In PDF document text |
| http://ns.adobe.com/pdf/1.3/ | In PDF document text |
| http://ns.adobe.com/pdfx/1.3/ | In PDF document text |
| http://www.monotype.com/html/mtname/ms_arial.html | Referenced by PDF JavaScript |
| http://www.monotype.com/html/mtname/ms_welcome.html | Referenced by PDF JavaScript |
| http://www.monotype.com/html/type/license.html | Referenced by PDF JavaScript |
| http://www.iec.ch | In PDF document text |
Extracted artifacts (7)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0213_000.js | pdf-javascript-stream | PDF /JS object 213 at offset 0xC7D | 108 bytes | 30fc63e757c5a23a48e8cde70e11995a67948cfd40b862d8c59f5953915af67e |
| stream_001_off00001649.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1649 | 308015 bytes | 4735e29f6b4dfaae31ceba3a66c7548a579b3b0ad8f9ec68bc6e90b0597d7de3 |
| stream_110_off0005cb21.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5CB21 | 26904 bytes | 1a0875e939f6406eb9ec8e9c113ff4b3f21d60615382e6e1a6a17ede91429e3b |
| icc_00_off00039ce3.icc | pdf-icc-profile | PDF ICC profile at offset 0x39CE3 | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e |
| font_01_sfnt_off00035227.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x35227 | 24156 bytes | 9ebf16e3c59561c5ee5f2e56c961803aa21202da15147f04fd9bd34cc17da1cc |
| font_02_sfnt_off0008a15d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8A15D | 51852 bytes | eccae28eb710ffb5a5a842a2c12745de59ebd03235a771a6d39d3c6e9a992f77 |
| font_03_sfnt_off000935bb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x935BB | 4488 bytes | d14bc243dabc9a79e1b93b740b2267760b826adbcde9581d92d4cd49f1a485f7 |

Preview script for javascript_obj0213_000.js (first 1,000 lines of the extracted script):

```javascript
var DatePrinted = this.getField("DatePrinted");
DatePrinted.value = util.printd("dd-mmm-yyyy", new Date());
```