SUSPICIOUS
26
Risk Score
Machine Learning
- Nyx PDF Classifier clean score 0.2045
Heuristics 4
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
Extracted artifacts 25
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0139_000.js |
pdf-javascript-stream | PDF /JS object 139 at offset 0x1E36 | 145 bytes |
SHA-256: d8833d79ca45c8ca9ece0ff2063a60b2c245b7bb9f3b52c74c971664b642db07 |
|||
Preview scriptFirst 1,000 lines of the extracted script
var fecha=this.getField("fecha");
var today=new Date();
fecha.defaultValue = formatDate(today, "dd/MM/yyyy")
fecha.value=fecha.defaultValue;
|
|||
javascript_obj0112_001.js |
pdf-javascript-stream | PDF /JS object 112 at offset 0xF656 | 88 bytes |
SHA-256: 6f41a385b150f04a6757ebe5c48f6c7982616054ab7c86e10e179e699ea99bba |
|||
Preview scriptFirst 1,000 lines of the extracted script
if (!checkStringOnlyNums(event.change))
{
event.change="";
event.rc=false;
}
|
|||
javascript_obj0109_003.js |
pdf-javascript-stream | PDF /JS object 109 at offset 0x10670 | 33 bytes |
SHA-256: 57758ded0ac3700f786c45e29cca00842b712fb028ce95a4cd688d4f70c62fce |
|||
Preview scriptFirst 1,000 lines of the extracted script
AFDate_KeystrokeEx("dd/mm/yyyy");
|
|||
javascript_obj0108_004.js |
pdf-javascript-stream | PDF /JS object 108 at offset 0x106BB | 38 bytes |
SHA-256: ae95d6581723cae0c2c1e3044a60f6c91e032264799b53449cd6269e6993d7bc |
|||
Preview scriptFirst 1,000 lines of the extracted script
AFNumber_Format(0, 0, 0, 0, "", true); |
|||
javascript_obj0107_005.js |
pdf-javascript-stream | PDF /JS object 107 at offset 0x1070B | 41 bytes |
SHA-256: 617ef4da07d9bc9d4e06a2320fe0d4cbacd3d6c2cc82039cf4e79e7facf7545f |
|||
Preview scriptFirst 1,000 lines of the extracted script
AFNumber_Keystroke(0, 0, 0, 0, "", true); |
|||
javascript_obj0106_006.js |
pdf-javascript-stream | PDF /JS object 106 at offset 0x1075E | 89 bytes |
SHA-256: cd7085eaf347490345794d135ad6387c797c9a8d416b3fcbf1c10ae869f7c246 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/*if (!checkStringOnlyChars(event.change))
{
event.change="";
event.rc=false;
}*/
|
|||
javascript_obj0105_007.js |
pdf-javascript-stream | PDF /JS object 105 at offset 0x107E7 | 38 bytes |
SHA-256: 729ca6264168a99bb97c0658554d5b34491e18c8ba65c8fc35d432391343ef33 |
|||
Preview scriptFirst 1,000 lines of the extracted script
AFNumber_Format(2, 0, 0, 0, "", true); |
|||
javascript_obj0104_008.js |
pdf-javascript-stream | PDF /JS object 104 at offset 0x10837 | 41 bytes |
SHA-256: a011daa0ff2a361a79751d1cef42de9f50cfaaf7fc839fe5b5e485c7248b809d |
|||
Preview scriptFirst 1,000 lines of the extracted script
AFNumber_Keystroke(2, 0, 0, 0, "", true); |
|||
javascript_obj0099_011.js |
pdf-javascript-stream | PDF /JS object 99 at offset 0x11BF9 | 157 bytes |
SHA-256: 358151527d44a20cbb3e806bba9d3b545f93cdb802a0574146d5a2ab9d4d1a8d |
|||
Preview scriptFirst 1,000 lines of the extracted script
var otros=this.getField("otros")
if (event.value=="Otros (Por favor especificar a continuaci�n)")
otros.readonly=false;
else
otros.readonly=true;
|
|||
javascript_obj0120_012.js |
pdf-javascript-stream | PDF /JS object 120 at offset 0x11CF8 | 215 bytes |
SHA-256: cf97633d7035d19004d07cb6d81c7741840c914bb00ad37fcf21b751c4e09cd9 |
|||
Preview scriptFirst 1,000 lines of the extracted script
if ((String(event.value).length!=0))
if ((String(event.value).length>8) || (String(event.value).length<6))
{
app.alert("Debe ingresar un n�mero telef�nico v�lido.")
event.rc=false;
}
|
|||
javascript_obj0118_013.js |
pdf-javascript-stream | PDF /JS object 118 at offset 0x11EF4 | 38 bytes |
SHA-256: d01aa0c07a077ec23f69b8fd9ccdaa6826882e0b2e7e446039ebdd1d983fffcc |
|||
Preview scriptFirst 1,000 lines of the extracted script
AFNumber_Format(0, 1, 0, 0, "", true); |
|||
javascript_obj0117_014.js |
pdf-javascript-stream | PDF /JS object 117 at offset 0x11F44 | 41 bytes |
SHA-256: 3e3d0e421d915769fa631911550fb2593579e6bb9a99fb9158381ac8e8f07fe2 |
|||
Preview scriptFirst 1,000 lines of the extracted script
AFNumber_Keystroke(0, 1, 0, 0, "", true); |
|||
javascript_obj0111_015.js |
pdf-javascript-stream | PDF /JS object 111 at offset 0x11F97 | 89 bytes |
SHA-256: 4338dbb4cc316e8aacad7227b13134d807c9b3ab7d8e6c229b1a5ed364d80679 |
|||
Preview scriptFirst 1,000 lines of the extracted script
if (!checkStringOnlyChars(event.change))
{
event.change="";
event.rc=false;
}
|
|||
javascript_obj0114_016.js |
pdf-javascript-stream | PDF /JS object 114 at offset 0x121F7 | 51 bytes |
SHA-256: f015573565264e0ab57b71655084a5959c27e67221812cad59b4e5fbb31d4cea |
|||
Preview scriptFirst 1,000 lines of the extracted script
if (!checkDate(event.value))
event.rc=false;
|
|||
javascript_obj0015_017.js |
pdf-javascript-stream | PDF /JS object 15 at offset 0x123E3 | 85 bytes |
SHA-256: bc2ae8ada541508136f4e743b670c74e84e6426817d85b0b88b60cd5b51ae255 |
|||
Preview scriptFirst 1,000 lines of the extracted script
function addZero(vNumber)
{
return ((vNumber < 10) ? "0" : "") + vNumber ;
}
|
|||
javascript_obj0017_018.js |
pdf-javascript-stream | PDF /JS object 17 at offset 0x12499 | 254 bytes |
SHA-256: f2f2aeeb940c9f4cbbb63278623486d12b67603c7e94534028fd8a7ccdce135b |
|||
Preview scriptFirst 1,000 lines of the extracted script
function checkStringOnlyChars(value)
{
var checkStr="<>,;.:_��\\1234567890!\"�$%&/()=?��|@#��~[]{}�+`�;^*Ǩ";
for (i=0; i<value.length; i++)
if (checkStr.indexOf(value.substr(i,1)) >= 0)
return false;
return true;
}
|
|||
javascript_obj0018_019.js |
pdf-javascript-stream | PDF /JS object 18 at offset 0x125DD | 212 bytes |
SHA-256: 15738823d46d0031d83fc529b587b8d4f5db5161eb15e16a707a38a951da0c8f |
|||
Preview scriptFirst 1,000 lines of the extracted script
function checkStringOnlyNums(value)
{
var checkStr="0123456789";
for (i=0; i<value.length; i++)
if (!(checkStr.indexOf(value.substr(i,1)) >= 0))
return false;
return true;
}
|
|||
javascript_obj0021_020.js |
pdf-javascript-stream | PDF /JS object 21 at offset 0x1274A | 110 bytes |
SHA-256: fc0817086763f826fc86ffa7705027f476292243ee0bd9c4b85bcbfaa535b845 |
|||
Preview scriptFirst 1,000 lines of the extracted script
function swapOtraMoneda(bVisible)
{
var omon = this.getField("Omon");
omon.readonly=(!bVisible);
}
|
|||
javascript_obj0022_021.js |
pdf-javascript-stream | PDF /JS object 22 at offset 0x127ED | 505 bytes |
SHA-256: fb1653ee89cbc60dd08f6ed768f4f885fc93f9d2b3e6b07b728b6028dd9960d6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
function stringToDate(DateValue)
{
var firstSlashPos=DateValue.indexOf("/");
var lastSlashPos=DateValue.lastIndexOf("/");
year=0;
month=0;
day=0;
year = DateValue.substr(lastSlashPos+1,DateValue.length - lastSlashPos);
month = DateValue.substr(firstSlashPos+1,lastSlashPos-firstSlashPos-1);
day = DateValue.substr(0,firstSlashPos);
fechaFormat=new Date();
fechaFormat.setFullYear(year);
fechaFormat.setMonth(month-1,day);
return fechaFormat;
}
|
|||
javascript_obj0023_022.js |
pdf-javascript-stream | PDF /JS object 23 at offset 0x12914 | 816 bytes |
SHA-256: 175b1e9fce8c29f08a8d2d1611183c1e54d0f7f389620cdcab15b14cec658e0e |
|||
Preview scriptFirst 1,000 lines of the extracted script
function formatDate(vDate, vFormat)
{
var vDay = addZero(vDate.getDate());
var vMonth = addZero(vDate.getMonth()+1);
var vYearLong = addZero(vDate.getFullYear());
var vYearShort = addZero(vDate.getFullYear().toString().substring(3,4));
var vYear = (vFormat.indexOf("yyyy")>-1?vYearLong:vYearShort)
var vHour = addZero(vDate.getHours());
var vMinute = addZero(vDate.getMinutes());
var vSecond = addZero(vDate.getSeconds());
var vDateString = vFormat.replace(/dd/g, vDay).replace(/MM/g, vMonth).replace(/y{1,4}/g, vYear)
vDateString = vDateString.replace(/hh/g, vHour).replace(/mm/g, vMinute).replace(/ss/g, vSecond)
return vDateString
}
|
|||
javascript_obj0024_023.js |
pdf-javascript-stream | PDF /JS object 24 at offset 0x12A85 | 1611 bytes |
SHA-256: a3f6129a77fdedbcdda28dd0f9b659c9d2cfdc2f548787f7b6147a0619c9d144 |
|||
Preview scriptFirst 1,000 lines of the extracted script
function checkDate(DateValue)
{
if (DateValue=="")
return true;
var checkstr = "0123456789";
var DateTemp = "";
var seperator = "/";
var day=0;
var month=0;
var year=0;
var leap = 0;
var err = 0;
var i;
var strErr="La fecha es incorrecta. Por favor, verifique que la fecha exista. La fecha debe estar de acuerdo al formato dd/mm/aaaa";
err = 0;
var firstSlashPos=DateValue.indexOf("/");
var lastSlashPos=DateValue.lastIndexOf("/");
if (firstSlashPos==lastSlashPos)
{
app.alert(strErr);
return false;
}
year = DateValue.substr(lastSlashPos+1,DateValue.length - lastSlashPos)
if (year == 0)
{
err = 20;
}
month = DateValue.substr(firstSlashPos+1,lastSlashPos-firstSlashPos-1);
if ((month < 1) || (month > 12))
{
err = 21;
}
day = DateValue.substr(0,firstSlashPos);
if ((day < 1) || (day >31))
{
err = 22;
}
if ((year % 4 == 0) || (year % 100 == 0) || (year % 400 == 0))
{
leap = 1;
}
if ((month == 2) && (leap == 1) && (day > 29))
{
err = 23;
}
if ((month == 2) && (leap != 1) && (day > 28))
{
err = 24;
}
if ((day > 31) && ((month == "01") || (month == "03") || (month == "05") || (month == "07") || (month == "08") || (month == "10") || (month == "12")))
{
err = 25;
}
if ((day > 30) && ((month == "04") || (month == "06") || (month == "09") || (month == "11")))
{
err = 26;
}
if ((day == 0) && (month == 0) && (year == 00))
{
err = 27;
day = "";
month = "";
year = "";
seperator = "";
}
if (err != 0)
{
app.alert(strErr);
return false;
}
return true;
}
|
|||
javascript_obj0096_024.js |
pdf-javascript-stream | PDF /JS object 96 at offset 0x11E13 | 261 bytes |
SHA-256: b5d347d2c15011c0ecbc96badd6480f07d1979a89d44c832d5791643308eb044 |
|||
Preview scriptFirst 1,000 lines of the extracted script
if (event.value!="")
{
var lpszValor;
var iPos;
lpszValor=String(event.value);
iPos=((lpszValor.length-4)<0)?0:lpszValor.length-4;
event.value=util.printf("%s-%s", String(lpszValor.substr(0,iPos)), String(lpszValor.substr(iPos,4)));
}
|
|||
font_00_cff_off0000341d.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x341D | 2592 bytes |
SHA-256: 8af77a8120cad34282369b63df8e587550ab5f9a7388557d88ae6eac7ec25966 |
|||
font_01_cff_off00004010.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x4010 | 8372 bytes |
SHA-256: 09b9abfd9d19d0c7f25e01d9891fb871c08832b73a05d2b0e88c7ede9b551b40 |
|||
font_02_cff_off00005be6.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x5BE6 | 2414 bytes |
SHA-256: 2606917f60bdf282f51b28ecdc15ec546c2bbf475a0d6ab4afd7e954a1345d3f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.