Verdict: MALICIOUS
Risk Score: 116
MITRE ATT&CK: T1059.001 PowerShell

Malware Insights
The PDF file contains multiple embedded JavaScript streams, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. One heuristic specifically flags a suspicious extracted artifact named 'javascript_obj0031_022.js', suggesting it contains obfuscated or malicious JavaScript. The use of String.fromCharCode further supports the presence of obfuscated JavaScript. The primary intent appears to be the execution of this embedded script, likely to download and execute a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- JavaScript action (low, 2 related findings), rule PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical), rule PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: `/S /JavaScript /JS (var nops='';for\(i=0;i<nnn2.length;i+=4\){c=0;for\(j=0;j<4;j++\)c=16*c+nnn2.charCodeAt\(i+j\)-65;nops+=String.fromCharCode\(c\);}) >>`
- Embedded JS stream (low), rule PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info), rule EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Preview (first 1,000 lines of the extracted script) |
|---|---|---|---|---|---|
| javascript_obj0010_001.js | pdf-javascript-stream | PDF /JS object 10 at offset 0x3602 | 40 bytes | f9ae5a33db8c7c1304813e927490f51369c0114e1b7e481ce8d3cc0f2f95f72e | `var ppp=new Array();var nnn=new Array();` |
| javascript_obj0011_002.js | pdf-javascript-stream | PDF /JS object 11 at offset 0x3668 | 82 bytes | e9bd0204f72b52deb3acbc142bc2d26c6e93d0dcee0d072fb25c420848fd168b | `ppp[0]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0012_003.js | pdf-javascript-stream | PDF /JS object 12 at offset 0x36F4 | 108 bytes | 64a5cb8bfaa2e97aabe6e56061eefec30a4c33613037656f837b1c04b825680e | `ppp[1]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0013_004.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x379A | 84 bytes | a6ca05acf41f0f23e5856ad7647d220cdac10ad3c2eb0b15d66bfc83a7cf160f | `ppp[2]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0014_005.js | pdf-javascript-stream | PDF /JS object 14 at offset 0x3828 | 94 bytes | 3392f758d31d882131502b203ef4fd6d57938b6d4763ee0f7ce4f21e8cb9f3b0 | `ppp[3]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0016_007.js | pdf-javascript-stream | PDF /JS object 16 at offset 0x390A | 40 bytes | 76d745a023d12ac64249523b9f6ecd9ae0bb8e3b712f24cc471bbc15ff399ae6 | `ppp[5]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0017_008.js | pdf-javascript-stream | PDF /JS object 17 at offset 0x396C | 72 bytes | e587ef619686df5ddf422fcc670388164bf84c7143778549c7a9c96096ab40f1 | `ppp[6]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0019_010.js | pdf-javascript-stream | PDF /JS object 19 at offset 0x3A46 | 118 bytes | c4e0e6e6e0a4354d64bc6f3cd8c9869f1777d9bdc1fce2548faa7cb729988914 | `ppp[8]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0020_011.js | pdf-javascript-stream | PDF /JS object 20 at offset 0x3AF6 | 92 bytes | fcd83b9009ed70792532c9083a78b8850b89b881e995d6d7f4bfca34ae84f5af | `ppp[9]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0021_012.js | pdf-javascript-stream | PDF /JS object 21 at offset 0x3B8C | 37 bytes | 5c6bfbbf89bac9b5bd57ffae74a0e4afdbcfe5b252b9b7270a71831968519db9 | `ppp[10]='MMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0023_014.js | pdf-javascript-stream | PDF /JS object 23 at offset 0x3C3E | 77 bytes | 14d71ff6464a5c0e4f4c9e7ef6a5d37400f19c0de2f10a03b7a1799f3afe983c | `ppp[12]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0024_015.js | pdf-javascript-stream | PDF /JS object 24 at offset 0x3CC5 | 115 bytes | f428a46578dd7c3a02ac13a3b8908eafea8d795c3da889d7e91514082b43bdaf | `ppp[13]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0025_016.js | pdf-javascript-stream | PDF /JS object 25 at offset 0x3D72 | 125 bytes | b416a84e79318b87c3dee04241d74c036f992ebc03c0f98711806e86ba1b65fc | `ppp[14]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0026_017.js | pdf-javascript-stream | PDF /JS object 26 at offset 0x3E29 | 39 bytes | 9ddfa485d07e81e876fc78fe579992c2744cea993c43f35e2681c5e09cd7a8b1 | `ppp[15]='MMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0027_018.js | pdf-javascript-stream | PDF /JS object 27 at offset 0x3E8A | 33 bytes | a86fd49eb1971edf38a75fbaa8bcb513c62ddbd7f398541ddd05b93551fbf804 | `ppp[16]='MMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0028_019.js | pdf-javascript-stream | PDF /JS object 28 at offset 0x3EE5 | 59 bytes | 409d0b10d6e62746ba3f2432a19dc7e4a05f6aa2a78f039f25c824c8ef8a93a2 | `ppp[17]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0029_020.js | pdf-javascript-stream | PDF /JS object 29 at offset 0x3F5A | 127 bytes | b37dfe2cd27e49fa1de08c2bc422024b64f6dd82a71729201f41ace1a5e5fdec | `ppp[18]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0030_021.js | pdf-javascript-stream | PDF /JS object 30 at offset 0x4013 | 77 bytes | c8781a06ebaa2892c20a169eb2215ae62c48e91e68a0b952dc019f8d8caf521f | `ppp[19]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0031_022.js | pdf-javascript-stream | PDF /JS object 31 at offset 0x409A | 135 bytes | a7f32cff80bcc61be9b82f8f823651abf4c10a1c9b4dfa4849317e0b939d34c9 | `ppp[20]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0032_023.js | pdf-javascript-stream | PDF /JS object 32 at offset 0x415B | 57 bytes | 43ff7fd11ffc3f9c3759b2e7f9108638fd6736539b6f9104e56bf7e077738c16 | `ppp[21]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0033_024.js | pdf-javascript-stream | PDF /JS object 33 at offset 0x41CE | 95 bytes | 1d3c650687ee74e547323960b11259925175bf64dd67df420a9b9705149a23f0 | `ppp[22]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0036_027.js | pdf-javascript-stream | PDF /JS object 36 at offset 0x4311 | 35 bytes | 17233be074ab7e996b045273aa5e8cfaa36ac32befbdba3fe0dff6883e4729cc | `ppp[25]='MMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0037_028.js | pdf-javascript-stream | PDF /JS object 37 at offset 0x436E | 65 bytes | 395b29bf2938f2ae2a2dc9fa29f2f2476ed1da1efc7d3f0e29898338e7b56f2d | `ppp[26]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0038_029.js | pdf-javascript-stream | PDF /JS object 38 at offset 0x43E9 | 129 bytes | d3f4fd25fa2acedc45e685c2eb03adc5cf62afd98489f0b6558e9d7aa3831124 | `ppp[27]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0039_030.js | pdf-javascript-stream | PDF /JS object 39 at offset 0x44A4 | 101 bytes | d0b60ea2f5bcfe721b23a0aaf4f988e8a42c4553c4490aad4840524e988cd82b | `ppp[28]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0040_031.js | pdf-javascript-stream | PDF /JS object 40 at offset 0x4543 | 43 bytes | a3994fae8bb22c322bd620a2ef5f0234386ec5d06872a496588f95f86096f3ec | `ppp[29]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0041_032.js | pdf-javascript-stream | PDF /JS object 41 at offset 0x45A8 | 39 bytes | af8b48de6402479a8825c647e637a27973e5863f0df63d784627bfaf0f78d13c | `ppp[30]='MMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0042_033.js | pdf-javascript-stream | PDF /JS object 42 at offset 0x4609 | 47 bytes | 0f8201e59f8735b9b92078f009b6f8ca6e74b311991fecf3f490a912c5c0b96a | `ppp[31]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0045_036.js | pdf-javascript-stream | PDF /JS object 45 at offset 0x4714 | 79 bytes | 45f6e18027112c18fb6e79e920d5fb84ed1db27baaf9f7a29f5da96ddfe8e7e9 | `ppp[34]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0046_037.js | pdf-javascript-stream | PDF /JS object 46 at offset 0x479D | 59 bytes | 95082c7e3adabc3b3cb44ad052b698119d6dc93c4bc4dc1365f4c5f9c789219c | `ppp[35]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';` |
| javascript_obj0049_040.js | pdf-javascript-stream | PDF /JS object 49 at offset 0x48A2 | 49 bytes | 5919c0d1d84a5a746be9f27963881ad88d4190b52b00795a7bba41f91757774f | `var pay='';for (i=0;i<ppp.length;i++)pay+=ppp[i];` |
| javascript_obj0050_041.js | pdf-javascript-stream | PDF /JS object 50 at offset 0x490F | 51 bytes | 9882b77792295f132527561d187f85c94b2cd973564768e464959f18c36b3adf | `var nnn2='';for (i=0;i<nnn.length;i++)nnn2+=nnn[i];` |

Detection results for javascript_obj0031_022.js: ClamAV reported no threats; obfuscation or payload was rated likely, because the carved artifact contains 1 long base64-like blob.