Verdict: MALICIOUS
Risk Score: 116
Malware Insights
MITRE ATT&CK: T1059.001 PowerShell
This PDF contains multiple embedded JavaScript streams, and a high-confidence heuristic (PDF_EVAL) found eval() inside a decoded stream alongside obfuscation indicators; the ML classifier also scored the file as malicious. JavaScript actions and streams combined with the ML score strongly suggest execution of malicious code. Two of the carved scripts, javascript_obj2097_012.js and javascript_obj2100_015.js, are flagged as suspicious because they contain eval/decoder/string-building tokens; ClamAV has no signature for either. The likely intent is to download and execute a second-stage payload, although no download URL was recovered from the document (the only extracted URLs are XMP metadata namespaces). Note also that the code actually observed here is JavaScript (ATT&CK T1059.007); the T1059.001 PowerShell mapping above presumably describes the expected second stage rather than anything present in the PDF itself.
Machine Learning
- Nyx PDF Classifier: malicious score 0.8836
Heuristics (7)
- eval() call [high, PDF_EVAL]: eval() found, commonly used for obfuscated exploit execution (matched inside a decoded stream).
- Unusually high stream count [medium, PDF_MANY_STREAMS]: PDF contains 501+ stream objects; may indicate heap spray or heavy obfuscation.
- JavaScript action [low, PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger [low, PDF_ACROFORM_BUTTON]: PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  All five are standard XMP/RDF namespace URIs from the document's metadata packet, present in practically every Adobe-produced PDF. They are schema identifiers, not hosts the document contacts, and carry no weight in the verdict.
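As an added example (not the analyzer's own code), the following Python script implements the static checks behind the PDF_JS, PDF_JAVASCRIPT, PDF_EVAL, PDF_ACROFORM_BUTTON and PDF_MANY_STREAMS rules above, and carves each referenced /JS stream with its object number, file offset, decoded size and SHA-256, the same fields the artifact table below records. The token list used for the "eval/decoder/string-building" count and the sample PDF it runs on (including the example.invalid URL) are constructed for this example; the real analyzer's parser, token list and scoring are not published on this page.

```python
import hashlib
import re
import zlib

# "N 0 obj ... endobj" over the raw bytes. Adequate for an unencrypted PDF without
# object streams; a production tool also walks the xref table and /ObjStm containers.
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\b(.*?)endobj", re.S)
MANY_STREAMS = 501  # threshold quoted by the PDF_MANY_STREAMS rule
# Assumed token list for the "eval/decoder/string-building" count; the analyzer's
# real list is not published on this page.
OBFUSCATION_TOKENS = (rb"\beval\s*\(", rb"\bunescape\s*\(", rb"String\.fromCharCode")


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> (file offset, dictionary bytes, raw stream bytes or None).
    Streams are sliced by their direct /Length rather than by hunting for 'endstream',
    because compressed data can legitimately contain that keyword."""
    objects = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        s = re.search(rb"\bstream\r?\n", body)
        raw = None
        if s:
            length = re.search(rb"/Length\s+(\d+)\s*(?=[/>])", body[:s.start()])
            if length:  # an indirect "/Length N 0 R" is not resolved in this example
                raw = body[s.end():s.end() + int(length.group(1))]
        objects[num] = (m.start(), body[:s.start()] if s else body, raw)
    return objects


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate a /FlateDecode stream; on corrupt data fall back to scoring the raw bytes."""
    if b"/FlateDecode" not in dictionary:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw


def triage(pdf: bytes) -> dict:
    """Run the heuristics and carve every referenced /JS stream into an artifact record."""
    objects = parse_objects(pdf)
    findings, artifacts = [], []
    n_streams = sum(1 for _, _, raw in objects.values() if raw is not None)
    if n_streams >= MANY_STREAMS:
        findings.append(("PDF_MANY_STREAMS", "medium", f"{n_streams} stream objects"))
    for num, (_, dictionary, _) in objects.items():
        if re.search(rb"/S\s*/JavaScript\b", dictionary):
            findings.append(("PDF_JAVASCRIPT", "low", f"obj {num}"))
        if b"/Btn" in dictionary and re.search(
                rb"/S\s*/(SubmitForm|URI|Launch|JavaScript)\b", dictionary):
            findings.append(("PDF_ACROFORM_BUTTON", "low", f"obj {num}"))
        ref = re.search(rb"/JS\s+(\d+)\s+0\s+R", dictionary)
        if not ref or int(ref.group(1)) not in objects:
            continue  # inline "/JS (...)" string literals are left out of this example
        src = int(ref.group(1))
        src_off, src_dict, raw = objects[src]
        if raw is None:
            continue
        code = decode_stream(src_dict, raw)
        findings.append(("PDF_JS", "low", f"obj {num} -> stream obj {src}"))
        if re.search(rb"\beval\s*\(", code):  # matched inside the *decoded* stream
            findings.append(("PDF_EVAL", "high", f"eval() in decoded stream obj {src}"))
        tokens = sum(len(re.findall(t, code)) for t in OBFUSCATION_TOKENS)
        artifacts.append({
            "filename": f"javascript_obj{src}_{len(artifacts) + 1:03d}.js",
            "sha256": hashlib.sha256(code).hexdigest(),  # hash of the decoded script
            "source": f"PDF /JS object {src} at offset 0x{src_off:X}",
            "size": len(code),
            "tokens": tokens,
            "obfuscation": "likely" if tokens else "none",
        })
    return {"findings": findings, "artifacts": artifacts}


# Constructed sample input (not a real sample): an obfuscated /OpenAction script, a
# benign field-calculation script, and a /Btn widget wired to a /URI action.
EVIL_JS = (b"var s='';for(var i=0;i<2;i++){s+=String.fromCharCode(0x41+i);}"
           b"eval(unescape('%61%70%70%2e%61%6c%65%72%74%28%31%29'));")
BENIGN_JS = b"this.getField('total').value=this.getField('a').value+this.getField('b').value;"


def stream_obj(data: bytes, flate: bool) -> bytes:
    if flate:
        data = zlib.compress(data)
        return b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data) + data + b"\nendstream"
    return b"<< /Length %d >>\nstream\n" % len(data) + data + b"\nendstream"


def build_sample_pdf() -> bytes:
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [6 0 R] >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [6 0 R] /AA << /O 7 0 R >> >>",
        b"<< /Type /Action /S /JavaScript /JS 5 0 R >>",
        stream_obj(EVIL_JS, flate=True),
        b"<< /Type /Annot /Subtype /Widget /FT /Btn /T (download) "
        b"/A << /S /URI /URI (http://example.invalid/lure) >> >>",  # hypothetical URL
        b"<< /S /JavaScript /JS 8 0 R >>",
        stream_obj(BENIGN_JS, flate=False),
    ]
    out, offsets = bytearray(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"), []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)
```

Running `triage(build_sample_pdf())` yields PDF_JAVASCRIPT twice (the /OpenAction and the page-open /AA action), PDF_JS twice, PDF_EVAL once for the inflated /OpenAction script, and PDF_ACROFORM_BUTTON for the /Btn widget carrying a /URI action; the benign calculation script is carved as a second artifact with zero tokens. Two design choices matter in practice: eval() is only searched after FlateDecode inflation, which is why a plain grep over the raw file misses it, and stream bodies are sliced by /Length rather than by the endstream keyword so that a compressed script containing that keyword cannot truncate the carve.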
Extracted artifacts (32)
Files carved from inside the sample during analysis. All 32 are /JS streams; a Detection cell is filled only where the report recorded a per-file verdict.
| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| javascript_obj2094_009.js | bc652186abc2c954510b52205491c95463f92d57bb86b63e3e47026b45e91fcf | pdf-javascript-stream | PDF /JS object 2094 at offset 0x4D16A | 9998 bytes | |
| javascript_obj2095_010.js | 6ee4de61433432f8dff05013f06fc4fe4989e3638131af8674fd9ec6d4f0c0be | pdf-javascript-stream | PDF /JS object 2095 at offset 0x4DC0E | 2496 bytes | |
| javascript_obj2096_011.js | 8ca1586335ea7d079d968ae379ff6e7074d53dc7bb9ec034033167ee30460c83 | pdf-javascript-stream | PDF /JS object 2096 at offset 0x4E01B | 13320 bytes | |
| javascript_obj2097_012.js | 1edd5a7fec012ca89e3a39b1d23bdca911db91765e5448b7b452df2a1938ee5f | pdf-javascript-stream | PDF /JS object 2097 at offset 0x4EC96 | 1169 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens) |
| javascript_obj2098_013.js | e3831b8f9a2e9f95f9dea18a0132d9b901dbdaca1fa318d9e74a1c577a561cc7 | pdf-javascript-stream | PDF /JS object 2098 at offset 0x4EEEB | 6855 bytes | |
| javascript_obj2099_014.js | 393a1e44d83e2715020ab13ba04dc52f74e5041e8cc275186c38ff94a09e34e8 | pdf-javascript-stream | PDF /JS object 2099 at offset 0x4F6CE | 12191 bytes | |
| javascript_obj2100_015.js | 1c92daff8ccee007f82ded39a38c5381d7f93ec928271ae35f799dd933776470 | pdf-javascript-stream | PDF /JS object 2100 at offset 0x4FDC8 | 13141 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token) |
| javascript_obj2101_016.js | 893c6431809ae49dda3f8f30610d5b8f4535f7866491bffa5b9e38187aaddea7 | pdf-javascript-stream | PDF /JS object 2101 at offset 0x508BF | 166 bytes | |
| javascript_obj2102_017.js | a54d2aa5b89ccdb207650042e16bed6f2d16564331f67df496438d408ae6fd51 | pdf-javascript-stream | PDF /JS object 2102 at offset 0x509B6 | 8320 bytes | |
| javascript_obj2127_024.js | 8e28a077fad49c61c951129f8e3303ceedc3a381bfa7a62108192fe264c0a534 | pdf-javascript-stream | PDF /JS object 2127 at offset 0x520E8 | 40 bytes | |
| javascript_obj2131_025.js | 3f3b217e0991abf2ee3f23d8ddb10159740cbf8ee222b0d4784fc70cc1d580c3 | pdf-javascript-stream | PDF /JS object 2131 at offset 0x529B5 | 38 bytes | |
| javascript_obj2132_026.js | 0ab94c6dfc95dbf852cf0c0156d65bd4a68a04dc48858495c95095a1f74f6dfa | pdf-javascript-stream | PDF /JS object 2132 at offset 0x52A65 | 38 bytes | |
| javascript_obj2133_027.js | 9cba8df098ce306a9827c0c4cacfb6f8737c4cb6bee35fe4a8e900c355e4acab | pdf-javascript-stream | PDF /JS object 2133 at offset 0x52B15 | 53 bytes | |
| javascript_obj2134_028.js | 04056bf8f7504ac5249d149d183d806910c9dc78053ad5e6e88241125f85f5e7 | pdf-javascript-stream | PDF /JS object 2134 at offset 0x52BD4 | 50 bytes | |
| javascript_obj2135_029.js | 195765ccc7664a209704f249b620292db4c7bb94604c725786d3e79f601d8851 | pdf-javascript-stream | PDF /JS object 2135 at offset 0x52C90 | 53 bytes | |
| javascript_obj2138_031.js | 32baeb6873ae5dbf7408631dc3017f5d5af594084b54ed7d94ff07e360317491 | pdf-javascript-stream | PDF /JS object 2138 at offset 0x5369C | 59 bytes | |
| javascript_obj2139_032.js | af924c248ebb877cfc1a5752ac17ce4b853b4fc1d89bbd6153507e341e68b076 | pdf-javascript-stream | PDF /JS object 2139 at offset 0x53760 | 57 bytes | |
| javascript_obj2140_033.js | f76c80a2fc48657271b5779ed739b3ddd9bab2737db4b5b9a51540ed0c6a9902 | pdf-javascript-stream | PDF /JS object 2140 at offset 0x53C53 | 49 bytes | |
| javascript_obj2141_034.js | a98cd696a3c5b2b6e94eb0d6b1d54b834230019695451b86d46278e61c228478 | pdf-javascript-stream | PDF /JS object 2141 at offset 0x53D0E | 47 bytes | |
| javascript_obj2142_035.js | e13b438d505e7e75ab99145be9dd768d09427af288ee33f24d43231ee784e000 | pdf-javascript-stream | PDF /JS object 2142 at offset 0x541F7 | 52 bytes | |
| javascript_obj2143_036.js | 53079b5bb81b4dc222e6bb748ab9104e0430e4282c8c52b0ba4a37f9c60b07d7 | pdf-javascript-stream | PDF /JS object 2143 at offset 0x542B5 | 52 bytes | |
| javascript_obj2144_037.js | 24dc107d5323a9ffd73eb23c4e4528f666fdfb36b601c140327e54271c5c5ada | pdf-javascript-stream | PDF /JS object 2144 at offset 0x57183 | 48 bytes | |
| javascript_obj2145_038.js | 1d8caeb2bcb8f936d05e5a0e6603f438616f07f2ac5b8925fb6dcedd92697530 | pdf-javascript-stream | PDF /JS object 2145 at offset 0x57A9D | 53 bytes | |
| javascript_obj2146_039.js | 999e0dfb50510b6b2243bd7f3e57ecc46e7fc857d340bde4446c7a5c6af559d5 | pdf-javascript-stream | PDF /JS object 2146 at offset 0x57F8C | 54 bytes | |
| javascript_obj2147_040.js | 7f06ac97dda4577a11e4ae23e7255587b7b1c3118e2443c389ddc9ee784b1e75 | pdf-javascript-stream | PDF /JS object 2147 at offset 0x5847C | 53 bytes | |
| javascript_obj2167_041.js | 6f76c09ae356bdd5782b668f6d3fc3f271e5301b450902c381915f870f4cbaff | pdf-javascript-stream | PDF /JS object 2167 at offset 0x7226C | 48 bytes | |
| javascript_obj2168_042.js | ea861ce4dde176d98a0c5764efdb496a5dd6d36b015431ba6ab707d8f0412237 | pdf-javascript-stream | PDF /JS object 2168 at offset 0x722EB | 76 bytes | |
| javascript_obj2169_043.js | 173aed717a4f85f7a90266cdf38955079a0a6c211454137c2df83d0b0aace404 | pdf-javascript-stream | PDF /JS object 2169 at offset 0x72369 | 70 bytes | |
| javascript_obj2170_044.js | 1e39793e6bd5aa8272c01f666a7ae26b8b1dd8a49d74e09b825c3c2454236d5a | pdf-javascript-stream | PDF /JS object 2170 at offset 0x723E4 | 70 bytes | |
| javascript_obj2171_045.js | 03d4d36834d96142aef4abf08f8325ddec26cb9b88cbf5621765957e57f11539 | pdf-javascript-stream | PDF /JS object 2171 at offset 0x7245F | 70 bytes | |
| javascript_obj2172_046.js | efab014fd00e9cbb6f222c6767f28b3a0b19422a2c4102797b2ae3c0a42ea6a4 | pdf-javascript-stream | PDF /JS object 2172 at offset 0x724DA | 70 bytes | |
| javascript_obj2173_047.js | 54417defebb22f46cb67582de5f43ae2e00ef14745f599909a17c34806bc214a | pdf-javascript-stream | PDF /JS object 2173 at offset 0x72555 | 70 bytes | |