MALICIOUS
92
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 JavaScript/JScript
T1204.002 Malicious File
The PDF contains numerous embedded JavaScript streams, with several triggering heuristics related to JavaScript execution and obfuscation. The presence of PDF_CCITT_CVE_2010_0188_RELATED suggests an attempt to exploit a known PDF vulnerability. The document body is heavily obfuscated and unreadable, providing no direct clues to the user-facing lure. The primary function appears to be executing embedded JavaScript, which is likely responsible for downloading and executing a secondary payload.
Heuristics 7
-
CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator high PDF_CCITT_CVE_2010_0188_RELATEDPDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
-
Unusually high stream count medium PDF_MANY_STREAMSPDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
String.fromCharCode low PDF_FROMCHARCODEString.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/g/img/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/xap/1.0/t/pg/
- http://ns.adobe.com/xap/1.0/sType/Dimensions#
- http://ns.adobe.com/xap/1.0/g/
- http://ns.adobe.com/pdf/1.3/
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj2979_000.js02763d0b97f3b488fc3a30dd82817accf5fdfff6e3fe5e008636626ae4c3003f |
pdf-javascript-stream | PDF /JS object 2979 at offset 0x6430 | 178 bytes |
javascript_obj2997_001.jsb81c69b1f10d6373625583e9bf50ce17cb3d0b89d1de94e8939b137c2a574be3 |
pdf-javascript-stream | PDF /JS object 2997 at offset 0x6852 | 102 bytes |
javascript_obj3002_002.js3308320d248e15f4247255ac71c51c1093417e81c0c9de702acea883b7fb99ea |
pdf-javascript-stream | PDF /JS object 3002 at offset 0x69AD | 83 bytes |
javascript_obj3010_003.js9b160d19334bd56892170b86188c49574febdcb9ac509210fcaccee51ca3d16d |
pdf-javascript-stream | PDF /JS object 3010 at offset 0x6B83 | 187 bytes |
javascript_obj3388_005.js91798ecd92e2f43f96a8c14669a5c168ae5a8d35171751b6a7acca9f8c50f0e6 |
pdf-javascript-stream | PDF /JS object 3388 at offset 0x3723B | 94 bytes |
javascript_obj3391_006.jsc812fa1f7d0804ae8135a933fd602dbf40b2a354bd7768f9a0362abc4405970f |
pdf-javascript-stream | PDF /JS object 3391 at offset 0x37475 | 90 bytes |
javascript_obj3394_007.js4a11062ce06fdbdf909e26403564cc72f6ea751064561e09fe6d680daa579c4b |
pdf-javascript-stream | PDF /JS object 3394 at offset 0x376CE | 91 bytes |
javascript_obj3401_008.js70bdf25ffc7ab416662e0bdf374e264c499c7df49ba0e2f2a627b89ecb45d6d1 |
pdf-javascript-stream | PDF /JS object 3401 at offset 0x37C8F | 96 bytes |
javascript_obj3403_009.js504189b07839845a0b0a6b2fec209b98ef2ce785b9c387ad4ea61078bb8b5fbc |
pdf-javascript-stream | PDF /JS object 3403 at offset 0x37DBD | 49 bytes |
javascript_obj3404_010.jsa88f3ebed05f024d40c36ba90dcf67fad6e570a7de6c7711873d14d9f07821a0 |
pdf-javascript-stream | PDF /JS object 3404 at offset 0x37E1F | 100 bytes |
javascript_obj3417_011.jsacbe5c98bf7357251066e74cab0cb6de5b52176b52c12738dd81d9726e1c2737 |
pdf-javascript-stream | PDF /JS object 3417 at offset 0x383BA | 90 bytes |
javascript_obj3420_012.jsa56c28cb40ebf3b49cc5189ac4f9c4a92f69e96703ff4a13e97a2dae640f2aef |
pdf-javascript-stream | PDF /JS object 3420 at offset 0x38613 | 91 bytes |
javascript_obj3426_013.js86271fc741187a75e412a476fca5f2634e8196d231b8179c97ae8cf04b9656ca |
pdf-javascript-stream | PDF /JS object 3426 at offset 0x38AB4 | 90 bytes |
javascript_obj3429_014.jsb21c81b444ed9d387bb3e6d106a772f560ef2836ab0c7b5fa9abd85b4fa6b93f |
pdf-javascript-stream | PDF /JS object 3429 at offset 0x38D0C | 91 bytes |
javascript_obj3435_015.js781be7cd12751af7b7c26920e3c6172f0e5b4e8848e9636dec195b34d1ceb852 |
pdf-javascript-stream | PDF /JS object 3435 at offset 0x39057 | 148 bytes |
javascript_obj3438_016.jsf8cbc95388aa6e8c4a785734390d3b178051fe4ef4753eed3bea7e510b074ca4 |
pdf-javascript-stream | PDF /JS object 3438 at offset 0x39297 | 97 bytes |
javascript_obj3440_017.jsac085ba32f5bb169e82a77ad2098d0ec1d3d229aafb8828b23183b62d69055dd |
pdf-javascript-stream | PDF /JS object 3440 at offset 0x3944A | 164 bytes |
javascript_obj3444_018.js22a8d36c78278d1275f42b32c1b29d33017804950f86420201a1dea2d59bc639 |
pdf-javascript-stream | PDF /JS object 3444 at offset 0x396B8 | 47 bytes |
javascript_obj1884_019.jsaefa64db7ad230470a96a35db96b8b432480b005d52c5dc6d7f8d06c06f8e36b |
pdf-javascript-stream | PDF /JS object 1884 at offset 0x132434 | 170 bytes |
javascript_obj1887_020.jse0ed9548de396d6e016081b2ea298f1fd9f002856f57eb29de833ef16f1ab696 |
pdf-javascript-stream | PDF /JS object 1887 at offset 0x132594 | 172 bytes |
javascript_obj1906_021.js2ec0dfca0217784805ac5f7f489111af0a656dc272cccc4c3c936cb02b90e624 |
pdf-javascript-stream | PDF /JS object 1906 at offset 0x1330E9 | 103 bytes |
javascript_obj1917_022.jscaa170e76c2e8a0c908fcc40e088f18b684501e5e118f9ab0501f33a033b4efb |
pdf-javascript-stream | PDF /JS object 1917 at offset 0x1336DD | 105 bytes |
javascript_obj2056_023.js4b0668787e790e8793c4a21ae1e1eae8d410b45b7ee4216b68e81a2be34fe6d5 |
pdf-javascript-stream | PDF /JS object 2056 at offset 0x13A6AF | 164 bytes |
javascript_obj2061_024.jsb204e6d9c037ce32d10d4b8d1b64ce99ab2c8dd376c069a4989e593ea902de1c |
pdf-javascript-stream | PDF /JS object 2061 at offset 0x13AAAA | 164 bytes |
javascript_obj2067_025.js809a445cfe2ce6f5e248717d46587743f0fd9e257e02c02b36cb40329972c078 |
pdf-javascript-stream | PDF /JS object 2067 at offset 0x13AEB2 | 164 bytes |
javascript_obj2196_026.js7854edc1b9d8bc2ed16952115e03746910fefc4b69aa50278ccac2231cf65620 |
pdf-javascript-stream | PDF /JS object 2196 at offset 0x1415E3 | 165 bytes |
javascript_obj2197_027.jscbdc4cbd355d5e0f593b762ac4382edd4dbb6a1ca3bba249ae26385323d77205 |
pdf-javascript-stream | PDF /JS object 2197 at offset 0x1416C5 | 165 bytes |
javascript_obj2220_028.js0c872dd9455411b0953b7886891809c6b8f223416249b967194b6f8db5dc9184 |
pdf-javascript-stream | PDF /JS object 2220 at offset 0x142ADA | 164 bytes |
javascript_obj2290_029.jsa66d7340eace919856b620401a828c9e04ab01df158d0c43c1ba2c5d758187b9 |
pdf-javascript-stream | PDF /JS object 2290 at offset 0x145AA4 | 101 bytes |
javascript_obj2292_030.js26a06b0596fc189b5912014f84057bacb4f6d2aae9331b79cec58d9dc8f6201f |
pdf-javascript-stream | PDF /JS object 2292 at offset 0x145CDD | 100 bytes |
javascript_obj2297_031.js0c8e732fa0b2ef7521e04cf8d25075d057ba031992416973470ca26668164729 |
pdf-javascript-stream | PDF /JS object 2297 at offset 0x145FA5 | 101 bytes |
javascript_obj2311_032.js602d876b4be0f99c69eebd0d14edf06999dd05d66104972e3638d9eaba58a252 |
pdf-javascript-stream | PDF /JS object 2311 at offset 0x1467D3 | 100 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.