Verdict: MALICIOUS
Risk Score: 72

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1204.002 Malicious File
The PDF contains multiple JavaScript streams and an embedded file, indicating a malicious intent to exploit vulnerabilities. The ML classifier also flagged this PDF as malicious. The presence of JavaScript actions and embedded JS streams strongly suggests the execution of code to download and run further malicious content. One URL was identified as unknown, which warrants further investigation.
Machine Learning
- Nyx PDF Classifier malicious score 0.5242
Heuristics (7)
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file (low, PDF_EMBEDDED): PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- XFA form (low, PDF_XFA): PDF uses XML Forms Architecture, which can contain script logic.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  Extracted URLs:
  - http://www.w3.org/1999/xhtml
  - http://www.xfa.org/schema/xfa-data/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://purl.org/dc/elements/1.1/
  - http://www.adobe.com/products/acrobat/readstep.h\
  - http://ns.adobe.com/iX/1.0/
  - http://ns.adobe.com/pdf/1.3/
Extracted artifacts (32)
Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| embedded_file | c6c895dd1668be1b2bd23558f05629e164c2a7a7d2971721f70dbd4a022bbf31 | pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x216E9 | 4194304 bytes |
| javascript_obj0017_000.js | 140666ff3484ac0e529b6691046f1ecfe3837958d2a0fdb5286212c50f8c9348 | pdf-javascript-stream | PDF /JS object 17 at offset 0x29E7 | 218 bytes |
| javascript_obj0019_001.js | 18232c2b8268bb4fcff21c22f073415427d2c8430f2d79309ef6d9535002f319 | pdf-javascript-stream | PDF /JS object 19 at offset 0x2B38 | 73 bytes |
| javascript_obj0028_002.js | dfbcf5b827e9ac46518857efffd4bd38db062e280b5a9d31ee87bf96f851d7e0 | pdf-javascript-stream | PDF /JS object 28 at offset 0x2D18 | 234 bytes |
| javascript_obj0029_003.js | c0d3556fdb2d1a78a0a458e0c283ddeb07d5d29bd98febcb2c821bc835e1e61e | pdf-javascript-stream | PDF /JS object 29 at offset 0x2E43 | 166 bytes |
| javascript_obj0033_004.js | bd64f6e57e778f52158b69c21bf2c6c95a5dc2c021053adfc850de5a9dece976 | pdf-javascript-stream | PDF /JS object 33 at offset 0x2FC7 | 139 bytes |
| javascript_obj0036_005.js | ff80b0b69f13bf2fbf5df9b01f19461b4fb821ec6bda73e2c69f231f3c4314a8 | pdf-javascript-stream | PDF /JS object 36 at offset 0x30EB | 150 bytes |
| javascript_obj0039_006.js | d261db8174c30cae64e5123f9cf388938de35b5ba68d49024ab7e7eef4065e6b | pdf-javascript-stream | PDF /JS object 39 at offset 0x3210 | 140 bytes |
| javascript_obj0040_007.js | 74a066b48827abcf696d656faf53d9ca6025a71024c59051c4bcd2e17f94b315 | pdf-javascript-stream | PDF /JS object 40 at offset 0x32D7 | 95 bytes |
| javascript_obj0041_008.js | 810cfedc29aa122862ec26a22a79d4f7ca60de8e838d095a4e84145e81854293 | pdf-javascript-stream | PDF /JS object 41 at offset 0x336D | 73 bytes |
| javascript_obj0306_010.js | 00d8bd9c0b2a0cc9bc8b3f5abb3474ba5b3285ae2cd2978aae5ff63557ae14ba | pdf-javascript-stream | PDF /JS object 306 at offset 0x1A830 | 43 bytes |
| javascript_obj0369_013.js | bd6bffa684b984c8ae1eb0d7f4cb897dcf7f9797edd49c545d174abb3043a78b | pdf-javascript-stream | PDF /JS object 369 at offset 0x1E921 | 78 bytes |
| javascript_obj0370_014.js | c2a31ee1097f60fde1ddd4f89d71214bf29759268525ba18f0eb9e8621036d59 | pdf-javascript-stream | PDF /JS object 370 at offset 0x1E99D | 45 bytes |
| javascript_obj0399_015.js | 8b22318a574b7d43a819f90f5470c74704e0069ff5d2702357711ebc91eb7a54 | pdf-javascript-stream | PDF /JS object 399 at offset 0x20647 | 217 bytes |
| javascript_obj0566_018.js | ff5952889d6affeb5ea21493215a5e39cbbcdc47f904921764c4ed32ea32a648 | pdf-javascript-stream | PDF /JS object 566 at offset 0x33F5F5 | 742 bytes |
| javascript_obj0042_019.js | 9f9906ff842b03aadfeb849f7767dd5f4906b2eb56d10533f7b2c08c6a75045e | pdf-javascript-stream | PDF /JS object 42 at offset 0x33ED | 3490 bytes |
| javascript_obj0043_020.js | f77e2edcf33d85ca9b0b0983a489fe3e2bebd7455fe7b53b3eba560530d2e438 | pdf-javascript-stream | PDF /JS object 43 at offset 0x37E5 | 747 bytes |
| javascript_obj0044_021.js | 44ed9cf0e476e0ebb40fc38ca9459056beba58ac8f84c49722d4e46c861389ce | pdf-javascript-stream | PDF /JS object 44 at offset 0x3945 | 785 bytes |
| javascript_obj0045_022.js | 6bc055cf75a9c5c0c58fbfc2059ec2d3c7c00ec88cabd36ee8d49d2fb050f338 | pdf-javascript-stream | PDF /JS object 45 at offset 0x3AE8 | 5299 bytes |
| javascript_obj0046_023.js | 5be6c9abca3f42949e321ebc3ab9183224992c8b7fccb7ee82936aeeba57cc90 | pdf-javascript-stream | PDF /JS object 46 at offset 0x4224 | 1496 bytes |
| javascript_obj0047_024.js | 09f5ca347e5a9653212e337e8736dc684c653d92749fb0393e098da202fbcc77 | pdf-javascript-stream | PDF /JS object 47 at offset 0x44A4 | 273 bytes |
| javascript_obj0048_025.js | 6b2a8e4a51569bddf8962a8a928dc650490b47f1603c8cf12d138bae7b2063d5 | pdf-javascript-stream | PDF /JS object 48 at offset 0x45A3 | 302 bytes |
| javascript_obj0049_026.js | aad725103e8376908690a702de25290c0c79d219e82c0912f50e8b6af83b36af | pdf-javascript-stream | PDF /JS object 49 at offset 0x4696 | 358 bytes |
| javascript_obj0050_027.js | 0cb03d7d07c66ddbec3c29d7485a522a440f0e4484f2e2e04e526a4e5a9ea178 | pdf-javascript-stream | PDF /JS object 50 at offset 0x47C6 | 458 bytes |
| javascript_obj0051_028.js | a042daba7ffdf35e4fefc7e648831dd68f33a78711644af4c573220d3d026fd4 | pdf-javascript-stream | PDF /JS object 51 at offset 0x490C | 277 bytes |
| javascript_obj0052_029.js | f692536ec264cfc24e42aae57a09bba58d5dd561caaf381c7db90f146033c7e3 | pdf-javascript-stream | PDF /JS object 52 at offset 0x4A06 | 571 bytes |
| javascript_obj0053_030.js | c7532caf15f36663cba741cb9f9395d71d3abad570ec5cd6d0b1e684e420c3fb | pdf-javascript-stream | PDF /JS object 53 at offset 0x4B50 | 605 bytes |
| javascript_obj0054_031.js | 0ef975e1d00aa0c28b691c6e99940503499384645cbc3cd6aa0157c91e7f6319 | pdf-javascript-stream | PDF /JS object 54 at offset 0x4CCA | 1766 bytes |
| javascript_obj0055_032.js | 971d13b4621eaa71b1fdf6468691a91ae362802c0e42d08f83287e9e53e86dc0 | pdf-javascript-stream | PDF /JS object 55 at offset 0x4F89 | 2381 bytes |
| javascript_obj0056_033.js | e9adb23c66bae7ca9386411d5abffa651ea1e2c9c6aa39fbfdfc506b60cc0504 | pdf-javascript-stream | PDF /JS object 56 at offset 0x5287 | 1228 bytes |
| javascript_obj0057_034.js | 7516046ae8f7c11e9a166ebed6d247a1f4f363bed33c53337c620474de3301c8 | pdf-javascript-stream | PDF /JS object 57 at offset 0x54C7 | 263 bytes |
| javascript_obj0365_035.js | d8455bf93d1003190a69b2145079786c5ae29167898cb0f8bee5bc82686eace2 | pdf-javascript-stream | PDF /JS object 365 at offset 0x1E4BA | 1205 bytes |