MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains multiple embedded JavaScript streams and actions, indicating an attempt to execute malicious code upon opening. The document body is formatted as a German government form (BAföG), likely a social engineering lure to trick users into interacting with the malicious content. The ML classifier strongly flagged this PDF as malicious. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9700
Heuristics 5
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Additional-actions dictionary low PDF_AAPDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.fjd.de
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0002_000.js227ca46bb27e6d02fc509d522435c3c917f7409b7380571752f9579fd7d8fea5 |
pdf-javascript-stream | PDF /JS object 2 at offset 0x102 | 449 bytes |
javascript_obj0028_003.js28a981141e9bc15718143f4afa4857bd55124196efdd24145e338682b03be212 |
pdf-javascript-stream | PDF /JS object 28 at offset 0x58A0 | 394 bytes |
javascript_obj0132_015.js5d8f58882f9acd59a75917c63381b02cf777cf329a80e9e1d82a27112612b8e9 |
pdf-javascript-stream | PDF /JS object 132 at offset 0xBAFE | 1839 bytes |
javascript_obj0133_016.js9f51a81ea495069ac3bd65daf89fd1c4a332f6ab52c21e14c04ec2c85ecccdee |
pdf-javascript-stream | PDF /JS object 133 at offset 0xC2FE | 166 bytes |
javascript_obj0134_017.jsbb0cc0ea4c337306f6e2f48a1141a3f0f0b71c8fa4e6a492f8fae20a58ca3eb4 |
pdf-javascript-stream | PDF /JS object 134 at offset 0xC3E1 | 280 bytes |
javascript_obj0135_018.js82c0fd6e6cc117687c47ced7f0ce920ecb308781c8402ac1927d871608b9fef1 |
pdf-javascript-stream | PDF /JS object 135 at offset 0xC53A | 468 bytes |
javascript_obj0136_019.jsf6c2357c12b7e2cbd2f963dd05935f9bd1d924cb5654b0cfca7b2eeaa3f05a1b |
pdf-javascript-stream | PDF /JS object 136 at offset 0xC75D | 168 bytes |
javascript_obj0137_020.js68582c3b030f7ce77460540a7ea21e899d133ef6ae8330fbbb6a5db8d1040ccb |
pdf-javascript-stream | PDF /JS object 137 at offset 0xC841 | 70 bytes |
javascript_obj0138_021.js11a1bd3ed0d867a06a568a40ba9d93946c031e168697e359578f9ad5e75f7e59 |
pdf-javascript-stream | PDF /JS object 138 at offset 0xC8BA | 251 bytes |
javascript_obj0139_022.jsb489e14c022670e263ade06b76d1f9a44446979ddfa4df58bed63e1e68ca6dfa |
pdf-javascript-stream | PDF /JS object 139 at offset 0xCA01 | 251 bytes |
javascript_obj0140_023.jsf4379dc788b0345e77b7c62fb70b4743640256954408c64b71bb4e1d213b0ffe |
pdf-javascript-stream | PDF /JS object 140 at offset 0xCB48 | 220 bytes |
javascript_obj0141_024.js2856e6304c394af10c1bf9c2627fd4c31d4605a8e9c743b15c91d5a1c90a0abe |
pdf-javascript-stream | PDF /JS object 141 at offset 0xCC6D | 1263 bytes |
javascript_obj0142_025.jsf953b4e209656e0e024dd8f67fe8f7d5964aa7f88f3c44320410cd2772618c7e |
pdf-javascript-stream | PDF /JS object 142 at offset 0xD1CB | 171 bytes |
javascript_obj0143_026.js5894fd1bd40b9fc6caa0e3e8742be127a4f61d10df05c00855a3416b05029370 |
pdf-javascript-stream | PDF /JS object 143 at offset 0xD2B2 | 171 bytes |
javascript_obj0144_027.js5b8991e20113df1bb42e18966e9db2a83fcf5260e9f52a25315472dc82344d38 |
pdf-javascript-stream | PDF /JS object 144 at offset 0xD399 | 171 bytes |
javascript_obj0145_028.js513ee74e3430a5768089c10405727a775fd0410063380f1135da30248f859f52 |
pdf-javascript-stream | PDF /JS object 145 at offset 0xD480 | 171 bytes |
javascript_obj0146_029.js785bd3e27f09677cf95e6704c36a42b8b1f269b10220523f3f7486fbd0292042 |
pdf-javascript-stream | PDF /JS object 146 at offset 0xD567 | 171 bytes |
javascript_obj0147_030.jsdd03dc34e66f51eb45c93c7883e9d86c60a197554db71a7224abe00d703108cd |
pdf-javascript-stream | PDF /JS object 147 at offset 0xD64E | 171 bytes |
javascript_obj0148_031.jsed1da6c4eb59bb67352f68686e24932396ca0f5b8a24f4bd95374ef2177ba704 |
pdf-javascript-stream | PDF /JS object 148 at offset 0xD735 | 174 bytes |
javascript_obj0149_032.js3ff21d394623da63712e6562ad121a8c686079a728556197a6ff8896322067c5 |
pdf-javascript-stream | PDF /JS object 149 at offset 0xD81F | 174 bytes |
javascript_obj0150_033.js3e97cbbf8962b4e88eb11579b4e70ff6823363fb4343fb4eef0b7f8590d522a2 |
pdf-javascript-stream | PDF /JS object 150 at offset 0xD909 | 174 bytes |
javascript_obj0151_034.js98a706db80d8e9a382bd75f98bce09c6dc405f0479a3d705df58dac02779fd3f |
pdf-javascript-stream | PDF /JS object 151 at offset 0xD9F3 | 174 bytes |
javascript_obj0152_035.js56ad9f2f8071020a7cc715e86e3a3bb934561acaeca49cd0335b06b14475aae5 |
pdf-javascript-stream | PDF /JS object 152 at offset 0xDADD | 174 bytes |
javascript_obj0153_036.jsac5d30deb6a65799203309463c849dbd2f2a908e511d0423245906382b3a6c2e |
pdf-javascript-stream | PDF /JS object 153 at offset 0xDBC7 | 174 bytes |
javascript_obj0154_037.jsbdf70f83552f5964c1353400ad6efc305fcc19e4aaea87f8a3f7d4ce63ab8bfc |
pdf-javascript-stream | PDF /JS object 154 at offset 0xDCB1 | 1297 bytes |
javascript_obj0155_038.jsa98ee7a5aaa51d958b79746af50abf1ef4fd7abc7eda4892c3b6b2fdd7fb2db2 |
pdf-javascript-stream | PDF /JS object 155 at offset 0xE25B | 1777 bytes |
javascript_obj0156_039.js07aa0bce4d66232235d381122d641e4c22279e8698a0b7521a801f70efd27e46 |
pdf-javascript-stream | PDF /JS object 156 at offset 0xE9F3 | 64 bytes |
javascript_obj0157_040.jsb5da3b4620f32902e2862fec42d7a3cbcef186f0c159954b3199d8140763f848 |
pdf-javascript-stream | PDF /JS object 157 at offset 0xEA66 | 64 bytes |
javascript_obj0158_041.js699db5c10caf2ca99f147502aab77086e2462c1329c7bc2417bf858423522b41 |
pdf-javascript-stream | PDF /JS object 158 at offset 0xEAD9 | 64 bytes |
javascript_obj0159_042.jsb3be7c7f74efdd1c60924d3bdd109dc94202406075aec50db02c843ab0ce1f18 |
pdf-javascript-stream | PDF /JS object 159 at offset 0xEB4C | 64 bytes |
javascript_obj0160_043.js17c0365a177513720bba6d02f8b343a00181eae59ec8e990ad2acfc42f01bdfb |
pdf-javascript-stream | PDF /JS object 160 at offset 0xEBBF | 64 bytes |
javascript_obj0161_044.js74678b64a6419b0dc833656b158051cbf023a1e416b29599e0c3eb42a0e70fc6 |
pdf-javascript-stream | PDF /JS object 161 at offset 0xEC32 | 64 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.