MALICIOUS
Risk Score: 94
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
The PDF file contains multiple embedded JavaScript streams, and the ML classifier flagged it as malicious. The presence of PDF_ENCRYPTED_WITH_JS indicates that the JavaScript is used to conceal the malicious payload, likely for downloading and executing a second-stage payload. The obfuscated nature of the JavaScript prevents a more detailed analysis of its specific actions.
Machine Learning
- Nyx PDF Classifier malicious score 0.5308
Heuristics 4
- Encrypted PDF carries /JavaScript — payload hidden from static analysis (severity: high, rule: PDF_ENCRYPTED_WITH_JS). PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- JavaScript action (severity: low, rule: PDF_JAVASCRIPT). PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (severity: low, rule: PDF_JS). PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (severity: low, rule: PDF_ACROFORM_BUTTON). PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
Extracted artifacts 32
Files carved from inside the sample during analysis.