Verdict: MALICIOUS
Risk Score: 226
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
T1566.002 Spearphishing Attachment
T1105 Ingress Tool Transfer
The PDF contains numerous JavaScript streams, including calls to eval() and unescape(), indicating obfuscated code execution. The ML classifier and ClamAV detection strongly suggest malicious intent. The presence of embedded JavaScript and the high stream count point towards a dropper mechanism, likely intended to download and execute a secondary payload from the embedded URL http://www.dynaforms.com.
Machine Learning
- Nyx PDF Classifier malicious score 0.9318
Heuristics (10)
- ClamAV: Pdf.Dropper.Agent-1669214 (critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Dropper.Agent-1669214.
- eval() call (high; rule PDF_EVAL): eval() found, commonly used for obfuscated exploit execution (matched inside decoded stream).
- unescape() call (high; rule PDF_UNESCAPE): unescape() found, often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
- Unusually high stream count (medium; rule PDF_MANY_STREAMS): PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
- JavaScript action (low; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- String.fromCharCode (low; rule PDF_FROMCHARCODE): String.fromCharCode found, used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
- AcroForm button with action trigger (low; rule PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.dynaforms.com
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
Extracted artifacts (32)
Files carved from inside the sample during analysis. The Detection column is only populated for artifacts that triggered the static obfuscation/payload check; ClamAV reported no threats on any of those.

| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| javascript_obj5812_000.js | baf9cbdea88593024b2b12c6777d51479cc38ef798b18600d3b6600f23d6851d | pdf-javascript-stream | PDF /JS object 5812 at offset 0x188F | 101 bytes | ClamAV: no threats found; obfuscation or payload: likely (1 eval/decoder/string-building token) |
| javascript_obj5813_001.js | cac5feb65c9482ab3e5302e13d6842c8f757febaee3fac1b635bb67784a471a4 | pdf-javascript-stream | PDF /JS object 5813 at offset 0x1927 | 73 bytes | ClamAV: no threats found; obfuscation or payload: likely (1 eval/decoder/string-building token) |
| javascript_obj5815_003.js | c3cdcd4ff9a9030c24420179fc3118b240d6fc5eb693baad7641d6930a15d136 | pdf-javascript-stream | PDF /JS object 5815 at offset 0x19D9 | 61 bytes | ClamAV: no threats found; obfuscation or payload: likely (1 eval/decoder/string-building token) |
| javascript_obj5816_004.js | ac94d45b250614b38d40305a0f6e6ccda9a2da0516c64f21de434f5bf6481696 | pdf-javascript-stream | PDF /JS object 5816 at offset 0x1A45 | 59 bytes | ClamAV: no threats found; obfuscation or payload: likely (1 eval/decoder/string-building token) |
| javascript_obj5961_018.js | f9c454b9bf739f4a88e918fd78866ce97b37e5366c1fdd3a5048f229291cd076 | pdf-javascript-stream | PDF /JS object 5961 at offset 0xE58B | 35 bytes | |
| javascript_obj5962_019.js | 4640479262a6e2bd6ef3a88b206cc9cbf4c6c577c88c681b94727dc90bd731ce | pdf-javascript-stream | PDF /JS object 5962 at offset 0xE5DD | 35 bytes | |
| javascript_obj6005_024.js | 858c12ca857900aaebec8d105192b9e5c43d8b5a823d35e52eb3af4527391adc | pdf-javascript-stream | PDF /JS object 6005 at offset 0xFF53 | 34 bytes | |
| javascript_obj6010_025.js | d36cdebd55ae13c49b5ddce8febff58eb3ffd43fe884eff6a4d5de9832137154 | pdf-javascript-stream | PDF /JS object 6010 at offset 0x10130 | 34 bytes | |
| javascript_obj6050_027.js | f85c9446eb564dbf2c73c1a72a7b4291bce0fe2827dda99d4488cf8aea485b4a | pdf-javascript-stream | PDF /JS object 6050 at offset 0x11395 | 47 bytes | |
| javascript_obj6082_028.js | ecedc3038ddcd3dd129633e6ae47f741b628726f27063b62be76e5dec72579a3 | pdf-javascript-stream | PDF /JS object 6082 at offset 0x123AF | 49 bytes | |
| javascript_obj0119_032.js | 750c026a4f478475d31f95723584520d2ad084bc594cd6cbd8d743c10095fd2d | pdf-javascript-stream | PDF /JS object 119 at offset 0x1E9DA | 42 bytes | |
| javascript_obj0175_033.js | 28c7527ef881c2c84481beeeaca17173fcd897524c3866ed55ab406830103318 | pdf-javascript-stream | PDF /JS object 175 at offset 0x2024C | 35 bytes | |
| javascript_obj0176_034.js | e526352f0273ed717a7acf68db06e27d683c941ec71e60621ca23e848aeded9a | pdf-javascript-stream | PDF /JS object 176 at offset 0x2029D | 35 bytes | |
| javascript_obj0178_035.js | 843139fbe58f4020f9ca4daca070075b3da932a4eab39fc9e81ce391cf353712 | pdf-javascript-stream | PDF /JS object 178 at offset 0x20321 | 41 bytes | |
| javascript_obj0264_039.js | fb6a65b45260877fb99a8a32e752407efc4c67e36d6a13d6471e972c78f9b299 | pdf-javascript-stream | PDF /JS object 264 at offset 0x22A58 | 47 bytes | |
| javascript_obj0732_040.js | a7bc1f7a9f45e9beaa726772775f0102e0b7bcc5fbe1b3da430757bf7b8840b0 | pdf-javascript-stream | PDF /JS object 732 at offset 0x38346 | 36 bytes | |
| javascript_obj1041_041.js | 7fddf0133384bb49a5b87cb2cdaa1928f440524537f2188a3c363dcd65ea3f7a | pdf-javascript-stream | PDF /JS object 1041 at offset 0x441CE | 87 bytes | |
| javascript_obj1757_042.js | 096bc813157839bffb34c717fbe3eba7854cca6f809a1e7638c53922d411ce38 | pdf-javascript-stream | PDF /JS object 1757 at offset 0x5FA96 | 43 bytes | |
| javascript_obj2996_043.js | 82d00a2e1b93e77e05e0a33f90be4ab5c77e7ae306698a56ea0c2e305fa39700 | pdf-javascript-stream | PDF /JS object 2996 at offset 0x8F64E | 36 bytes | |
| javascript_obj5200_045.js | b3697a78a6ec9537bbf15c3c4ba7b6bab3a1f3a81a970c22118c06e44b782b61 | pdf-javascript-stream | PDF /JS object 5200 at offset 0xF001E | 62 bytes | |
| javascript_obj5202_047.js | fdef0db562beac911d6b4341f88d793116d5e6fccb75a5e11e13571d1f11e5f9 | pdf-javascript-stream | PDF /JS object 5202 at offset 0xF00DD | 33 bytes | |
| javascript_obj5203_048.js | 6cc83cc2eeb926f6aa49e4f928c9b33a62ac8634bad092ed30bb4edffa829876 | pdf-javascript-stream | PDF /JS object 5203 at offset 0xF012B | 42 bytes | |
| javascript_obj5418_049.js | 70fc7b9985818351f89121f16df70f7b5e537836146a508cb13a753128a84fa6 | pdf-javascript-stream | PDF /JS object 5418 at offset 0xF942F | 87 bytes | |
| javascript_obj4085_050.js | c1da00554575ceedc1c27a6842cf85deaa0ac408c3e504d12433eda968cf05a1 | pdf-javascript-stream | PDF /JS object 4085 at offset 0xBD1A4 | 21756 bytes | |
| javascript_obj4901_051.js | a1cdf900869d209bf8dfdde929df651d86eec173687e4d87df96f499402bb4e8 | pdf-javascript-stream | PDF /JS object 4901 at offset 0xE15BB | 21758 bytes | |
| javascript_obj5565_052.js | 2ec8f4193ac8f231f9689a4b14c7f856da49f0d205154f38672818bc6e0cc951 | pdf-javascript-stream | PDF /JS object 5565 at offset 0xFDCAD | 21763 bytes | |
| javascript_obj5825_053.js | 050e1cf6c80fe33c773a131339177e623099edb4e68b204f3354f89ee06c700c | pdf-javascript-stream | PDF /JS object 5825 at offset 0x4AC2 | 16770 bytes | ClamAV: no threats found; obfuscation or payload: likely (1 eval/decoder/string-building token) |
| javascript_obj5827_054.js | 3f5a767f9bef30d1052725d76be6cb561ee9aed995c65cfe0bf9703b107cc376 | pdf-javascript-stream | PDF /JS object 5827 at offset 0x5B0B | 1791 bytes | |
| javascript_obj5829_055.js | 6973253da093bc525926a71769c424f86da4235fce6749eb371963c7e54e4600 | pdf-javascript-stream | PDF /JS object 5829 at offset 0x5E8D | 20324 bytes | ClamAV: no threats found; obfuscation or payload: likely (31 eval/decoder/string-building tokens) |
| javascript_obj5831_056.js | 258cce54449cfbf6889e4d9fa4d8835758c66198fd1476b54174a6fc5faa8022 | pdf-javascript-stream | PDF /JS object 5831 at offset 0x6F35 | 22718 bytes | ClamAV: no threats found; obfuscation or payload: likely (34 eval/decoder/string-building tokens) |
| javascript_obj5833_057.js | f1a2798053b078aeef7c6daecb27312316237b57f8ed10042a3a6bb22bdb1388 | pdf-javascript-stream | PDF /JS object 5833 at offset 0x8523 | 21793 bytes | ClamAV: no threats found; obfuscation or payload: likely (13 eval/decoder/string-building tokens) |
| javascript_obj5835_058.js | e183cfdb18a135a3d733332d0b48c29206c6522e9e044e47308b24076b63fbb4 | pdf-javascript-stream | PDF /JS object 5835 at offset 0x97CA | 805 bytes | |