MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
This PDF file contains multiple JavaScript streams, indicating an attempt to execute malicious code within the viewer. The ML classifier strongly flagged this PDF as malicious. The JavaScript appears to be designed to interact with document properties like keywords and title, and then trigger an alert, suggesting a potential exploit or obfuscation technique.
Machine Learning
- Nyx PDF Classifier malicious score 0.9975
Heuristics 4
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
-
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENTOptional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0012_000.js1f64058a8786054b18d63c1bd7116503f5f8249c417592ffde111fb605a7584c |
pdf-javascript-stream | PDF /JS object 12 at offset 0x16AD | 117 bytes |
javascript_obj0014_001.jsc353d5d8f6f28ea41d8fdb65b825ca3345c37dbda266d3fba3f9cda9125b1ac9 |
pdf-javascript-stream | PDF /JS object 14 at offset 0x17CC | 35308 bytes |
javascript_obj0016_002.js96347833a84cf046dba54e05574c2e38d164238184f806997dccba8c149e7286 |
pdf-javascript-stream | PDF /JS object 16 at offset 0x6F5C | 79 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.