Verdict: MALICIOUS
Risk Score: 148
Malware Insights
MITRE ATT&CK
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The PDF file contains multiple JavaScript streams, with a critical heuristic firing for a PDF JavaScript exploit cluster that utilizes eval(). This suggests the script is designed to execute arbitrary code, likely to download and run a second-stage payload. The SubmitForm action also indicates an attempt to send data, potentially to a malicious server.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3258
Heuristics (8)
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- eval() call (high, PDF_EVAL): eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream).
- SubmitForm action (medium, PDF_SUBMITFORM): PDF has a /SubmitForm action; form data can be silently posted to an attacker-controlled URL.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://www.adobe.de
Extracted artifacts (25)
Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0035_000.js | a11b711e7dbb55adc6c5123c4b8500c22b4a30969c5caf07be5cbb6dfc7e726f | pdf-javascript-stream | PDF /JS object 35 at offset 0x11D23 | 76 bytes |
| javascript_obj0045_001.js | 1dd217fb04e605025a3fdd98e35431aa45379a297f137ce1a53d04e47ebe77ea | pdf-javascript-stream | PDF /JS object 45 at offset 0x120E5 | 97 bytes |
| javascript_obj0064_002.js | c2afec67f7073f3266b6cc41d0ad47033305a3f36ff85b3d1052a5d576850bd1 | pdf-javascript-stream | PDF /JS object 64 at offset 0x13463 | 38 bytes |
| javascript_obj0093_003.js | 328d2b036128bd98cfbb313534c50a2ca3b8c69b61cf843ab3204911582428a5 | pdf-javascript-stream | PDF /JS object 93 at offset 0x1615B | 98 bytes |
| javascript_obj0119_004.js | 2590071e027a491f6d57a9838f86a8ef1c84fe0658d91276a4e11149b667be18 | pdf-javascript-stream | PDF /JS object 119 at offset 0x17DD5 | 50 bytes |
| javascript_obj0120_005.js | 6aeb2fc8f6b0dba7b9d76914b437aa0140bcd183b4c2b0d2b66173e7a39a1974 | pdf-javascript-stream | PDF /JS object 120 at offset 0x17E3A | 41 bytes |
| javascript_obj0121_006.js | dd4e86ff46931388298d522a0c25afc2a74df361f28fb6ad9f104ffc1f5056c1 | pdf-javascript-stream | PDF /JS object 121 at offset 0x17E92 | 38 bytes |
| javascript_obj0130_007.js | 27b87cc250a90fcd32d25dd38c86882c4b9cf098226424f7d658d79118072d63 | pdf-javascript-stream | PDF /JS object 130 at offset 0x1878F | 72 bytes |
| javascript_obj0131_008.js | 572a91fc51702643df28955aaeeb86dd1625f4e3544ee1ba29446fcedc17c93d | pdf-javascript-stream | PDF /JS object 131 at offset 0x1880D | 41 bytes |
| javascript_obj0132_009.js | fefbea8a61fff6d2a5e8d7c764a407c92249644f8a10b0dec3cfae812883a2b7 | pdf-javascript-stream | PDF /JS object 132 at offset 0x18865 | 38 bytes |
| javascript_obj0279_010.js | 5b0712842335b0a44459a54d9b4f9dd113722b1574b35b32712557e01424f21c | pdf-javascript-stream | PDF /JS object 279 at offset 0x211C7 | 156 bytes |
| javascript_obj0284_011.js | 9d944ad482148fddbb4c3ec07997e46533d25f7326485ec4758d22f05845d057 | pdf-javascript-stream | PDF /JS object 284 at offset 0x215D8 | 64 bytes |
| javascript_obj0289_012.js | 1a9154d2ad00d560fc77073bbd656979bb01ee79af52659d3e79ea66edf26023 | pdf-javascript-stream | PDF /JS object 289 at offset 0x219ED | 66 bytes |
| javascript_obj0295_013.js | 5e9ecaaf074aec2dec679a750aac27d146d56776e4c2ae417df321dd4c2b4283 | pdf-javascript-stream | PDF /JS object 295 at offset 0x21E59 | 74 bytes |
| javascript_obj0297_014.js | 0f0b3c58873b4700c6b869ef81b2b9eca8b12c6cafb76aac8c8b049287721cb4 | pdf-javascript-stream | PDF /JS object 297 at offset 0x21F59 | 75 bytes |
| javascript_obj0301_015.js | f98f59a123d85c2df582a4bbc656465a1996349f94b1efab088525a632df6532 | pdf-javascript-stream | PDF /JS object 301 at offset 0x22108 | 73 bytes |
| javascript_obj0302_016.js | 5b4e1a57bf6476c87a1db4d415eeb42e1477d446a4236b8ae4189d3d8f669dde | pdf-javascript-stream | PDF /JS object 302 at offset 0x22187 | 41 bytes |
| javascript_obj0303_017.js | ff0b1e0798b55aee9e494d4b5046c0d747ee05557796f33002cd8f8168a10b67 | pdf-javascript-stream | PDF /JS object 303 at offset 0x221DF | 38 bytes |
| javascript_obj0311_019.js | 75a1cbe4e281d6b35addda0cd0f2fda7a8468297d37a6cc0813f672ac53611e8 | pdf-javascript-stream | PDF /JS object 311 at offset 0x224CD | 33 bytes |
| javascript_obj0312_020.js | a90a7efbb584485ff3347dc5e329e79d4d8c7314f6a6fc7b951b18f0c915358c | pdf-javascript-stream | PDF /JS object 312 at offset 0x2251D | 39 bytes |
| javascript_obj0020_021.js | 3f47657062b15749b9c6a387de3d40eed6b65bc0084fb4aa6894a70b9dc33fec | pdf-javascript-stream | PDF /JS object 20 at offset 0xF998 | 781 bytes |
| javascript_obj0021_022.js | d5adf5f05c0bfbb950b598845c1394fe82aa7c7967460fa98397372ea331c415 | pdf-javascript-stream | PDF /JS object 21 at offset 0xFAF6 | 23740 bytes |
| javascript_obj0022_023.js | 4789477b0456c4380767d8b47c198958760a574c4a16a594499bbdccaa252ba3 | pdf-javascript-stream | PDF /JS object 22 at offset 0x1032A | 607 bytes |
| javascript_obj0023_024.js | e0071920049fad5771a655a1812ed999df564cc98fcdef89fc6b5bd9b9e226a7 | pdf-javascript-stream | PDF /JS object 23 at offset 0x104B8 | 20743 bytes |

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_cff_off00000447.bin | 9990409bbf59a9858ef34345b777969ea1ac81b4c02bde365b530f919a959ba0 | pdf-font-stream | PDF embedded font (cff) at offset 0x447 | 29688 bytes |

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact entropy is 7.41, consistent with packed or encrypted content.