Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1059.007 JavaScript
- T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript that displays a message prompting the user to update Adobe Reader, directing them to a specific URL. This is a common social engineering tactic to deliver malicious payloads. The ML classifier also flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.5792
Heuristics 5
- Encrypted PDF carries /JavaScript — payload hidden from static analysis (severity: high, rule PDF_ENCRYPTED_WITH_JS): PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- JavaScript action (severity: low, rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (severity: low, rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (severity: low, rule PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Embedded URL (severity: info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  Extracted URLs:
  - http://www.monotype.com (Monotype)
  - http://cgi.adobe.com/special/acrobat/update
  - https://www.verisign.com/rpa
  - http://ocsp.verisign.com/ocsp/status0
  - https://www.verisign.com/rpa0
  - http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
  - http://www.microsoft.com/typography
  - http://www.monotype.com/html/mtname/ms_timesnewroman.html
  - http://www.monotype.com/html/mtname/ms_welcome.html
  - http://www.monotype.com/html/type/license.html
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0069_002.js | 6b7cde5083353dc94a728e784406248df1e3c34b8a1b86c325dca7d6822fc92b | pdf-javascript-stream | PDF /JS object 69 at offset 0x77F6 | 39 bytes |
| javascript_obj0070_003.js | d7feabbe96d6239a4e68846c17660c84111cd34df235720909593806041f8a24 | pdf-javascript-stream | PDF /JS object 70 at offset 0x784B | 42 bytes |
| javascript_obj0126_006.js | 1cbe3230bb47687bb85c260df7d916d6169a08e3fbcd9258f74c67716912c6a9 | pdf-javascript-stream | PDF /JS object 126 at offset 0x44A2D | 372 bytes |
| javascript_obj0127_007.js | 292f5eec823ac9a29d2b678f07695a400782d715ec1ed8cf3f44d54ac74928c6 | pdf-javascript-stream | PDF /JS object 127 at offset 0x44B67 | 392 bytes |
| javascript_obj0128_008.js | 2f3a7b409302734f22a8ba5616f7c840e218882ac559109832417c6922d82ea3 | pdf-javascript-stream | PDF /JS object 128 at offset 0x44C8C | 338 bytes |
| stream_020_off0000951b.bin | a0f5b5f69a88877ffaa1733f0e0bbf9b4b3eef82f4ff804c724870cecea228d2 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x951B | 409252 bytes |
| javascript_obj0224_002.js | 2460ac4084aef1aa38ce3ded210c25fdcaaa89150a693c038ba2b842d1c5fb21 | pdf-javascript-stream | PDF /JS object 224 at offset 0x9E59 | 39 bytes |
| javascript_obj0225_003.js | 5bf210d34351b990ad353b9d7b54b770f7bc5e2b80d14d2d3a338a905f85efbe | pdf-javascript-stream | PDF /JS object 225 at offset 0x9EA8 | 42 bytes |
| javascript_obj0228_006.js | 633665f82aa54d32439b86422550630f98f4f2eda00bc1d942bd6850868d87f4 | pdf-javascript-stream | PDF /JS object 228 at offset 0x9F74 | 39 bytes |
| javascript_obj0229_007.js | 7dd069c06c3737be7f67d8249d9ab5c656c0c0739c5dcb3b6311519d33742397 | pdf-javascript-stream | PDF /JS object 229 at offset 0x9FC2 | 42 bytes |