Verdict: MALICIOUS
Risk Score: 118
Malware Insights
MITRE ATT&CK:
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The critical PDF_JS_EXPLOIT_CLUSTER heuristic, combined with multiple embedded JavaScript streams, indicates this PDF is designed to exploit vulnerabilities. The JavaScript code, though obfuscated, likely serves to download and execute a secondary payload, a common technique for initial access via spearphishing attachments. No specific family could be identified.
Machine Learning
- Nyx PDF Classifier malicious score 0.7617
Heuristics (6)
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- String.fromCharCode (low, PDF_FROMCHARCODE): String.fromCharCode found, used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/iX/1.0/
  - http://ns.adobe.com/tiff/1.0/
  - http://ns.adobe.com/xap/1.0/g/img/
Extracted artifacts (18)
Files carved from inside the sample during analysis. The Detection column shows the per-artifact ClamAV result and the static obfuscation/payload check where the report recorded one.

| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| javascript_obj0031_000.js | 4a9213c826ba196b70a7e85c94b7aae013e99a7328ec1ad8be553e94667a0603 | pdf-javascript-stream | PDF /JS object 31 at offset 0x1A08 | 1839 bytes | |
| javascript_obj0032_001.js | a05e9ef61f1d614748ce1cacd2e72c31a7c9a3a874531099d730545673feeba6 | pdf-javascript-stream | PDF /JS object 32 at offset 0x1B3F | 2079 bytes | |
| javascript_obj0033_002.js | 9d1645fef471163426f2178924ce9338e159b5612407dda27fc8139e63e40fb4 | pdf-javascript-stream | PDF /JS object 33 at offset 0x1E2E | 6740 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). |
| javascript_obj0034_003.js | 5c4f00c69a59aff02a35f97de664d0603e5d4b449c72889d2a4d27c57bc88c39 | pdf-javascript-stream | PDF /JS object 34 at offset 0x25EC | 15928 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building tokens). |
| javascript_obj0035_004.js | 26ca0c06013da4577a675c2e788a7b01643ea33d235af17fe822fe5d98559f8b | pdf-javascript-stream | PDF /JS object 35 at offset 0x3731 | 13505 bytes | |
| javascript_obj0036_005.js | 5e5d7bb32b96d444601e0a0156c1dcc68a0655dbe30a6e12f3eba2344a8c884e | pdf-javascript-stream | PDF /JS object 36 at offset 0x3E6C | 5970 bytes | |
| javascript_obj0037_006.js | 54c5f9e1eb38a601cd5d54886da574f56fa753743aa1d72ee6daa22b3c30bb11 | pdf-javascript-stream | PDF /JS object 37 at offset 0x44A0 | 6615 bytes | |
| javascript_obj0038_007.js | d550cd9a1c20316750d0833a59c64d34dff8fa11b4dd1981f17e1c7dbcccd608 | pdf-javascript-stream | PDF /JS object 38 at offset 0x4B3A | 5078 bytes | |
| javascript_obj0039_008.js | c81781e069c478026463bd399d01d20f6bd40e603b9d8c303fd8ba85f2407f68 | pdf-javascript-stream | PDF /JS object 39 at offset 0x51BE | 16697 bytes | |
| javascript_obj0040_009.js | 9c200c85e5e2fd5706f6f0058531517f80ed3f1501decaf2a47cc3ce7d1f11b6 | pdf-javascript-stream | PDF /JS object 40 at offset 0x60CC | 1077 bytes | |
| javascript_obj0041_010.js | c77183bd8accd7d989d1f1b0321ace604c99d056dcd04359567237b5d034cc66 | pdf-javascript-stream | PDF /JS object 41 at offset 0x6288 | 2511 bytes | |
| javascript_obj0042_011.js | e2bf54728d0a99f59983ddbfbea08c3e63ace8177e43dfd0744059d41669f423 | pdf-javascript-stream | PDF /JS object 42 at offset 0x664D | 4436 bytes | |
| javascript_obj0043_012.js | 6486d8e7bdd85daeb1149849986e6f0d9a21317557d894d853fda355b859a596 | pdf-javascript-stream | PDF /JS object 43 at offset 0x6D2B | 9809 bytes | |
| javascript_obj0044_013.js | f2e83c4bcae264587e6ff71d984fcf34a1fc02cbaccb4c4a5f030a060cf0ba0c | pdf-javascript-stream | PDF /JS object 44 at offset 0x786F | 1012 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens). |
| stream_083_off000125b5.bin | 2d4832eacedbe48ea96adf7d82ce670dc458de3ecf58a0f2f7e8475113b321ca | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x125B5 | 10608 bytes | |
| font_00_cff_off0000a5a4.bin | b2ee102953e09db7cee60ea7abc64231dd490145b9093f81c3349cd70e0518fe | pdf-font-stream | PDF embedded font (cff) at offset 0xA5A4 | 5391 bytes | |
| font_01_cff_off0000bbf9.bin | 6ae1bd916e2f3908eca9b3b2338c61ef83ac55f4a5e159d58d75c92bc4bb93ff | pdf-font-stream | PDF embedded font (cff) at offset 0xBBF9 | 6851 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content). |
| font_02_cff_off00011e26.bin | a5bbaa10a4a55b25c07aa7673a9d7434c3848c037709436ebbc23ad8925529f8 | pdf-font-stream | PDF embedded font (cff) at offset 0x11E26 | 753 bytes | |