MALICIOUS
378
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF contains JavaScript that uses eval() and unescape() functions, indicating an attempt to exploit a known vulnerability. The deobfuscated JavaScript attempts to construct a large string and likely prepares for the download and execution of a secondary payload, as suggested by the embedded file artifact. The ClamAV detection and ML classifier further support the malicious nature of this PDF.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 12
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
-
ClamAV: Pdf.Exploit.Agent-35955 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Exploit.Agent-35955
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
RichMedia (Flash) high PDF_RICHMEDIAPDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
-
unescape() call high PDF_UNESCAPEunescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
-
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEXHex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0003.binb52b546f445164350b564869980b2766408aef84eb0be15a0893d30d2249d32f |
pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0xE29 | 26804 bytes |
|
Detection
ClamAV:
Pdf.Exploit.Agent-35955
Obfuscation or payload:
likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
|
|||
legacy_pdfkit_stage_000.jsa6a68cec92c9ff48318a37483a59e2a964f15a3a86cc6c540ba4da0f3673d267 |
deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x650 | 383 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
objstm_0019_00.binad3182cffbb82c0409b4de6a4edb4839ac92eccfa84fc7af089bab0d9b25c07a |
pdf-objstm-decoded | PDF /ObjStm 19 0 obj (inflated) | 6742 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.