MALICIOUS
Risk Score: 98
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF file contains obfuscated JavaScript, indicated by the 'PDF_JS' and 'PDF_OBFUSCATED_NAME_OBJECT' heuristics. The ML classifier also flagged it as malicious. The JavaScript appears to be designed to execute arbitrary code, likely to download and run a second-stage payload. The presence of obfuscated JavaScript and the malicious classification strongly suggest a spearphishing attachment attack vector.
Machine Learning
- Nyx PDF Classifier malicious score 0.8339
Heuristics 2
- Hex-obfuscated scripting name object | critical | PDF_OBFUSCATED_NAME_OBJECT
  A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners, e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
- Embedded JS stream | low | PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.