MALICIOUS
418
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1218.005 Client Execution: Mshta
T1566.001 Spearphishing Attachment
This PDF file contains an embedded JavaScript payload that is executed using mshta.exe, a legitimate Windows utility often abused by malware. The script utilizes WScript.Shell to likely download and execute a second-stage payload, indicated by the 'WScript downloader' heuristic. The use of mshta.exe and JavaScript points to a common technique for initial execution and payload delivery.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 9
-
/Launch action target: Mshta critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters '"javascript:e=String.fromCharCode;new ActiveXObject('wscript.shell'' — references a known-dangerous executable (cmd, PowerShell, etc.).
-
/Launch action targets mshta.exe (LOLBIN) critical PDF_LAUNCH_MSHTAPDF contains a /Launch action whose /F parameter names mshta — Microsoft's legacy HTML Application host, used as a LOLBIN to run inline JScript/VBScript from a /P parameter (typically a `javascript:` URL). MITRE ATT&CK T1218.005.
-
/Launch /P parameter is a javascript: URL critical PDF_LAUNCH_JS_PROTOCOLPDF /Launch action passes a `javascript:` URL as the /P parameter — mshta interprets this as JScript when used as the launched handler, giving inline script execution without a separate payload file. MITRE ATT&CK T1218.005 + T1059.005.
-
Launch action high PDF_LAUNCHPDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
PDF JavaScript WScript downloader high PDF_JS_WSCRIPT_DOWNLOADERDecoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
String.fromCharCode low PDF_FROMCHARCODEString.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_pdf_script_00000366.bin0a4af2107349926725d11e7e467dc99fc3f729cf728b36005d7f8bf7c2e64e28 |
pdf-embedded-script | PDF decompressed stream script payload at offset 0x366 | 67 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.