MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The PDF document contains embedded JavaScript that is designed to download a second-stage executable from the URL http://styggba.com/exe.exe. The script also appears to be attempting to create a VBScript file named 'vbs1.vbs' to facilitate the download and execution process. This behavior is indicative of a downloader or droppper malware.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
Launch action high PDF_LAUNCHPDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
PDF JavaScript WScript downloader high PDF_JS_WSCRIPT_DOWNLOADERDecoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://styggba.com/exe.exe
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_pdf_script_00000181.bined677536d4cefd6599612a48290a9eddd4889322271b55f0f5dc878d06a817b4 |
pdf-embedded-script | PDF decompressed stream script payload at offset 0x181 | 161 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.