Verdict: MALICIOUS
Risk Score: 148
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The PDF sample contains multiple embedded JavaScript streams, some of which are associated with exploit clusters and unescape() calls, indicating an attempt to exploit a vulnerability. The JavaScript functions suggest interaction with form fields and validation, likely to facilitate the execution of a malicious payload. The presence of unknown URLs associated with the document further supports the malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.7745
Heuristics (5)
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- unescape() call (high, PDF_UNESCAPE): unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://intranet.iafg.net/FDFGate/FDFGateway2.asp#FDF
  - http://intranet.iafg.net/
  - http://cyberiafonc.iafg.net/FDFGate/FDFGateway2.asp#FDF
  - http://cyberiafonc.iafg.net/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0506_000.js | 2d0e8fe77e67095c583fe56e539c1104b5f6f6891d6cbbd49b81a4dc3597bced | pdf-javascript-stream | PDF /JS object 506 at offset 0x5373 | 67 bytes |
| javascript_obj0869_002.js | 04131a026bcf4a3f696506d167971b09f0f994442547f66b25f85593bf2ceab2 | pdf-javascript-stream | PDF /JS object 869 at offset 0x29502 | 47 bytes |
| javascript_obj0885_006.js | f5e4e25e57d7b6feab9738ae9fe21daa21aff7e0908f847612850aa18dd3966a | pdf-javascript-stream | PDF /JS object 885 at offset 0x2997E | 39 bytes |
| javascript_obj0886_007.js | e0e7dec5bceb4358160ca032310f7567f8fb68bcfdd4975d9f76bab3d0667c40 | pdf-javascript-stream | PDF /JS object 886 at offset 0x299D1 | 38 bytes |
| javascript_obj0893_008.js | c3c05a7d9ba0c48df10d4fcb1eacbf91ba21462a7753a9b7d43fe191d6b4b59a | pdf-javascript-stream | PDF /JS object 893 at offset 0x29BDB | 45 bytes |
| javascript_obj0897_009.js | c19618cfcf9182a56b1e5a83cb9fe212f24b2b4db4c149f46cb11edbc07c79cd | pdf-javascript-stream | PDF /JS object 897 at offset 0x29D18 | 32 bytes |
| javascript_obj0900_011.js | fd67f6b0d028d047369337c9ed0ebe78871790186426a032cf7db5fbea1cbef0 | pdf-javascript-stream | PDF /JS object 900 at offset 0x29DEC | 33 bytes |
| javascript_obj0901_012.js | 1d83f81af162bbedd85d03f12711e69808ae80a7f31c0660a76a4bd20b8cbc4e | pdf-javascript-stream | PDF /JS object 901 at offset 0x29E39 | 32 bytes |
| javascript_obj0997_016.js | 1a020014b6488ea356910445b4d7e66204bc377330ee380185e219f961650da3 | pdf-javascript-stream | PDF /JS object 997 at offset 0x2BB8E | 39 bytes |
| javascript_obj0998_017.js | 62036cf39ff91db69bfeb20e0ff08cf2aa343ec1222118ab6b0e65bc3964c44c | pdf-javascript-stream | PDF /JS object 998 at offset 0x2BBE1 | 38 bytes |
| javascript_obj1027_018.js | c3e93446b95e49ee7f5c8fe251beb3d9a968a560abc4fa274f2682b3b114bfb8 | pdf-javascript-stream | PDF /JS object 1027 at offset 0x2C357 | 39 bytes |
| javascript_obj1028_019.js | 0c95baa1c927248e1c183c869999f8cf230bca1c937b34fcb97a6fe1f21c3528 | pdf-javascript-stream | PDF /JS object 1028 at offset 0x2C3AB | 38 bytes |
| javascript_obj1063_020.js | b6bceea8227dce1a71df0b577f8bd2a307c19d4321c40e241d4d59b9584010a5 | pdf-javascript-stream | PDF /JS object 1063 at offset 0x2CC85 | 39 bytes |
| javascript_obj1064_021.js | 9be89d64511f64881c15dd54892d9bcde7e8c09f7632a7da5e2225dee3049da8 | pdf-javascript-stream | PDF /JS object 1064 at offset 0x2CCD9 | 38 bytes |
| javascript_obj1081_022.js | 7e617a35ad1944c5a897b753f59b83e706c7ddacd7ee39df41c3d2fa7f0dc8d4 | pdf-javascript-stream | PDF /JS object 1081 at offset 0x2D18D | 35 bytes |
| javascript_obj1082_023.js | dfc4d4be5af6f6db66c7ba8c82fcbef72b246bb5e1a512eeee5fdd042ad1356b | pdf-javascript-stream | PDF /JS object 1082 at offset 0x2D1DD | 34 bytes |
| javascript_obj1109_024.js | f5c4a1ee6e6a3b2c9f20ab644bd441fa4f51d2c1b7262d53f67ed588ff102a57 | pdf-javascript-stream | PDF /JS object 1109 at offset 0x2D852 | 32 bytes |
| javascript_obj1126_026.js | dc37fded7df2b80cf6ec22775a0ba7ba8734d56e28c12e57013964507ac752f9 | pdf-javascript-stream | PDF /JS object 1126 at offset 0x2DCBC | 40 bytes |
| javascript_obj1162_027.js | b528e6fa130bf4f452c42f3db80cef386ec5c8d3ea1c6d158725ecba40fdf37f | pdf-javascript-stream | PDF /JS object 1162 at offset 0x2E5FF | 92 bytes |
| javascript_obj1170_028.js | 5b1ad76e9e759768eee65a0591c780ae6910803c4906042c0ff14dc4d9b03af5 | pdf-javascript-stream | PDF /JS object 1170 at offset 0x2E891 | 33 bytes |
| javascript_obj1171_029.js | dd8115d21168dfac712af48773e2454a1a9795c21855ed443bf572931d9848e7 | pdf-javascript-stream | PDF /JS object 1171 at offset 0x2E8DF | 32 bytes |
| javascript_obj1178_032.js | 6a2411d60acad66d0c16e14bcc7bebfd7aabe46b348f7c001828dc667f9b96a3 | pdf-javascript-stream | PDF /JS object 1178 at offset 0x2EAFB | 42 bytes |
| javascript_obj1194_033.js | 48fbe34688e2e1f4559dc8cd5b803e42e0432ef25de2f0851a90d62d7bb847c0 | pdf-javascript-stream | PDF /JS object 1194 at offset 0x2EF95 | 42 bytes |
| javascript_obj0115_039.js | b08a3f3d0ea4b4f8e619aa6560835a458c89e18437eb28e8e1c7806df34d73c9 | pdf-javascript-stream | PDF /JS object 115 at offset 0x3BF1E | 44 bytes |
| javascript_obj0116_040.js | a6f31a88c9a38eb9c974d9d0bae8b4e8768fb94adebd316dabb9769f22a31709 | pdf-javascript-stream | PDF /JS object 116 at offset 0x3BF7A | 43 bytes |
| javascript_obj0216_044.js | 1eae9375bf0723a494a0005e4f8c4322820b92ebbb59c528174bce43a0f76552 | pdf-javascript-stream | PDF /JS object 216 at offset 0x3FF40 | 35 bytes |
| javascript_obj0220_045.js | ec624dc4e01141a96f4467646a603fbeb56191fa4ffd53eead8b2d0c737f7ec6 | pdf-javascript-stream | PDF /JS object 220 at offset 0x40090 | 43 bytes |
| javascript_obj0246_048.js | 85b35ab4e30d1c8ddd0ddb3b2009076bdfd7dea94581f3bd69d86498d8d8f0bc | pdf-javascript-stream | PDF /JS object 246 at offset 0x40798 | 46 bytes |
| javascript_obj0247_049.js | 1da938e12885fdb9e08f56cea0b3943e79f57554b6942f6bd9e3321ce7dc2e56 | pdf-javascript-stream | PDF /JS object 247 at offset 0x407F6 | 45 bytes |
| javascript_obj0263_052.js | 968c069cd8f796fdcd4eaf0713367dccdfce645adba5221d4701de37401dad07 | pdf-javascript-stream | PDF /JS object 263 at offset 0x40C7B | 45 bytes |
| javascript_obj0269_053.js | 2bb3931ab0c23b29a4ecdb0b6122b64aad002ffa85de8b31e6b8c5fb7bf55b9f | pdf-javascript-stream | PDF /JS object 269 at offset 0x40E0A | 46 bytes |
| javascript_obj0270_054.js | 0991d1b1b462632e3f4d1d4e24f794a12d01d2bd5742a395464da987e00a985e | pdf-javascript-stream | PDF /JS object 270 at offset 0x40E68 | 45 bytes |