Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1059.007 JavaScript
- T1566.001 Spearphishing Attachment
This PDF contains multiple embedded JavaScript streams that perform calculations on form fields. The presence of JavaScript within an encrypted PDF, combined with ML classification, indicates malicious intent. The scripts appear to be designed to manipulate numerical inputs within the document, potentially for a financial scam or to present misleading information to the user.
Machine Learning
- Nyx PDF Classifier malicious score 0.9131
Heuristics (5)
- Encrypted PDF carries /JavaScript — payload hidden from static analysis (severity: high, rule: PDF_ENCRYPTED_WITH_JS). PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- JavaScript action (severity: low, rule: PDF_JAVASCRIPT). PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (severity: low, rule: PDF_JS). PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (severity: low, rule: PDF_ACROFORM_BUTTON). PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (32)
Files carved from inside the sample during analysis.
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).