Risk Score: 150 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF file contains embedded JavaScript that utilizes eval() calls, a common technique for executing arbitrary code. The heuristics indicate a PDF JavaScript exploit cluster, suggesting the script is designed to exploit a vulnerability. The embedded URLs are likely related to the payload delivery or command and control infrastructure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9922
Heuristics (6)
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- eval() call (high, PDF_EVAL): eval() found, commonly used for obfuscated exploit execution.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.massey.ac.nz/
  - http://www.massey.ac.nz/p��scowper/ts/cbe.dat
  - http://www.massey.ac.nz/��pscowper/ts/poundsnz.dat
Extracted artifacts (18)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| javascript_obj0079_000.js | 7573760e9ff6f468c9ce5ab20d7f7cc8ed39e7ab8fd22d511a45c944b8a241c4 | pdf-javascript-stream | PDF /JS object 79 at offset 0x9B7 | 703 bytes | |
| javascript_obj0079_001.js | 426a20311d5c002175dbe07f24266b39782844dfd830d3538366e4a4faf8c5f3 | pdf-javascript-stream | PDF /JS object 79 at offset 0x9B7 | 153 bytes | |
| javascript_obj0080_002.js | 7008e4ccb4a9142c87ec4829881963dcb2975f949e9bb8b9621b7cac10e73816 | pdf-javascript-stream | PDF /JS object 80 at offset 0xCC1 | 6537 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 6 eval/decoder/string-building tokens) |
| javascript_obj0080_003.js | f531222f36bde7e3702f4676fcfb8df0304f583b3a6dd8589a8c6553a8d55972 | pdf-javascript-stream | PDF /JS object 80 at offset 0xCC1 | 47 bytes | |
| javascript_obj0081_004.js | c6f5d0dbb80c1752b400ab7010c6dd092178db2eb6d708e1349731f690b62c42 | pdf-javascript-stream | PDF /JS object 81 at offset 0x27BA | 1667 bytes | |
| javascript_obj0082_006.js | d8ce166fdf9324097842ceea783600d301638ec8c6a9ee7308ea33c3f0a81f9c | pdf-javascript-stream | PDF /JS object 82 at offset 0x2EA0 | 6361 bytes | |
| javascript_obj0083_008.js | 725221c3c22430701cca081c55f6669aab2222840b03232fd96c2fa582dc8fc8 | pdf-javascript-stream | PDF /JS object 83 at offset 0x4877 | 1381 bytes | |
| javascript_obj0083_009.js | fa562bd65a6760194901727d09a59bbbee66e5103d64da03231924d40b86ed59 | pdf-javascript-stream | PDF /JS object 83 at offset 0x4877 | 45 bytes | |
| javascript_obj0084_010.js | 3559946e2a7cdd1f7cf0c811f9af202960529e24924a430cade5922dfd95f739 | pdf-javascript-stream | PDF /JS object 84 at offset 0x4E40 | 385 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens) |
| javascript_obj0084_011.js | b09c2a4169372fa32f0f86acde9647d22c1e759f0d20f87d83827c8d967054e3 | pdf-javascript-stream | PDF /JS object 84 at offset 0x4E40 | 56 bytes | |
| stream_031_off00019709.bin | d9447cf76189f810029e48c2d99cf398925b9b34dd079db3b07c1d8e7455ff24 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x19709 | 20406 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.90, consistent with packed or encrypted content) |
| font_00_type1_off0000cfd1.bin | ff8c69da675701e0cf8aec95d2689a218dc04cbee2e0d139ef38f9bf7a2dcf4c | pdf-font-stream | PDF embedded font (type1) at offset 0xCFD1 | 2375 bytes | |
| font_01_type1_off000121d6.bin | a3eb043f78f66765a5ecfef71e6def268f5f5dc678322ec0f4b94b9f7c2252ea | pdf-font-stream | PDF embedded font (type1) at offset 0x121D6 | 2562 bytes | |
| font_02_type1_off00012c83.bin | 7bb402c3ef21fffd112a8917090e79ddda088cefebf2d2a5f41485191e181b44 | pdf-font-stream | PDF embedded font (type1) at offset 0x12C83 | 4901 bytes | |
| font_03_type1_off000140dd.bin | c68219378880dd488c18a231a68f6650c3c3736c47ba07dfd03098165926fa02 | pdf-font-stream | PDF embedded font (type1) at offset 0x140DD | 7409 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.64, consistent with packed or encrypted content) |
| font_04_type1_off00015ed7.bin | 32325eb52222ca5933da601bff5af2a05abb51eed3e0db1e880e100b9240cae9 | pdf-font-stream | PDF embedded font (type1) at offset 0x15ED7 | 14784 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.84, consistent with packed or encrypted content) |
| font_06_type1_off0001e6f0.bin | 34c4d13c33fd44a0801e3d098b26eabcd56f7b9ed8ea48770575e219b8cb72c4 | pdf-font-stream | PDF embedded font (type1) at offset 0x1E6F0 | 7391 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.52, consistent with packed or encrypted content) |
| font_07_type1_off00020114.bin | 46bacd1340fe9f306592551aa1f0baf916d450473cc4bdbb836b4e81d3cd5eca | pdf-font-stream | PDF embedded font (type1) at offset 0x20114 | 3111 bytes | |