Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK: T1203 (Exploitation for Client Execution), T1059.007 (Command and Scripting Interpreter: JavaScript)
This PDF carries embedded JavaScript together with U3D/3D annotation content, the combination flagged by the PDF_JS_EXPLOIT_CLUSTER and PDF_U3D_CVE_RELATED heuristics. The scripts reference functions such as getAnnots3D and selectit, consistent with an attempt to reach the document's 3D annotations from JavaScript and trigger a flaw in Adobe Reader's 3D (U3D) parser. No download URL is present (every extracted URL is an XML namespace identifier), so any secondary payload would have to be carried inside the file rather than fetched from the network. Nineteen of the twenty carved /JS streams are 49 to 59 bytes each; the 1099-byte stream in object 300 (offset 0x7E3) holds most of the script content and is the first artifact to review. Confirm the verdict with dynamic analysis in an instrumented Adobe Reader rather than relying on the heuristic cluster alone.
Machine Learning
- Nyx PDF Classifier malicious score 0.7272
Heuristics (6)
- PDF_U3D_CVE_RELATED (high): U3D/3D content in PDF, an Adobe Reader 3D parser CVE-family indicator. The PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution, and U3D content is extremely rare in normal documents.
- PDF_JS_EXPLOIT_CLUSTER (critical): PDF JavaScript exploit cluster. The PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own stays low-severity; the correlated cluster is a high-confidence malicious indicator.
- PDF_JAVASCRIPT (low): JavaScript action. The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF_JS (low): Embedded JS stream. The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF_XFA (low): XFA form. The PDF uses XML Forms Architecture, which can carry script logic.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All ten URLs listed here are standard XML namespace identifiers (XHTML and XFA data schema, RDF and XMP metadata, Adobe PDF/PDF-X/Photoshop schemas, Dublin Core) plus the IEC reference normally found in the description of an sRGB IEC61966-2.1 ICC profile, which is also the 3144-byte size of the carved ICC profile below. None of them is a network destination, which matches the absence of any download URL noted in the summary.
  - http://www.w3.org/1999/xhtml
  - http://www.xfa.org/schema/xfa-data/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/pdfx/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
  - http://www.iec.ch
Extracted artifacts (22)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0037_000.js | 805e1367ad3c2f032ec0df81b20eeb8422daed5fa793f913adfc4cf7af641b54 | pdf-javascript-stream | PDF /JS object 37 at offset 0x6B5C6 | 49 bytes |
| javascript_obj0039_001.js | 1d863f09197d6f7aee9e84fcdb1b99ea1fb012e125a32a8b1de1f728e83ba6cd | pdf-javascript-stream | PDF /JS object 39 at offset 0x6B6B7 | 49 bytes |
| javascript_obj0040_002.js | 05fd2dc91a2f1e5b2c53bc307c5997ee5cd002b96586d649af7ff9c2e7b712f6 | pdf-javascript-stream | PDF /JS object 40 at offset 0x6B712 | 49 bytes |
| javascript_obj0047_003.js | 488426d3ae32544a6168ed276313ddde4ad376deaf6fd18337ad6dc656969491 | pdf-javascript-stream | PDF /JS object 47 at offset 0x6BAEF | 49 bytes |
| javascript_obj0049_004.js | 081da500bfa4eaf30072596c157e14f6853ece0b52b9aa7077e426885e9638d8 | pdf-javascript-stream | PDF /JS object 49 at offset 0x6BBE0 | 49 bytes |
| javascript_obj0052_005.js | 1ea36bd0daa6389d65a8a8ca08266a5095f91ba79e5d172490b63b8cba5e41e3 | pdf-javascript-stream | PDF /JS object 52 at offset 0x8C28B | 49 bytes |
| javascript_obj0053_006.js | 4805f062d36513e4c154ee9d8aae98ae426fdbbef6b8ee233761affa32c4617c | pdf-javascript-stream | PDF /JS object 53 at offset 0x8C2E6 | 59 bytes |
| javascript_obj0056_007.js | 7f2ac57217a86508982cef0b1c150696d823d51c28528f55cd467d4e4e256824 | pdf-javascript-stream | PDF /JS object 56 at offset 0x8C476 | 49 bytes |
| javascript_obj0060_008.js | 0b1561de8609a3da3387cab618e2caa4dbe77e7f3b85ef128817596461721a35 | pdf-javascript-stream | PDF /JS object 60 at offset 0x8C951 | 49 bytes |
| javascript_obj0061_009.js | f5ed3c2b0e6a500c7a92ac9b3e7120c532b490ebb572a8ec550f88fd2bc5fd23 | pdf-javascript-stream | PDF /JS object 61 at offset 0x8C9AC | 49 bytes |
| javascript_obj0064_010.js | b645d579d1d0a4cc51c11122cc8b03b9763afe331e3e04649cbf9704c0a3a439 | pdf-javascript-stream | PDF /JS object 64 at offset 0x9864A | 59 bytes |
| javascript_obj0065_011.js | abbcc3392ae2f576d60a7c5e2173ae92de2d5f5384b0332ac629ee0f0c3fabfd | pdf-javascript-stream | PDF /JS object 65 at offset 0x986AF | 59 bytes |
| javascript_obj0067_012.js | 9d596a351a56352aad6ebd94f40d5da8f15a59b28239b8f5b75874e4bec237b3 | pdf-javascript-stream | PDF /JS object 67 at offset 0x98779 | 49 bytes |
| javascript_obj0068_013.js | a54486afa2c60e81401c5de9876b57efc4420f9c35f658b09e4f11f9dd6fa00d | pdf-javascript-stream | PDF /JS object 68 at offset 0x987D4 | 49 bytes |
| javascript_obj0071_014.js | d70f4ba45cbf04344f67e314c85ecc4f4b05e7b2f909f6d1bee2fd1d99d9dccb | pdf-javascript-stream | PDF /JS object 71 at offset 0xB8E7E | 52 bytes |
| javascript_obj0072_015.js | 0c348370524e9347f5889698a3c0f745d9105258ec063d0f62a3bf08f9f325e5 | pdf-javascript-stream | PDF /JS object 72 at offset 0xB8EDC | 50 bytes |
| javascript_obj0073_016.js | 65400f9adf5f8cb21b84a9505b1f6a1e509e9e8bc707f24014ec314c8589fcce | pdf-javascript-stream | PDF /JS object 73 at offset 0xB8F38 | 50 bytes |
| javascript_obj0075_017.js | 51efb091b55995c2120a74decc96f83c1e6fcf9f6319b3824f4ec8274e4cce4d | pdf-javascript-stream | PDF /JS object 75 at offset 0xB9029 | 51 bytes |
| javascript_obj0080_018.js | aa0176a9a14fa0b725aad4d7b1147578d3a9c6fc723de930bf723894f64cc087 | pdf-javascript-stream | PDF /JS object 80 at offset 0xB92A1 | 52 bytes |
| javascript_obj0300_019.js | 31f05d62cdcc8625984241416d22920e1b951f98ea8d8d736cf983d407843834 | pdf-javascript-stream | PDF /JS object 300 at offset 0x7E3 | 1099 bytes |
| stream_018_off0006bd06.bin | 8c07b4ee7510759936afba18460a46ea92df02d5970d6a3f514eb1d7ca98c107 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6BD06 | 159278 bytes |
| icc_00_off00001e9f.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x1E9F | 3144 bytes |
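The heuristics section and the artifact table above describe two things an analyst will want to reproduce offline: the correlated rule set (JavaScript surface plus staging APIs, XFA or U3D content) and the carving of /JS stream objects by object number, offset and size. The following is an added example, not the analyzer's code and not taken from the page; it re-implements that logic in Python and runs it over two constructed PDFs (a staged 3D exploit with a FlateDecode'd /JS stream and a benign form). The rule IDs and severities come from the report; the regexes, the list of staging APIs, the object layout and the sample scripts are assumptions made for the example, and the parser is deliberately regex-based, so it does not see object streams, name escapes or inline /JS strings.

```python
"""Added triage re-implementation of the heuristics listed above (JavaScript
surface, staging APIs, XFA, U3D/3D, correlated cluster). Regex-based, not a PDF
parser: no xref or object-stream handling, no /J#61vaScript-style name escapes,
no inline /JS (...) strings. Treat a miss as "unknown", not "clean"."""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
# Staging APIs the cluster rule names, the %uXXXX shellcode encoding they
# usually unpack, and the 3D annotation accessor named in the summary above.
STAGING_RE = re.compile(
    rb"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|getAnnots3D|%u[0-9a-fA-F]{4}")
U3D_RE = re.compile(rb"/Subtype\s*/(3D|U3D)\b|/3DD\b|/Type\s*/3D\b")
SEVERITY = {"PDF_JAVASCRIPT": "low", "PDF_JS": "low", "PDF_XFA": "low",
            "PDF_U3D_CVE_RELATED": "high", "PDF_JS_EXPLOIT_CLUSTER": "critical"}


def objects(pdf):
    """Yield (objnum, offset, dictionary, stream_or_None). Stream data is sliced by
    a direct /Length (else up to 'endstream') and inflated when FlateDecode is
    declared; data that fails to inflate is kept raw, which is itself a signal."""
    for m in OBJ_RE.finditer(pdf):
        body, data = m.group(3), None
        sm = re.search(rb"\bstream\r?\n", body)
        head = body[:sm.start()] if sm else body
        if sm:
            lm = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", head)
            if lm:
                data = body[sm.end():sm.end() + int(lm.group(1))]
            else:
                data = body[sm.end():body.rfind(b"endstream")].rstrip(b"\r\n")
            if re.search(rb"/Filter\s*\[?\s*/FlateDecode\b", head):
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    pass
        yield int(m.group(1)), m.start(), head, data


def extract_js(pdf):
    """Carve scripts like the artifact table: (objnum, offset, script) per /JS stream."""
    objs = {n: (off, head, data) for n, off, head, data in objects(pdf)}
    out = []
    for _, head, _ in objs.values():
        for ref in JS_REF_RE.findall(head):
            off, _, data = objs.get(int(ref), (None, b"", None))
            if data is not None:
                out.append((int(ref), off, data))
    return out


def triage(pdf):
    """Evaluate the heuristics above; returns {rule_id: severity}."""
    hits = {}
    for rule, pat in (("PDF_JAVASCRIPT", rb"/JavaScript\b"), ("PDF_JS", rb"/JS\b"),
                      ("PDF_XFA", rb"/XFA\b"), ("PDF_U3D_CVE_RELATED", U3D_RE)):
        if re.search(pat, pdf):
            hits[rule] = SEVERITY[rule]
    staging = any(STAGING_RE.search(js) for _, _, js in extract_js(pdf))
    # XFA counts as staging only when a decoded stream really carries <script>;
    # otherwise every LiveCycle form with field JavaScript would reach "critical".
    xfa_script = "PDF_XFA" in hits and any(
        data is not None and b"<script" in data for _, _, _, data in objects(pdf))
    if ("PDF_JAVASCRIPT" in hits or "PDF_JS" in hits) and (
            staging or xfa_script or "PDF_U3D_CVE_RELATED" in hits):
        hits["PDF_JS_EXPLOIT_CLUSTER"] = SEVERITY["PDF_JS_EXPLOIT_CLUSTER"]
    return hits


def build_pdf(objs):
    """Constructed minimal PDF body (no xref table; the triage does not need one)."""
    out = bytearray(b"%PDF-1.7\n")
    for num, head, stream in objs:
        out += b"%d 0 obj\n" % num + head
        if stream is not None:
            out += b"\nstream\n" + stream + b"\nendstream"
        out += b"\nendobj\n"
    return bytes(out + b"%%EOF\n")


# Constructed samples, not the analyzed file: a staged 3D exploit and a benign form.
EXPLOIT_JS = (b'var sc = unescape("%u4141%u4141");\n'
              b'var a = this.getAnnots3D(0);\n'
              b'eval(String.fromCharCode(97));')
_Z = zlib.compress(EXPLOIT_JS)
MALICIOUS_PDF = build_pdf([
    (1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 4 0 R >> >>", None),
    (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>", None),
    (3, b"<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>", None),
    (4, b"<< /Length %d /Filter /FlateDecode >>" % len(_Z), _Z),
    (5, b"<< /Type /Annot /Subtype /3D /3DD 6 0 R /Rect [0 0 100 100] >>", None),
    (6, b"<< /Type /3D /Subtype /U3D /Length 4 >>", b"U3D\x00"),
])
BENIGN_JS = b'this.getField("total").value = this.getField("qty").value * 2;'
BENIGN_PDF = build_pdf([
    (1, b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [] >> >>", None),
    (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>", None),
    (3, b"<< /Type /Page /Parent 2 0 R /AA << /O << /S /JavaScript /JS 4 0 R >> >> >>", None),
    (4, b"<< /Length %d >>" % len(BENIGN_JS), BENIGN_JS),
])
```

Calling `triage(MALICIOUS_PDF)` yields PDF_JAVASCRIPT and PDF_JS (low), PDF_U3D_CVE_RELATED (high) and PDF_JS_EXPLOIT_CLUSTER (critical); `triage(BENIGN_PDF)` stops at the two low-severity JavaScript rules, because the form script uses none of the staging APIs and the file has no XFA script or 3D content. `extract_js` returns the same (object, offset, script) triples the artifact table lists, with the offset taken from the object header, so a `0x6B5C6`-style value can be checked against the carved file directly. The `objects` generator is the place to add /ObjStm expansion and name-escape normalisation before using this on real samples.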