Verdict: MALICIOUS
Risk Score: 220
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a PDF file that contains embedded JavaScript, which is triggered upon opening. The JavaScript is obfuscated and utilizes eval() calls, indicating an attempt to hide malicious code. This JavaScript is likely responsible for downloading and executing a second-stage payload from one of the embedded URLs. The presence of exploit cluster heuristics further supports this assessment.
Machine Learning
- Nyx PDF Classifier malicious score 0.7356
Heuristics (9)
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- PDF auto-runs JavaScript form submission on open (critical, PDF_OPENACTION_JS_SUBMITFORM): PDF uses /OpenAction to run JavaScript that calls submitForm() with an external HTTP(S) URL. Opening the document triggers the outbound submission path without requiring a normal link click.
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - https://formulare.virtuelles-rathaus.de/servlet/com.burg.pdf.SimpleFDFServlet?d=0
  - https://formulare.virtuelles-rathaus.de/servlet/com.burg.pdf.ImportServ?d=0
  - https://formulare.virtuelles-rathaus.de/servlet/com.burg.ofs2.barcode.BarcodeServlet?design=$&type=pdf417
  - https://formulare.virtuelles-rathaus.de/servlet/com.burg.pdf.SignServlet?d=5f
  - https://formulare.virtuelles-rathaus.de/servlet/com.burg.pdf.PayServlet?d=6
  - https://formulare.virtuelles-rathaus.de/servlet/ofs?action=send
  - https://formulare.virtuelles-rathaus.de/servlet/com.burg.pdf.SimpleMailServlet
  - http://www.adobe.com/acrobat/readstep.html
Extracted artifacts 15
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| javascript_obj0195_000.js | 9eb3426cfc88396d15a86b175dfd01c1092cd47e0a9c11a3cf9dba46029db0ca | pdf-javascript-stream | PDF /JS object 195 at offset 0x13266 | 83 bytes | |
| javascript_obj0196_001.js | 6df41228049e9cfb40e870ad866cb0990b2c5c68d8dedf656036b6960c17fe67 | pdf-javascript-stream | PDF /JS object 196 at offset 0x132E4 | 91 bytes | |
| javascript_obj0194_002.js | fee55bfb2b9cdc0658a55b80fe1f14a23f0a7ed79f7fd4ce851144fedf36b2c8 | pdf-javascript-stream | PDF /JS object 194 at offset 0x1336A | 58 bytes | |
| javascript_obj0193_009.js | 84391237e30359fab2288524f69e3a5faa52ab0bd4a553b0a541fda146d94ede | pdf-javascript-stream | PDF /JS object 193 at offset 0x13582 | 48 bytes | |
| javascript_obj0192_012.js | 8c1842de4ccb6a3c96db5313300728b182467d8c490b4d5e0d55a77535907087 | pdf-javascript-stream | PDF /JS object 192 at offset 0x1364F | 48 bytes | |
| javascript_obj0001_014.js | 41fed8cb3ab98370115b6b2c6834abe182e09b37b43f61939112c459e12a510a | pdf-javascript-stream | PDF /JS object 1 at offset 0xF | 23072 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). |
| javascript_obj0153_015.js | 51b416d40e3fe50ca6cc0f31faaf0a6a5b8bacfb1e4c1e4f8ab8982b62aff890 | pdf-javascript-stream | PDF /JS object 153 at offset 0x72D5 | 948 bytes | |
| javascript_obj0154_016.js | 3c4718d5b4722e6302a5956d94c9292ffa8bca5b293d7b4d2fb92ad68b7a1803 | pdf-javascript-stream | PDF /JS object 154 at offset 0x75C8 | 1278 bytes | |
| javascript_obj0155_017.js | 37b7eb79892e58dc20ea6975feac49ee9fe3cee1a15414b7be6d53343cdc22b3 | pdf-javascript-stream | PDF /JS object 155 at offset 0x78DC | 1948 bytes | |
| javascript_obj0156_018.js | b90d752a956a79317ce850d9dc248626442258f087fc4e591c9c682371ed73d4 | pdf-javascript-stream | PDF /JS object 156 at offset 0x7C4D | 879 bytes | |
| javascript_obj0157_019.js | 54beb40673c9298f572cf0e8c0a38f651abec4997320e96d7a66a6aa22fbc19a | pdf-javascript-stream | PDF /JS object 157 at offset 0x7E4B | 4040 bytes | |
| javascript_obj0158_020.js | 86fa7b6780ea8978b1a9786befc16005d197f318fd763910910709b2ebe819d2 | pdf-javascript-stream | PDF /JS object 158 at offset 0x83CB | 136 bytes | |
| javascript_obj0159_021.js | 5dc825a345efe5e078ad9ec1684ba5d192fdd7934134de2e788cee9f8b089aac | pdf-javascript-stream | PDF /JS object 159 at offset 0x84BC | 262 bytes | |
| javascript_obj0160_022.js | edf27b97ca5533b1482f126283f0a169d3dd1dd63059ba0201e8599590339d98 | pdf-javascript-stream | PDF /JS object 160 at offset 0x8601 | 4720 bytes | |
| javascript_obj0169_023.js | 490313c61a9c5676eae55794b36d947db4b0d36b751a9f7e097fdc64e3efcc63 | pdf-javascript-stream | PDF /JS object 169 at offset 0x92BD | 8180 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). |