Verdict: MALICIOUS
Risk Score: 172

Malware Insights

MITRE ATT&CK
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The PDF sample contains multiple embedded JavaScript streams, several of which trigger critical heuristics related to eval() calls and the String.fromCharCode method. These JavaScript actions are indicative of an attempt to execute arbitrary code, likely to download and run a secondary payload from a remote source. The presence of these exploit-related heuristics, combined with embedded URLs, strongly suggests a malicious intent, though the specific family remains undetermined.
Machine Learning
- Nyx PDF Classifier malicious score 0.8710
Heuristics (8)
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Additional-actions dictionary (low, PDF_AA): PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.).
- String.fromCharCode (low, PDF_FROMCHARCODE): String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.JavascriptToolbox.com/
  - http://jsfromhell.com/classes/binary-parser
  - http://itextsharp.sourceforge.net
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0286_001.js | 643e78c00dbaedc824c95bd2ad8fd55e43f638abda17569f4cfd3a8bb5b9286d | pdf-javascript-stream | PDF /JS object 286 at offset 0x1761E | 98 bytes |
| javascript_obj0288_002.js | ac37ea970c50712e2ce437eb55da22b00fa20146053eb75a142db37ba35ae85f | pdf-javascript-stream | PDF /JS object 288 at offset 0x177DA | 98 bytes |
| javascript_obj0292_003.js | bbc390269924f7111d56938e5f9f3b5944993c43de046e58ba3c7fc4a51393b1 | pdf-javascript-stream | PDF /JS object 292 at offset 0x17D5D | 98 bytes |
| javascript_obj0294_004.js | 5718090d4f224376bdf41f7789517c12d5eaa74d1d64f84c244511339becf740 | pdf-javascript-stream | PDF /JS object 294 at offset 0x17F27 | 98 bytes |
| javascript_obj0296_005.js | 77924b2b5dfb7a549de63647c0c6bfe70017ba2bc5273842a70f28dfaba95107 | pdf-javascript-stream | PDF /JS object 296 at offset 0x180EE | 98 bytes |
| javascript_obj0298_006.js | e621ebc16e8a09a3c618d9b76c7233fee9b0c43ff7e81ab3b95084ab0c6b5e0b | pdf-javascript-stream | PDF /JS object 298 at offset 0x182C4 | 98 bytes |
| javascript_obj0300_007.js | 8245e90421edb15ba5eb7b59dac9a4febde01cb648b7bd9bcdcc99c5ce08722d | pdf-javascript-stream | PDF /JS object 300 at offset 0x1848F | 98 bytes |
| javascript_obj0302_008.js | da2bc956160adfe05b9fac2354b8c06075659e7478c28684fb58b832455ced3f | pdf-javascript-stream | PDF /JS object 302 at offset 0x18652 | 98 bytes |
| javascript_obj0304_009.js | 42b1a9d03c360f05974c5ccc7dbd639c129efb8b37e24b1fdb374ddf690723d4 | pdf-javascript-stream | PDF /JS object 304 at offset 0x188F4 | 98 bytes |
| javascript_obj0306_010.js | e9cfd51afd7ffb92ff448f913820e107494f624db2546e185ac51a7b9e86f350 | pdf-javascript-stream | PDF /JS object 306 at offset 0x18AB7 | 98 bytes |
| javascript_obj0308_011.js | 8305f01d6199ea2eee875b89c56219f3b95e5f9367a939859c8d06b310904dc1 | pdf-javascript-stream | PDF /JS object 308 at offset 0x18C72 | 98 bytes |
| javascript_obj0310_012.js | b097404fa7bb3cf88af5fce2f54095e96a4d8c30e91b3185a5aeab32cbd3e0cb | pdf-javascript-stream | PDF /JS object 310 at offset 0x18E28 | 98 bytes |
| javascript_obj0312_013.js | c39c89483704aed920a7f54ffa823f387826e0af3b566fa37963752f96948b94 | pdf-javascript-stream | PDF /JS object 312 at offset 0x18FE0 | 98 bytes |
| javascript_obj0314_014.js | 1f40123d755636522ac9b5a9ced8781721f8ab953260b638e16b0fc45e2dfa22 | pdf-javascript-stream | PDF /JS object 314 at offset 0x19199 | 98 bytes |
| javascript_obj0316_015.js | 141820db7a6f1a1860322e1531be8407f6dbb8913f7b58831aaf4fa177e84765 | pdf-javascript-stream | PDF /JS object 316 at offset 0x19360 | 98 bytes |
| javascript_obj0318_016.js | 53e04ad953d211e283cbb69953afa7b35306e91a936d4a5c43738a3d6812abf1 | pdf-javascript-stream | PDF /JS object 318 at offset 0x1954C | 98 bytes |
| javascript_obj0320_017.js | 19d496b68c835beb41e2082976aa1e3fd4ce0dd99426156f797c62b3de995ca4 | pdf-javascript-stream | PDF /JS object 320 at offset 0x1973B | 98 bytes |
| javascript_obj0322_018.js | 2cce9d191f6d18d32b86cc548158f44ad2999ab473f64e611e0cdf81ed767f76 | pdf-javascript-stream | PDF /JS object 322 at offset 0x19929 | 98 bytes |
| javascript_obj0324_019.js | c2b78dea4f8c41a953870705e8b767553dab61eeb7bcbbdbdf9c14df3df122ce | pdf-javascript-stream | PDF /JS object 324 at offset 0x19B15 | 98 bytes |
| javascript_obj0326_020.js | 10e00ec92b8e287c53bfc60785a1d27d89fb1f288640d4c74c034e00d5241c58 | pdf-javascript-stream | PDF /JS object 326 at offset 0x19D04 | 98 bytes |
| javascript_obj0328_021.js | 2f2525e526343aa7bf53e58b87df3c18de41966a5073db65ce3dce3354d77d02 | pdf-javascript-stream | PDF /JS object 328 at offset 0x19EF2 | 98 bytes |
| javascript_obj0330_022.js | e6794b8557d0cf027d9bd5adf529d3b9ce698a98b05110042beee3baf75db1b2 | pdf-javascript-stream | PDF /JS object 330 at offset 0x1A0DC | 98 bytes |
| javascript_obj0332_023.js | 805e3a5d3313f86340ce274dc50555b7f4a0385ea8e0e704f598e223b99fcc61 | pdf-javascript-stream | PDF /JS object 332 at offset 0x1A2C9 | 98 bytes |
| javascript_obj0334_024.js | 892222a159c3503cf483a72ad82cbe7c425e4bc4ff29177cd0b5216e60765631 | pdf-javascript-stream | PDF /JS object 334 at offset 0x1A4B5 | 98 bytes |
| javascript_obj0336_025.js | db86f6a42e7f8c193a54ebfdbd16468a9afaa6400f5fbc0d3209e89aef9e9b50 | pdf-javascript-stream | PDF /JS object 336 at offset 0x1A6A4 | 98 bytes |
| javascript_obj0338_026.js | f94591802554748da6fe3fd4e0a1312bef8baccc4fbe7fa707ad80a1e7faac90 | pdf-javascript-stream | PDF /JS object 338 at offset 0x1A896 | 98 bytes |
| javascript_obj0340_027.js | 01780d894dbc090f2c8060c1703afac2173b18134ea1b59bf8665cf4d48bd5f8 | pdf-javascript-stream | PDF /JS object 340 at offset 0x1AA87 | 98 bytes |
| javascript_obj0342_028.js | 1e76c2c0a8a7f387aff5023e491a9a04b44028ad6c93fde3c3037857cc630462 | pdf-javascript-stream | PDF /JS object 342 at offset 0x1AC6E | 98 bytes |
| javascript_obj0344_029.js | f0d6f07856436bb9a1e31d2c87af6d3af546391bc7651b2e635f7cf07213e3b4 | pdf-javascript-stream | PDF /JS object 344 at offset 0x1AE58 | 98 bytes |
| javascript_obj0346_030.js | e80a279dc8c00a9fcbdf20c17772d06d569645b397c84110044e29fa9af71374 | pdf-javascript-stream | PDF /JS object 346 at offset 0x1B054 | 98 bytes |
| javascript_obj0348_031.js | d7cf46766512a35ab5f463de0f39429cf7f60f6b1c5c6b780a065942a003753b | pdf-javascript-stream | PDF /JS object 348 at offset 0x1B20B | 98 bytes |
| javascript_obj0350_032.js | af511e53a04b06447ba1eabadda37952508744e70776b1fbebe1cd9dcc97cdad | pdf-javascript-stream | PDF /JS object 350 at offset 0x1B409 | 98 bytes |