Malware Insights
The PDF file contains multiple embedded JavaScript streams, with several triggering high-severity heuristics for eval() and unescape() calls, indicating obfuscated code execution. A specific heuristic also flags potential exploitation of U3D/3D content in PDFs, commonly associated with CVE-related vulnerabilities. The embedded JavaScript streams are likely responsible for downloading and executing a second-stage payload, though their exact functionality is obscured by heavy obfuscation. The presence of numerous decompressed JS streams suggests a complex, multi-stage attack.
Heuristics (9)

- U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (severity: high; rule: PDF_U3D_CVE_RELATED). PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
- eval() call (severity: high; rule: PDF_EVAL). eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
- unescape() call (severity: high; rule: PDF_UNESCAPE). unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
- Embedded script payload in PDF stream (severity: medium; rule: PDF_EMBEDDED_SCRIPT_PAYLOAD). PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
- JavaScript action (severity: low; rule: PDF_JAVASCRIPT). PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
- Embedded JS stream (severity: low; rule: PDF_JS). PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
- String.fromCharCode (severity: low; rule: PDF_FROMCHARCODE). String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
- Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info; rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs extracted:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/g/img/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://purl.org/dc/elements/1.1/
Extracted artifacts (29)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| stream_053_off0005bd46.js | d9a00bae7f9b4a73d28810c0596afc4684ed9b978ed91afc480c36218b32340d | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5BD46 | 28204 bytes | ClamAV: No threats found. Obfuscation or payload: likely (5 eval/decoder/string-building tokens) |
| stream_054_off0005d1af.js | acd6244460873bfdf8c84155b55e9873f457aed088cf4e27f87aa67a1a5f0137 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5D1AF | 23881 bytes | ClamAV: No threats found. Obfuscation or payload: likely (5 eval/decoder/string-building tokens) |
| stream_055_off0005e348.js | a6ad86a483aebeef23a7a78a561460281eaa4044d00d1444d58691b626f4b0b8 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5E348 | 7720 bytes | ClamAV: No threats found. Obfuscation or payload: likely (4 eval/decoder/string-building tokens) |
| stream_056_off0005ebd8.js | c37678945a32ddd6d14330812f6555e409e97a7d6be74c29298245d527cea542 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5EBD8 | 7131 bytes | ClamAV: No threats found. Obfuscation or payload: likely (4 eval/decoder/string-building tokens) |
| stream_057_off0005f393.js | cb36499b7c0a124d929629c2cc1bff04fb13abc77a80ad168c858bf459b6220f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5F393 | 18421 bytes | ClamAV: No threats found. Obfuscation or payload: likely (10 eval/decoder/string-building tokens) |
| stream_058_off00060516.js | 60f7dc10ce4582ab06e8dba17c351f255e7f4e9909d88d50ec31213cdf9b6be0 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x60516 | 12428 bytes | ClamAV: No threats found. Obfuscation or payload: likely (5 eval/decoder/string-building tokens) |
| stream_059_off0006101d.js | 1c80b1fcfa1a882440def46b1e6406af32dd4a56499b144c09c13572bed8879c | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6101D | 5368 bytes | ClamAV: No threats found. Obfuscation or payload: likely (5 eval/decoder/string-building tokens) |
| stream_060_off0006161f.js | af85a00d5afdac67c61116cfb59f33c5720abbdd7dab1e81ecd6278b0ca3ff7f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6161F | 26144 bytes | ClamAV: No threats found. Obfuscation or payload: likely (11 eval/decoder/string-building tokens) |
| stream_061_off00062b13.js | 70e19c3af78739072cf0c51dfe5e6d2d74ba439663b3b3757c66446c7ef081d2 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x62B13 | 8402 bytes | ClamAV: No threats found. Obfuscation or payload: likely (3 eval/decoder/string-building tokens) |
| stream_062_off0006334a.js | ec51594e4b6802de4c6d4cb9a3c0b77804bd8b541ea779adadc994ae123b0501 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6334A | 12178 bytes | ClamAV: No threats found. Obfuscation or payload: likely (4 eval/decoder/string-building tokens) |
| stream_063_off00063d67.js | 6caa7dd98eb42d21b7ee6ae5fc317a8bfdb2e8983d02710a0b5928bc4c878992 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x63D67 | 1632 bytes | ClamAV: No threats found. Obfuscation or payload: likely (4 eval/decoder/string-building tokens) |
| stream_072_off0006958a.js | 20813868ff5924a446b9a1ca93a0f8ca1937ae3a86932db3b02a61aed190f58f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6958A | 56410 bytes | ClamAV: No threats found. Obfuscation or payload: likely (14 eval/decoder/string-building tokens) |
| stream_073_off0006be11.js | 4d7c4e5dc99001e77d0dea36f8cb3703c863ddc6ad281286d72a2f41f59ae98b | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6BE11 | 44812 bytes | ClamAV: No threats found. Obfuscation or payload: likely (5 eval/decoder/string-building tokens) |
| stream_074_off0006dcbb.js | e2290a81b586bac2c892ba2299416d09668e12e9e0e98958692a38354c69721d | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6DCBB | 9013 bytes | ClamAV: No threats found. Obfuscation or payload: likely (5 eval/decoder/string-building tokens) |
| stream_075_off0006e4b0.js | acdd026b272c4fcf9dcbfa94681436b9c70cf2805369bdb363ed10c3e4161b75 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6E4B0 | 1796 bytes | ClamAV: No threats found. Obfuscation or payload: likely (4 eval/decoder/string-building tokens) |
| stream_076_off0006e7fd.js | 1c2f8fa58b8f5992b85b8bcec7fcdca2948e972bc8a7c32103c96cc2690ff776 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6E7FD | 17888 bytes | ClamAV: No threats found. Obfuscation or payload: likely (5 eval/decoder/string-building tokens) |
| stream_077_off0006f68a.js | 265a639a8cbe3cfd38ecad67b2efc469e897aa02dfacdb3d3084587b464cb618 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6F68A | 17210 bytes | ClamAV: No threats found. Obfuscation or payload: likely (5 eval/decoder/string-building tokens) |
| stream_078_off00070431.js | c0ea2ae0aa0256cb6262856194675d8f3506242b0c10dad1b02c3d058de4a98a | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x70431 | 38073 bytes | ClamAV: No threats found. Obfuscation or payload: likely (16 eval/decoder/string-building tokens) |
| stream_079_off00072175.js | 4c00428ae36f5ca7a5c5c499a71c521009015460210cae87312362c2443321da | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x72175 | 29588 bytes | ClamAV: No threats found. Obfuscation or payload: likely (6 eval/decoder/string-building tokens) |
| stream_080_off000736a0.js | cdf52350da1741bfffa96552d7abc9b2fa3ed2fcd7f6dbba6eeb747d9bd5d07a | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x736A0 | 5859 bytes | ClamAV: No threats found. Obfuscation or payload: likely (4 eval/decoder/string-building tokens) |
| stream_081_off00073ce8.js | 37f8a07e2b4ad30ea896a939ff158bfa56c47ebf7db14a1e7960aae4569b20f5 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x73CE8 | 1912 bytes | ClamAV: No threats found. Obfuscation or payload: likely (6 eval/decoder/string-building tokens) |
| stream_082_off00074073.bin | 87ac3af9f6ee33b427fd2e183b4f51cad816f65bb8e2e977c381c28472242a7d | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x74073 | 62944 bytes | |
| stream_083_off00080b95.js | 56a87f97b6e3bf1e6e8117231ee9e5b443ae3563a67d5ebe2ae7fa55468302b6 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x80B95 | 184355 bytes | ClamAV: No threats found. Obfuscation or payload: likely (2 eval/decoder/string-building tokens) |
| stream_084_off0008b8de.js | 13f4124805789ce9f20546cb787be547c408a1be7160250c99d9d3343540f229 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8B8DE | 271969 bytes | ClamAV: No threats found. Obfuscation or payload: likely (4 eval/decoder/string-building tokens) |
| objstm_0072_00.bin | e92a33c102d9adb3546cc31fe38a2be37e16097003a39d1d137393aa29d22001 | pdf-objstm-decoded | PDF /ObjStm 72 0 obj (inflated) | 15160 bytes | |
| objstm_0073_00.bin | ac2c7b85e0bb2cf16ef50c3c7a9ad3221501a1fed1dba3c41310c76919d787e9 | pdf-objstm-decoded | PDF /ObjStm 73 0 obj (inflated) | 5699 bytes | ClamAV: No threats found. Obfuscation or payload: likely (2 long base64-like blobs) |
| font_00_sfnt_off00000b1a.bin | d6c87a9ca199ae8ba090d0572b93dd998834c9c653719de43d2ecc5b209048e7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB1A | 80690 bytes | |
| font_01_cff_off000101a1.bin | ff2bd39b1311329d9bedf20dcc32a5c5691647192c7f1c6f455126503a909ee9 | pdf-font-stream | PDF embedded font (cff) at offset 0x101A1 | 1558 bytes | |
| font_02_sfnt_off00034700.bin | f39f99e2d4b021d4eac703afe26d32ad26f128c442f2089910c21b1f323fc85d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x34700 | 79301 bytes | |