MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1203 Exploitation for Client Execution
This PDF file is malformed and contains an embedded JavaScript payload. The JavaScript is designed to execute a Windows Script Host payload, likely to download and run a second-stage malicious file. The ML classifier strongly indicates maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 0.9647
Heuristics 3
-
Malformed PDF header with no object graph high PDF_MALFORMED_NO_OBJECT_GRAPHFile starts with a PDF header but contains no indirect objects, xref table/stream, or startxref pointer. This is not a normal renderable PDF and can indicate parser fuzzing, evasion, or a corrupt exploit test case rather than benign content.
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
PDF JavaScript embeds a Windows Script Host payload high PDF_JS_WSCRIPT_PAYLOADPDF JavaScript contains a Windows Script Host/JScript payload using WScript.CreateObject and WScript.Shell with environment, run/exec, registry, sleep, or downloader-adjacent behavior. This is suspicious payload delivery but is not attributed to a specific Acrobat CVE unless a parser/API trigger is also found.
Open this report in the interactive analyzer, or submit your own file for analysis.