Verdict: MALICIOUS (Risk Score 94)
Malware Insights
MITRE ATT&CK: T1059.001 PowerShell
This PDF file contains multiple embedded JavaScript streams, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The presence of String.fromCharCode suggests obfuscation within the JavaScript, which is commonly used to download and execute secondary payloads. The AcroForm button with an action trigger further supports the idea of an interactive malicious element. While no specific URLs or hashes were extracted, the techniques used point towards downloader or dropper functionality.
Machine Learning
- Nyx PDF Classifier suspicious score 0.2891
Heuristics (5)

- JavaScript action (low, 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script: `if (c == " "|| c == "."|| c == String.fromCharCode(13)){` (note that the only fromCharCode call on the matched line is `String.fromCharCode(13)`, which evaluates to a carriage-return character inside a keystroke comparison; the rule fired on the API name, not on a decoded payload).
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (low) PDF_ACROFORM_BUTTON: PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://SavePDF.SYSTOC.com (referenced by PDF JavaScript)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
Extracted artifacts (32)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0180_000.js | pdf-javascript-stream | PDF /JS object 180 at offset 0xE562 | 181 bytes | 5b823c11eecb1f2d5a01dc0ff214a43faea1fc40718ef6eb2b2b3b72162826be |
| javascript_obj0202_004.js | pdf-javascript-stream | PDF /JS object 202 at offset 0xE805 | 41 bytes | 39d90445376aef124b4d4ab7cc0730b9b3b456f6b5c57b062fa4ee05a9abef37 |
| javascript_obj0203_005.js | pdf-javascript-stream | PDF /JS object 203 at offset 0xE878 | 37 bytes | 68d0bad3e87b30b17364de05d18c33ecdcb88fba64f10d9518fd28b182546ab1 |
| javascript_obj0218_007.js | pdf-javascript-stream | PDF /JS object 218 at offset 0xE938 | 41 bytes | 056b880c01cdfb0648acf21bf2f3bfc2e5330268ec5a5de34a5b4a57bd1b6cdf |
| javascript_obj0219_008.js | pdf-javascript-stream | PDF /JS object 219 at offset 0xE9AD | 88 bytes | 365d880a881fac7855bb865330aaf46fcfbb8f86d3cbeb95706a6c80a2e2937c |
| javascript_obj0238_012.js | pdf-javascript-stream | PDF /JS object 238 at offset 0xEC95 | 208 bytes | c031737ce46c67486de54e0f504fe9b004d8f179ce73ebe525c20c0a9841a470 |
| javascript_obj0239_013.js | pdf-javascript-stream | PDF /JS object 239 at offset 0xEDA5 | 206 bytes | fa448e960943396be58cfbc418b6bbc99c82ed050a69d3c6ebe3708c1776e263 |
| javascript_obj0273_017.js | pdf-javascript-stream | PDF /JS object 273 at offset 0xF1CB | 48 bytes | 7e38bacbad8c8b8b22ea9449e79f807f94ac2b5c9a0bebfe2046cd9d4d5d07b6 |
| javascript_obj0274_018.js | pdf-javascript-stream | PDF /JS object 274 at offset 0xF233 | 44 bytes | f87ca0b24ccf42b743c4f55cb275b813deea671fbcb64d72374c21a3d18a7689 |
| javascript_obj0289_019.js | pdf-javascript-stream | PDF /JS object 289 at offset 0xF413 | 33 bytes | b49875e7a786cc7d62191be88c49afc7a7f53551d4ec30ddf24c3fd7583d7233 |
| javascript_obj0290_020.js | pdf-javascript-stream | PDF /JS object 290 at offset 0xF45E | 51 bytes | 054529fd8206fcd540f450f7d699bd9c226993c851999f0123c4dc6b32c582ec |
| javascript_obj0308_023.js | pdf-javascript-stream | PDF /JS object 308 at offset 0xF7C1 | 32 bytes | 5b43d6ab17751620869bda1eb77114453254b5a96522ddea609da4bcbcb1d9ae |
| javascript_obj0450_028.js | pdf-javascript-stream | PDF /JS object 450 at offset 0x13AEC | 43 bytes | 76726842df90410aab092732e5abc7dbd3ac7899987d52d60602698c2ab185c9 |
| javascript_obj0452_029.js | pdf-javascript-stream | PDF /JS object 452 at offset 0x13C05 | 37 bytes | 7020e07dd78578c6a64cd6ebf7d2d4c42788e22207cf7dafac5b264ebd8888b2 |
| javascript_obj0474_030.js | pdf-javascript-stream | PDF /JS object 474 at offset 0x14C1C | 67 bytes | e92a6222941939abe9d8f44814359fc43e6fa45f59621f3e09a57c78b8211cbf |
| javascript_obj0486_032.js | pdf-javascript-stream | PDF /JS object 486 at offset 0x15218 | 77 bytes | 6acb9721ab653a68fc7aa6ec0cc4f5de9b988a20091bbc3f339a1e86e4865eee |
| javascript_obj0793_033.js | pdf-javascript-stream | PDF /JS object 793 at offset 0x2DE9B | 166 bytes | ffc40a985d318c9306f06a227ff403a7db7138a97ab348db24be534e86ea7305 |
| javascript_obj0822_034.js | pdf-javascript-stream | PDF /JS object 822 at offset 0x2E485 | 182 bytes | 3fdae12e1394253d70a9ae6ae6ddb548b40a35e8c9bc4ab4700d55ece78169bb |
| javascript_obj0823_035.js | pdf-javascript-stream | PDF /JS object 823 at offset 0x2E58D | 169 bytes | 4436307cf9a789f0716c1387484f1638834e09cb5cd66827742ec7942b87e96b |
| javascript_obj0840_036.js | pdf-javascript-stream | PDF /JS object 840 at offset 0x2E95E | 190 bytes | 9563aeb16654269d63663f90797355ac8830b653e6e2d4505cf3c8e02192544b |
| javascript_obj1052_037.js | pdf-javascript-stream | PDF /JS object 1052 at offset 0x2FDA7 | 60 bytes | 3310556741b7ca472f9af8aeb1541f90a6cb62f548a47b6d7b3bd1c2c04ed9d1 |
| javascript_obj1059_038.js | pdf-javascript-stream | PDF /JS object 1059 at offset 0x2FFE1 | 35 bytes | 80cc7513fc96a260823490d5188681ee7ca2f319843b437d9406135fd049be2c |
| javascript_obj1068_043.js | pdf-javascript-stream | PDF /JS object 1068 at offset 0x3027C | 38 bytes | ecfcaf8103cdec1191d0fe82441e9a23cab7fcab05521afda120007e82da082a |
| javascript_obj1069_044.js | pdf-javascript-stream | PDF /JS object 1069 at offset 0x302E5 | 32 bytes | 9b6921f1b436537b4324fec48fa6d815ec990b1a2179a37b6a85cd307cae3a9d |
| javascript_obj1081_047.js | pdf-javascript-stream | PDF /JS object 1081 at offset 0x3066A | 190 bytes | 6a528bcb501097ad409085926322d4c5335a158705658c8b58210cc65191c04f |
| javascript_obj1086_051.js | pdf-javascript-stream | PDF /JS object 1086 at offset 0x308B7 | 43 bytes | c88194b6eac486c40f53c6cc62e25a9fff7e911c10208cbce87c562df33d2a85 |
| javascript_obj1091_052.js | pdf-javascript-stream | PDF /JS object 1091 at offset 0x30A03 | 38 bytes | 0cb4a1cf19d38099753d7941a0e7b017913d4df0eb0455d208d9681952b3f8d9 |
| javascript_obj1095_054.js | pdf-javascript-stream | PDF /JS object 1095 at offset 0x30AEC | 36 bytes | b6f6c066bdbfe0d8c01fae13c6872f6067b580b78b770243bc68c0f678058fea |
| javascript_obj1096_055.js | pdf-javascript-stream | PDF /JS object 1096 at offset 0x30B4B | 34 bytes | 2bb9d30849baed005b2d3480d9c518168b8657048d959ce942df88003008d357 |
| javascript_obj1099_058.js | pdf-javascript-stream | PDF /JS object 1099 at offset 0x30C36 | 102 bytes | ba221c3e588c3c5b3dfba8556ab210501bd117cbf27e19e71dd04872287855b0 |
| javascript_obj1101_059.js | pdf-javascript-stream | PDF /JS object 1101 at offset 0x30D2F | 33 bytes | 546c815f88a8368b0cb74ac25c25f0da7ae1e5b944194a5fb4faefb39435f5f2 |
| javascript_obj1102_060.js | pdf-javascript-stream | PDF /JS object 1102 at offset 0x30D8F | 36 bytes | b35854ba7d6b87b85598dbad6d2d7529d50eee209ce2d490caf525a49b1ea42f |

Preview scripts (first 1,000 lines of each extracted script, reproduced as carved)

**javascript_obj0180_000.js**
```javascript
if (this.getField("input.prescriptionnumber").value == "Off"){
this.getField("input.prescriptionnumber").value = 1;
}
Fill_Prescription_Memo();
```

**javascript_obj0202_004.js**
```javascript
Unlock();
```

**javascript_obj0203_005.js**
```javascript
Lock();
```

**javascript_obj0218_007.js**
```javascript
Save();
```

**javascript_obj0219_008.js**
```javascript
Paragraph("input.exam.memo","input.paragraph.pe","PHYSICAL EXAMINATION: ",2)
```

**javascript_obj0238_012.js**
```javascript
if (this.getField("ohr.empx.suppressalert").value == 0){
this.getField("ohr.empx.AllergiesMemo").textColor = color.red;
}
else {
this.getField("ohr.empx.AllergiesMemo").textColor = color.black;
}
```

**javascript_obj0239_013.js**
```javascript
if (this.getField("ohr.empx.suppressalert").value == 0){
this.getField("ohr.empx.AllergiesMemo").textColor = color.red;
}
else {
this.getField("ohr.empx.AllergiesMemo").textColor = color.black;
}
```

**javascript_obj0273_017.js**
```javascript
Fill_Prescription_Memo(); Build_RX();
```

**javascript_obj0274_018.js**
```javascript
Fill_Prescription_Memo(); Build_RX();
```

**javascript_obj0289_019.js**
```javascript
AFDate_KeystrokeEx("mm/dd/yyyy");
```

**javascript_obj0290_020.js**
```javascript
Today("ohr.trt.clinicwrkstatusdt");
```

**javascript_obj0308_023.js**
```javascript
Fill_PR();
```

**javascript_obj0450_028.js**
```javascript
this.print();
```

**javascript_obj0452_029.js**
```javascript
Save();
```

**javascript_obj0474_030.js**
```javascript
this.print();
```

**javascript_obj0486_032.js**
```javascript
this.print();
```

**javascript_obj0793_033.js**
```javascript
function Hide_Save_Ribbon()
{
// A simple function that hides the save ribbon.
// Passed values: None
this.getField("cmd.sign").display = display.hidden;
}
```

**javascript_obj0822_034.js**
```javascript
function Sign_Appear()
{
var name = this.getField("ohr.ord.staff_id").value;
if (this.getField(name)){
this.getField(name).display = display.visible;
}
}
```

**javascript_obj0823_035.js**
```javascript
function Sign_Hide()
{
var name = this.getField("ohr.ord.staff_id").value;
if (this.getField(name)){
this.getField(name).display = display.hidden;
}
}
```

**javascript_obj0840_036.js**
```javascript
function Address_Leave()
{
/*
Action: Removes the field for address entry and returns to the library.
Passed Values : None
*/
this.removeField("book");
Do_Import();
}
```

**javascript_obj1052_037.js**
```javascript
CalcAge("ohr.pat.BirthDate","calc.Age");
```

**javascript_obj1059_038.js**
```javascript
Do_HPI_Dictation();
```

**javascript_obj1068_043.js**
```javascript
Restore_HPI();
```

**javascript_obj1069_044.js**
```javascript
Restore_HPI();
```

**javascript_obj1081_047.js**
```javascript
Do_HPI_Dictation();
if (this.getField("input.hpidata.injury").value ==1){
this.getField("ohr.trt.PainLevel").value = this.getField("input.hpidata.10").value
}
```

**javascript_obj1086_051.js**
```javascript
Lock();
```

**javascript_obj1091_052.js**
```javascript
Fill_Consultation;
```

**javascript_obj1095_054.js**
```javascript
Fill_Consultation();
```

**javascript_obj1096_055.js**
```javascript
Fill_PT();
```

**javascript_obj1099_058.js**
```javascript
this.getField("ohr.pat.Initial").value=this.getField("ohr.pat.Initial").value.toUpperCase();
```

**javascript_obj1101_059.js**
```javascript
Transcribe();
```

**javascript_obj1102_060.js**
```javascript
Do_Import();
```