MALICIOUS
Risk Score: 116
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 5
- JavaScript action (low, 2 related findings), PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- exportDataObject + nLaunch — embedded-file launch-on-open dropper (critical), PDF_JS_EXPORT_LAUNCH_DROPPER: PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
- Embedded JS stream (low), PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file (low), PDF_EMBEDDED: PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
- Suspicious extracted artifact (info), EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| gdvvvv.doc | pdf-embedded-file | PDF EmbeddedFile object 9 at offset 0x307 | 112818 bytes |
| javascript_obj0002_000.js | pdf-javascript-stream | PDF /JS object 2 at offset 0x5779 | 59 bytes |

gdvvvv.doc
- SHA-256: 07ba38ef7026f299d336cabe473596fbac5923b233ce43c38aba94b34e3ed501
- Detection
  - ClamAV: No threats found
  - Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s).

javascript_obj0002_000.js
- SHA-256: 3f4773f17ca522104fa8260583adb098a935b0fa97539b6b6de0c883e8dc52c8
- Preview script (first 1,000 lines of the extracted script):

    this.exportDataObject({ cName: "gdvvvv.doc", nLaunch: 2 });