Verdict: MALICIOUS
Risk Score: 74
Malware Insights
MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.007 JavaScript
This PDF document contains multiple embedded JavaScript streams, with several triggering heuristics related to JavaScript execution and obfuscation, including the use of eval() and String.fromCharCode. The presence of these elements suggests the document is designed to exploit PDF vulnerabilities to run malicious code. The specific intent of the JavaScript is unclear due to obfuscation, but it likely aims to download and execute a second-stage payload.
Heuristics (7)
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- String.fromCharCode (low, PDF_FROMCHARCODE): String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/iX/1.0/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
Extracted artifacts (27)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj1109_006.js0ac36b35c9b9868f3a6e8782e626a73a77a9d64c4009f7c1035ffcbdf823d700 |
pdf-javascript-stream | PDF /JS object 1109 at offset 0x1B1E0 | 1082 bytes |
Detection (object 1109): ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s).
javascript_obj1111_007.js71393fb3f6adfb076734da164b578bcaa24fad9da40b36329255d95d0053bcd0 |
pdf-javascript-stream | PDF /JS object 1111 at offset 0x1B439 | 11195 bytes |
javascript_obj1113_008.jsd5d0891ac1be81c8b752a442b23cdfbad6371db80f2267f442e29ccfc8c6382e |
pdf-javascript-stream | PDF /JS object 1113 at offset 0x1C1A5 | 6836 bytes |
javascript_obj1115_009.js808c684c6f98ffc90cd194b3ff2b549c296c326f9d54dd9bf7f206ccedbd9e39 |
pdf-javascript-stream | PDF /JS object 1115 at offset 0x1CB51 | 2390 bytes |
javascript_obj1117_010.jsa039de835df1ab680c5a3f7bd1726b4dc29e82f2df86dc93164a5f7efbdd5927 |
pdf-javascript-stream | PDF /JS object 1117 at offset 0x1CF34 | 1025 bytes |
javascript_obj1119_011.js226170ae4d62738ffdc38d6b7e43baddcf809a49a2e76510fd0024ff738fc933 |
pdf-javascript-stream | PDF /JS object 1119 at offset 0x1D110 | 4127 bytes |
javascript_obj1121_012.jsf5a7524363feab60bcd065e260fff4530d695e7b3c0bfd8e2349afc46cec93af |
pdf-javascript-stream | PDF /JS object 1121 at offset 0x1D583 | 14143 bytes |
javascript_obj1123_013.js32f13d6810aaac911a7297ba6547ca053adae371d4f67923a82a16ea3add4311 |
pdf-javascript-stream | PDF /JS object 1123 at offset 0x1E380 | 4603 bytes |
javascript_obj1125_014.js2f2260d8118df1fc15df2d4361befc0ff2dcb186a26d4b2b960511fa49cf7877 |
pdf-javascript-stream | PDF /JS object 1125 at offset 0x1E980 | 6492 bytes |
javascript_obj1127_015.jsae82ed22803c9e2d4c6c211368e684ed61e15325bc676bdddf7bfe1d26a3a323 |
pdf-javascript-stream | PDF /JS object 1127 at offset 0x1F061 | 5759 bytes |
javascript_obj1129_016.js2f1d2f81f4c0e6c201815c4dff2998d050938e468e266f952d6cd7e47be7af88 |
pdf-javascript-stream | PDF /JS object 1129 at offset 0x1F6B3 | 3846 bytes |
javascript_obj1131_017.jsf06b23987cd2530a9934988c763daeed23153febb6dee37355a57ec07fbc3383 |
pdf-javascript-stream | PDF /JS object 1131 at offset 0x1FA2F | 14898 bytes |
javascript_obj1133_018.jscebc314097841998d5e5f556b235790486243bfb69fe435e389677ac9aa8b84b |
pdf-javascript-stream | PDF /JS object 1133 at offset 0x2033E | 9885 bytes |
javascript_obj1135_019.js80b27af8f8684f37743b0655ba4c214738197f6a9b2cd1d229dbb61fc6d401d0 |
pdf-javascript-stream | PDF /JS object 1135 at offset 0x20DA7 | 16196 bytes |
Detection (object 1135): ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 6 eval/decoder/string-building token(s).
javascript_obj1137_020.jsa49e23c764e53f72babfe7c217d39bb3a3df1e7e5d36a473052bd69609f7ae11 |
pdf-javascript-stream | PDF /JS object 1137 at offset 0x21FFF | 9133 bytes |
Detection (object 1137): ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj1139_021.js7e3ffca9be353ccba0a2272b2a0a9581c97fc189d75e91f4e367f7f3d89882f5 |
pdf-javascript-stream | PDF /JS object 1139 at offset 0x22AC1 | 2419 bytes |
javascript_obj1141_022.jsa1d7ca39d6051772db0eeea18f24fb953452a01b73edc50b9f09acb023467bb2 |
pdf-javascript-stream | PDF /JS object 1141 at offset 0x22E9F | 3740 bytes |
javascript_obj1143_023.jsb80faa9ec38ede6faadefd7d3b65ca3cdacd925497c4a9b47624c7a6a450d712 |
pdf-javascript-stream | PDF /JS object 1143 at offset 0x233B7 | 16250 bytes |
javascript_obj1145_024.jsc15b99440b226161bbbced37b506841cc118b0df2418a192824b43a1c66e5757 |
pdf-javascript-stream | PDF /JS object 1145 at offset 0x2373B | 6931 bytes |
javascript_obj1147_025.js9a39747644f5533763875bd91e1a5570395d35adbf25856a7e6896e5d5d1ec2e |
pdf-javascript-stream | PDF /JS object 1147 at offset 0x23A65 | 1181 bytes |
Detection (object 1147): ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s).
javascript_obj1149_026.js2d381aeed757d106ee0fbed5a201288af0ca1028016e4172b7cf1989b78c7e69 |
pdf-javascript-stream | PDF /JS object 1149 at offset 0x23CA1 | 13213 bytes |
javascript_obj1151_027.js749efdf836b1db0dfe2710169a872372683116f459d9763df69283bd344076e2 |
pdf-javascript-stream | PDF /JS object 1151 at offset 0x248F2 | 2437 bytes |
Detection (object 1151): ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj1153_028.js0baa621c903c14e69addca93f43d3f1a41012c9fc492caae97f76f9a4f7c84d1 |
pdf-javascript-stream | PDF /JS object 1153 at offset 0x24CA6 | 6722 bytes |
javascript_obj1155_029.js393a1e44d83e2715020ab13ba04dc52f74e5041e8cc275186c38ff94a09e34e8 |
pdf-javascript-stream | PDF /JS object 1155 at offset 0x2545B | 12191 bytes |
javascript_obj1157_030.js174fa637afb937ba32ae77ce1eee3b538e99a6fc14d04e8e4bf08f2631b7982e |
pdf-javascript-stream | PDF /JS object 1157 at offset 0x25B3F | 13019 bytes |
Detection (object 1157): ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj1159_031.js893c6431809ae49dda3f8f30610d5b8f4535f7866491bffa5b9e38187aaddea7 |
pdf-javascript-stream | PDF /JS object 1159 at offset 0x26609 | 166 bytes |
javascript_obj1161_032.js84803724c83b454d4b334bbe7153f26e595f2c92e0865ef54535c45f7cadcada |
pdf-javascript-stream | PDF /JS object 1161 at offset 0x266EA | 120 bytes |