MALICIOUS
94
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The PDF file contains embedded JavaScript and triggers XFA form and eval() heuristics, indicating malicious code execution. The embedded script payload, 'embedded_pdf_script_00001fa3.bin', is highly suspicious and likely responsible for downloading and executing a secondary payload. The presence of PDF_JAVASCRIPT and PDF_JS firings further supports this attack pattern.
Heuristics 8
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution
-
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
String.fromCharCode low PDF_FROMCHARCODEString.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xci/2.8/
- http://www.xfa.org/schema/xfa-template/2.6/
- http://www.xfa.org/schema/xfa-locale-set/2.7/
- http://www.xfa.org/schema/xfa-locale-set/2.6/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xfa/promoted-desc/
- http://www.xfa.org/schema/xfa-form/2.8/
- http://www.xfa.org/schema/xfa-data/1.0/
- http://purl.org/dc/elements/1.1/
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_002_off0000034a.jsf94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x34A | 1313 bytes |
stream_003_off00000528.js1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x528 | 902 bytes |
embedded_pdf_script_00001fa3.bine45f0db5444a350dc36906b62f13de3242a7bcc160612704abd60036808f4770 |
pdf-embedded-script | PDF raw stream script payload at offset 0x1FA3 | 14750 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
objstm_0039_00.bin1ea3deb9e8fefd18545f049b32b3e41f97022417f1a40126c3434430380af6d5 |
pdf-objstm-decoded | PDF /ObjStm 39 0 obj (inflated) | 1389 bytes |
font_00_cff_off00000f11.bin666463adac6cacb6e214e0e648c340c7321ba33bf110c46c426619784597d466 |
pdf-font-stream | PDF embedded font (cff) at offset 0xF11 | 1289 bytes |
font_01_sfnt_off000068c7.bin3a47365ba29be93b97be381e34ec3c7ef0a10e0f82cdb3dadd6fb11f2800fdb3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x68C7 | 36717 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.