Verdict: MALICIOUS
Risk Score: 96
MITRE ATT&CK: T1059.001 PowerShell

Malware Insights
The PDF contains multiple embedded JavaScript streams, with one stream exhibiting eval() calls and ML classification flagging it as malicious. The presence of JavaScript actions and embedded JS streams, combined with the ML score, indicates a high likelihood of malicious intent. The script's purpose is inferred to be the execution of further malicious code, potentially through obfuscated JavaScript.
Machine Learning
- Nyx PDF Classifier malicious score 0.7891
Heuristics (6)
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
- JavaScript action (low, PDF_JAVASCRIPT, 1 related finding): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
Extracted artifacts (23)
Files carved from inside the sample during analysis.

| Filename | Hash (hex) | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0098_000.js | 87b473ce70c9228c80c80935ff6724a7a159c26f0d27bed1676f18ea1f6de784 | pdf-javascript-stream | PDF /JS object 98 at offset 0xFF7 | 138 bytes |
| javascript_obj0167_001.js | b9122b4565950ac192ee1052575e439b51edce2b995128e9d1237602e6f82807 | pdf-javascript-stream | PDF /JS object 167 at offset 0x126FF | 34 bytes |
| javascript_obj0168_002.js | 52011416a458c8279d38f8cf1c17ce225d4c5fdf444265e34e3abb588280acfb | pdf-javascript-stream | PDF /JS object 168 at offset 0x12749 | 35 bytes |
| javascript_obj0174_003.js | d329fc89f18b6cb97d018e3ae694eeb99a19378532ad120d658ed85d7c2ade87 | pdf-javascript-stream | PDF /JS object 174 at offset 0x12F7E | 213 bytes |
| javascript_obj0185_008.js | 19057f9f222d49fdca3560b5c97e17d32cdc47ba686d03bea00fb381aac62c17 | pdf-javascript-stream | PDF /JS object 185 at offset 0x13340 | 33 bytes |
| javascript_obj0186_009.js | 1c84c437503e05ac5400760fdae3efa7ef1e1f4bca451dbe031a6deb63310391 | pdf-javascript-stream | PDF /JS object 186 at offset 0x13389 | 34 bytes |
| javascript_obj0198_011.js | 5fff2c97c1f133b69d891c8e00092d361f5cb3fbaddc5fd34fd53b9fe71add0d | pdf-javascript-stream | PDF /JS object 198 at offset 0x13BDB | 48 bytes |
| javascript_obj0202_012.js | 0754db8e26c8ae53a12fe23791d868e084ea489a2c7feaa23537b3e7d7d6668c | pdf-javascript-stream | PDF /JS object 202 at offset 0x13DBD | 86 bytes |
| javascript_obj0030_015.js | 26bce592e4bcddbe6a32dd757196a8dd48febe02b79b0b40cacce8ef5e3d88d6 | pdf-javascript-stream | PDF /JS object 30 at offset 0x1ACB6 | 688 bytes |
| javascript_obj0037_016.js | 5082bcc1b1f9711d3c541a98123c63bd9fa63486704a574c1d423c180c7c9d98 | pdf-javascript-stream | PDF /JS object 37 at offset 0x1B20B | 296 bytes |
| javascript_obj0088_017.js | 488d146717b23eb8004388e72a398c124cd079d65dfc76df7d2380bb827ae223 | pdf-javascript-stream | PDF /JS object 88 at offset 0x1DE12 | 565 bytes |
| javascript_obj0104_018.js | eb6f39e215c39613dc0323bd466a93e50bf841f69ab16dba3e2c622893dcb07a | pdf-javascript-stream | PDF /JS object 104 at offset 0x1199 | 1682 bytes |
| javascript_obj0105_019.js | 4a27be701b46a16950b39bfb75271b0b43849b2a72cd2143070f8e49a163e903 | pdf-javascript-stream | PDF /JS object 105 at offset 0x13E8 | 1351 bytes |
| javascript_obj0106_020.js | 19850ebca5dbcb0c1d8241dd98da17f45d6a763064cdc7e0749ed5f82791d146 | pdf-javascript-stream | PDF /JS object 106 at offset 0x15F9 | 887 bytes |
| javascript_obj0107_021.js | 7e8a6dc55ba2874fb9b17552b8ce2079c91dbf804ce3b95a002ae5d44275efcd | pdf-javascript-stream | PDF /JS object 107 at offset 0x17CB | 3299 bytes |
| javascript_obj0108_022.js | 5850f36341a6eda824fd8dfeb1427224d6618a91e52a1120c9c47e529491542f | pdf-javascript-stream | PDF /JS object 108 at offset 0x1CF7 | 1154 bytes |
| javascript_obj0109_023.js | 4937fa5476556b4c1144187ddc04215eae3f34b968eb6d0dd865964cd6d52ff9 | pdf-javascript-stream | PDF /JS object 109 at offset 0x1F85 | 679 bytes |
| javascript_obj0110_024.js | 5d1b53ad09bf8f559091f524aa947af156a191e0eeeea9497ab2bfaf15447c17 | pdf-javascript-stream | PDF /JS object 110 at offset 0x212E | 1934 bytes |
| javascript_obj0111_025.js | a0021eba2d9841d837ba9ca37bba2fb1b0a490ebaa153a2bf6346a7105151d3d | pdf-javascript-stream | PDF /JS object 111 at offset 0x2407 | 738 bytes |
| javascript_obj0169_026.js | d73fdb4694d7391e5b1beed2b05c068b3687145044153a826804adac9b5e8b9a | pdf-javascript-stream | PDF /JS object 169 at offset 0x12794 | 1365 bytes |
| javascript_obj0173_027.js | 949c563f9f514a771ef6beaaae039e87224d5f5266e3f54e2373e4b3b359931d | pdf-javascript-stream | PDF /JS object 173 at offset 0x12B21 | 2535 bytes |
| javascript_obj0193_028.js | 336d4c595a49351c3600274f8a059bd127025fc217272ef23193ed9eee05ac9a | pdf-javascript-stream | PDF /JS object 193 at offset 0x13563 | 649 bytes |
| stream_010_off000037f6.bin | e254f5633f8f32426a68ec463baee46e8c0a027fe2788cab1e596e4810cf5b99 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x37F6 | 129618 bytes |

Detection detail (expanded under the javascript_obj0105_019.js row in the original layout):
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).