Verdict: MALICIOUS
Risk Score: 116
MITRE ATT&CK: T1059.001 PowerShell

Malware Insights
The PDF file contains multiple embedded JavaScript streams, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript appears to be obfuscated, as suggested by the EXTRACTED_FILE_STATIC_TRIAGE heuristic. The script likely attempts to download and execute a second-stage payload from a remote source. The reconstructed strings from the script, such as 'MALIGJFJNLGJNJMECEHECLPEFKMJLFLBECDBADBDBDECMCIDLLMEFIJMOBANCDJCBAANIALIGJNENMOG', are indicative of malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- JavaScript action (low, 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: `/S /JavaScript /JS (var nops='';for\(i=0;i<nnn2.length;i+=4\){c=0;for\(j=0;j<4;j++\)c=16*c+nnn2.charCodeAt\(i+j\)-65;nops+=String.fromCharCode\(c\);}) >>`
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (32)
Files carved from inside the sample during analysis. All artifacts are of kind pdf-javascript-stream; the preview column shows the first 1,000 lines of each extracted script (every script here is a single line).

| Filename | Kind | Source | Size | SHA-256 | Preview script |
|---|---|---|---|---|---|
| javascript_obj0010_001.js | pdf-javascript-stream | PDF /JS object 10 at offset 0x35DF | 40 bytes | f9ae5a33db8c7c1304813e927490f51369c0114e1b7e481ce8d3cc0f2f95f72e | `var ppp=new Array();var nnn=new Array();` |
| javascript_obj0011_002.js | pdf-javascript-stream | PDF /JS object 11 at offset 0x3645 | 90 bytes | 8970ef4f2109e41a924902366ef8e101dbfb7928580ce55c6aa19e8a0df63ac1 | `ppp[0]='MALIGJFJNLGJNJMECEHECLPEFKMJLFLBECDBADBDBDECMCIDLLMEFIJMOBANCDJCBAANIALIGJNENMOG';` |
| javascript_obj0013_004.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x372D | 54 bytes | 6b4f87cb61dbf0a551e80efb5e89fc2e20a86b79e0b559b2562c526c4a6f5570 | `ppp[2]='ICFEICAACEKJCLDGBGFMAPIJFCFDNOJNIFIJMJAOHAHC';` |
| javascript_obj0014_005.js | pdf-javascript-stream | PDF /JS object 14 at offset 0x379D | 46 bytes | 2e727335afd2bff9a14761a2083fd62566b360acf591745b36aacd7698390d25 | `ppp[3]='MLEDHMAKCMKNINOFGFFPJFFNFKLPIOMMJGLM';` |
| javascript_obj0015_006.js | pdf-javascript-stream | PDF /JS object 15 at offset 0x3805 | 50 bytes | 4e676bdc25eabac640360af5dafcae3b0385f60845a2cfbf3676feb0ad29a565 | `ppp[4]='JHPLHCAGLJCMLMDAGPJBOFADIMFCABEHFLDOAJEK';` |
| javascript_obj0016_007.js | pdf-javascript-stream | PDF /JS object 16 at offset 0x3871 | 42 bytes | 3cfc54484c7b79a57e672bf2f1e1df5d064a17d2462b3f0e198a7cc8f362b6a3 | `ppp[5]='IDCKFGNLGOAJNFICBBNLGJBLOBLBBFJI';` |
| javascript_obj0018_009.js | pdf-javascript-stream | PDF /JS object 18 at offset 0x391D | 34 bytes | d4542eb3f35b05ad8a9129f3e90834720e0d596e5957dfd449a72fcc7f2a115d | `ppp[7]='BLOFMEPONMNGPGGCNMMGAOBI';` |
| javascript_obj0019_010.js | pdf-javascript-stream | PDF /JS object 19 at offset 0x3979 | 50 bytes | 1ce5c6e250d85b82cb29e5082eb6b9b3d7e20464927f20bdfff04a3746a87706 | `ppp[8]='HHFBPOJEKAKELFACPGNNBMIHHHHPLBEMHHIBHFCE';` |
| javascript_obj0021_012.js | pdf-javascript-stream | PDF /JS object 21 at offset 0x3A35 | 39 bytes | e7fc740c12229b2c008bbce2883d61722b05e78d85c4677a8a818397fec8ed41 | `ppp[10]='LDHFBIMBDOPFFDHACMLIHOIKAHKA';` |
| javascript_obj0022_013.js | pdf-javascript-stream | PDF /JS object 22 at offset 0x3A96 | 43 bytes | 7013e7c2581e05fbe029083bc0a3fb10610d5de53b928f47f3e7ccec5be52aa6 | `ppp[11]='PJGJJKPIDNHLEAGIENGIPPFBBEPDOOFE';` |
| javascript_obj0023_014.js | pdf-javascript-stream | PDF /JS object 23 at offset 0x3AFB | 43 bytes | 4af8fa1655cd767f91747fa83b004c30ed7eee7dbf852a30169ebce85793a975 | `ppp[12]='JIJJJICJAOCEPCNMGJPNMGKEJEONBFCG';` |
| javascript_obj0027_018.js | pdf-javascript-stream | PDF /JS object 27 at offset 0x3C57 | 43 bytes | 2b1e9baa455251fc92341e7868b287347457080e9fe64e5b79f92a2c90707d84 | `ppp[16]='LHBFPLMHLAOAJDBONPKIFNJNHCBEKOJJ';` |
| javascript_obj0028_019.js | pdf-javascript-stream | PDF /JS object 28 at offset 0x3CBC | 75 bytes | 31389c4e8921b5a65d02f52def3354de6820dbe0172da52250aaf6630a188568 | `ppp[17]='LPFJFNBOLEOLJHGGFLEAGMKOPCMMEHGKFBPHMOHBEPPBGKACIEIEIBPBCHAOOLAE';` |
| javascript_obj0029_020.js | pdf-javascript-stream | PDF /JS object 29 at offset 0x3D41 | 43 bytes | e7afd28efc4101bd11fdfea60bcc536261252009a3825ffaad02a67f41078f60 | `ppp[18]='MMBIMAPODMLPOIOFIKDGEKBNGIMMBJCE';` |
| javascript_obj0030_021.js | pdf-javascript-stream | PDF /JS object 30 at offset 0x3DA6 | 99 bytes | 96817d690292410fe6727c992e2df65ba7cf34d42ce0c55345fe86e400bb3545 | `ppp[19]='MKIBCOKNDOOLNGPMHFONEHKNEGAKMFPDDGOIJMGOEIKBHEFCGOGACAPHEKMCIJFJNOGMICOGNFADHMPMBLJCLFAF';` |
| javascript_obj0032_023.js | pdf-javascript-stream | PDF /JS object 32 at offset 0x3E9C | 43 bytes | ec0bf9547a20d5ebcac37d9f4a4bb3c30b61cb83d499ba49f86997be0944e64f | `ppp[21]='LEHMGLFIPOOGOGJBFPBAGGIHCLDFCHEE';` |
| javascript_obj0033_024.js | pdf-javascript-stream | PDF /JS object 33 at offset 0x3F01 | 51 bytes | 242076078ba89766809ee0237028a62ea6e5d600bdf4fef188356275e721907c | `ppp[22]='ICEDPGAFCIGCLOKANOJPOKPJPMDDMOHADODCJOCC';` |
| javascript_obj0034_025.js | pdf-javascript-stream | PDF /JS object 34 at offset 0x3F6E | 79 bytes | 93758dbb73f56c7f3029988e0c49980735ce475c073716a394a8c057774fbe27 | `ppp[23]='JIKJPFKBNOGBEDMPICECMIENAFJLGFKDDLGEMGFONBOEBIOPLNAFMKHFMAMEBAGIFDBM';` |
| javascript_obj0035_026.js | pdf-javascript-stream | PDF /JS object 35 at offset 0x3FF7 | 83 bytes | 7e7ca0351f1d271b63b8ba3056fb99484579025fbb01ad7242e1f0e42645f2dd | `ppp[24]='BPKKNOLKNIKBCCBIOGMDFJNGAMFEFKIGDCPBPBPAEKLPBMACHMIEIPFNGIDDPMEJNPPLKLMB';` |
| javascript_obj0036_027.js | pdf-javascript-stream | PDF /JS object 36 at offset 0x4084 | 43 bytes | cee11a3f9521579524d3c40190232b2c04fd32e3364ba2df51925b7bd581651f | `ppp[25]='HAJIKMONFIOLGEPAJJDOPMJGOKIBPKGJ';` |
| javascript_obj0037_028.js | pdf-javascript-stream | PDF /JS object 37 at offset 0x40E9 | 83 bytes | 95d08abd6c623e96ea52ca4a3ba896dc9813c00f61d10f16ecb103737c8850a0 | `ppp[26]='MKJGHMIDGGAANJGCICEAMACAKKAKHEHNDBPMEJILLLLJAOBNOBEHPBGDHFOAOBMPNBGJIJMJ';` |
| javascript_obj0038_029.js | pdf-javascript-stream | PDF /JS object 38 at offset 0x4176 | 63 bytes | 935af0040d46cef01c5c606781eaaa9c88baf9825f8281310578d48017916995 | `ppp[27]='LMOHCNDGODNBFPLIJOOHAEFAEMCFFNEDANNDKHOLHHMGIBCECAIP';` |
| javascript_obj0039_030.js | pdf-javascript-stream | PDF /JS object 39 at offset 0x41EF | 95 bytes | ed6e5d524db12d34b0773dbfc980300ae2e14d49f5e31f1cc533a5e76aa99dec | `ppp[28]='KFLLPGDMOKBLJECHDNIJMDBMBBLNKOJPCDNKNJFMNBAELLANGAHENBINIIJBGNIGFIKJHBLDKKJEOFANNACE';` |
| javascript_obj0040_031.js | pdf-javascript-stream | PDF /JS object 40 at offset 0x4288 | 51 bytes | bd8631617b6037111385d7544da8ca2aa429158ff69ef4228564e357e4734adf | `ppp[29]='ANCAPHLENEDIKAFKPNPFCFFJBBJNHCBLDNIPPIEM';` |
| javascript_obj0041_032.js | pdf-javascript-stream | PDF /JS object 41 at offset 0x42F5 | 43 bytes | 093ae9b3084e69d019729c91a332a3062efcc662730a1bd7aa71f928df13f22f | `ppp[30]='OCHAEODHKAKBHJPFPDHGMNPLMKKKIPAP';` |
| javascript_obj0042_033.js | pdf-javascript-stream | PDF /JS object 42 at offset 0x435A | 99 bytes | f8249ab76b0c80f7720608b5d0bcaf829cf44b40309b94493d4d82d5ff955bec | `ppp[31]='GCFBFNIEAKFPDFEJHMCJDEODBBHBHNPJHGHGGMMIKNCDODBLJGBIBFKIPIIBOHFGEEMFEKKNGEEBHLHGAKCDPLME';` |
| javascript_obj0043_034.js | pdf-javascript-stream | PDF /JS object 43 at offset 0x43F7 | 55 bytes | bd82837f71768c16adabbbf27a1946629f5abd118274707e358229bf966bc11f | `ppp[32]='HFLGFIDCNCACLDHMGKKEHGHHGMJBDKKLMCHAHBMJIHMK';` |
| javascript_obj0044_035.js | pdf-javascript-stream | PDF /JS object 44 at offset 0x4468 | 87 bytes | f91c2a2ba0b5299e898c3b67ffd0f663b6598ce257136250a711779d8a4e1749 | `ppp[33]='JJFFDFBGPLGLAJCOMKNLDHEOIGBNLIJMJEDJGIEEMKLJFAFFLDJPKKPCPCFIEEPOMNJBGEKNKNDI';` |
| javascript_obj0049_040.js | pdf-javascript-stream | PDF /JS object 49 at offset 0x4622 | 49 bytes | 5919c0d1d84a5a746be9f27963881ad88d4190b52b00795a7bba41f91757774f | `var pay='';for (i=0;i<ppp.length;i++)pay+=ppp[i];` |
| javascript_obj0050_041.js | pdf-javascript-stream | PDF /JS object 50 at offset 0x468F | 51 bytes | 9882b77792295f132527561d187f85c94b2cd973564768e464959f18c36b3adf | `var nnn2='';for (i=0;i<nnn.length;i++)nnn2+=nnn[i];` |
| javascript_obj0051_042.js | pdf-javascript-stream | PDF /JS object 51 at offset 0x46FE | 121 bytes | d0c51bf80c2b774fd7e3f148d01ffbc945e29725fa0df8312c7ee2e2af01f03e | `var nops='';for(i=0;i<nnn2.length;i+=4){c=0;for(j=0;j<4;j++)c=16*c+nnn2.charCodeAt(i+j)-65;nops+=String.fromCharCode(c);}` |
| javascript_obj0052_043.js | pdf-javascript-stream | PDF /JS object 52 at offset 0x47B9 | 119 bytes | b1b2b43288ce70ec200b2f13b08007f27b53e440ecc0d66f3597d77149e048d4 | `var coqu='';for(i=0;i<pay.length;i+=4){c=0;for(j=0;j<4;j++)c=16*c+pay.charCodeAt(i+j)-65;coqu+=String.fromCharCode(c);}` |

Detection results were reported for two of the carved artifacts, javascript_obj0051_042.js and javascript_obj0052_043.js. For each: ClamAV found no threats; obfuscation or payload is rated likely, because the carved artifact contains 1 eval/decoder/string-building token.