Verdict: MALICIOUS (risk score 78)

Digital signature: modified after signing. A signature covers the whole signed byte range (PDF JavaScript is never signed on its own) and does not by itself mean the document is safe.

Machine learning: Nyx PDF Classifier malicious score 0.8288
Heuristics (6)

- Active content added after the PDF was signed [medium] PDF_SIGNATURE_POST_SIGN_MODIFICATION: An incremental update appended after the signed byte range introduces active content (/JavaScript, /JS, /AA). Some of this can occur in legitimate form-fill (field scripts, a rewritten /Catalog), so it is suspicious rather than damning, but it is content the signer did not approve.
- JavaScript action [low, 1 related finding] PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low] PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON: PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake "Download" or "Open" button overlays used in PDF phishing lures.
- Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label says which path (macro, JS, link annotation, document body, ...) reached each URL. Several entries were carved as one string holding more than one URL and some carried adjoining text ("Monotype", "Howard", "NOTIFICATION") or a trailing "0"; the list below is split, deduplicated and stripped of that residue.

  | URL | Channel |
  |---|---|
  | http://www.monotype.com | Referenced by PDF JavaScript |
  | http://www.monotype.com/html/type/license.html | Referenced by PDF JavaScript |
  | http://www.monotype.com/html/mtname/ms_arial.html | Referenced by PDF JavaScript |
  | http://www.monotype.com/html/mtname/ms_couriernew.html | Referenced by PDF JavaScript |
  | http://www.monotype.com/html/mtname/ms_welcome.html | Referenced by PDF JavaScript |
  | http://www.microsoft.com/typography | Referenced by PDF JavaScript |
  | http://www.microsoft.com/truetype/ | Referenced by PDF JavaScript |
  | https://www.verisign.com | Referenced by PDF JavaScript |
  | https://www.verisign.com/rpa | Referenced by PDF JavaScript |
  | https://www.verisign.com/CPS | Referenced by PDF JavaScript |
  | https://www.verisign.com/repository/RPA | Referenced by PDF JavaScript |
  | https://www.verisign.com/repository/CPS | Referenced by PDF JavaScript |
  | https://www.verisign.com/repository/verisignlogo.gif | Referenced by PDF JavaScript |
  | http://ocsp.verisign.com/ocsp/status | Referenced by PDF JavaScript |
  | http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl | Referenced by PDF JavaScript |
  | http://www.w3.org/1999/02/22-rdf-syntax-ns# | In PDF document text |
  | http://ns.adobe.com/xap/1.0/ | In PDF document text |
  | http://purl.org/dc/elements/1.1/ | In PDF document text |
  | http://ns.adobe.com/pdf/1.3/ | In PDF document text |
  | http://ns.adobe.com/xap/1.0/mm/ | In PDF document text |

  Caveat for triage: none of these is a payload or callback host. The five document-text URLs are the RDF/XMP namespace URIs of the metadata packet. The JavaScript-channel set is, by content, the Monotype licence text and vendor strings found in the name table of Arial and Courier New, plus the certificate-policy (rpa, CPS), OCSP and CRL URLs of a code-signing certificate chain; the trailing "0" on several of them is the 0x30 SEQUENCE tag of the next DER field, which is how URLs look when carved out of an ASN.1-encoded certificate. That is the signature of embedded font data, not of a downloader, whatever channel the carver attributed the strings to.
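The two structural findings above (active content appended after the signed byte range, and an object number redefined with a different body) are both things a linear scan of the file can check without a full PDF parser. The following is an added example, not part of the report or of the analyzer's own rules. It builds a hypothetical, minimal signed PDF skeleton (no xref tables, placeholder /Contents blob) and then appends two kinds of incremental update: one that redefines a /Btn field with a /JavaScript action and adds a /JS stream, and a benign one that only sets the field's /V. The scanner reproduces the report's severity logic: post-signature active content is medium, a differing duplicate body on its own is info. Object numbers, field names and the `app.alert` payload are constructed for the example.

```python
import re
from collections import defaultdict

# --- Constructed sample (hypothetical skeleton, not the analysed file) -----------
# A signed base document (object 5 is a plain /Btn field) followed by an incremental
# update that redefines object 5 with a /JavaScript action and adds the /JS stream.
# xref tables are omitted: the scanner walks objects linearly, as a carver does.
def build_constructed_sample():
    head = (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm 4 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
            b"4 0 obj\n<< /Fields [5 0 R] /SigFlags 3 >>\nendobj\n"
            b"5 0 obj\n<< /FT /Btn /T (submit) /Ff 65536 >>\nendobj\n"
            b"6 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached\n")
    br_tpl = b"/ByteRange [0 %010d %010d %010d]\n/Contents "
    hex_sig = b"<" + b"00" * 16 + b">"          # placeholder CMS blob, 34 bytes with delimiters
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    a = len(head) + len(br_tpl % (0, 0, 0))     # offset of '<': first signed range is [0, a)
    b = a + len(hex_sig)                        # second signed range starts just past '>'
    signed = head + (br_tpl % (a, b, len(tail))) + hex_sig + tail
    js = b"app.alert('hi');"                    # constructed script body
    update = (b"5 0 obj\n<< /FT /Btn /T (submit) /Ff 65536 "
              b"/A << /S /JavaScript /JS 7 0 R >> >>\nendobj\n"
              b"7 0 obj\n<< /Length %d >>\nstream\n%s\nendstream\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%%%EOF\n" % (len(js), js))
    benign = (b"5 0 obj\n<< /FT /Btn /T (submit) /Ff 65536 /V /Yes >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return signed, update, benign

SIGNED_PART, UPDATE, BENIGN_UPDATE = build_constructed_sample()
SAMPLE = SIGNED_PART + UPDATE

# --- Scanner ---------------------------------------------------------------------
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|AA|Launch|SubmitForm|URI)(?![A-Za-z])")

def signed_end(pdf):
    """End offset of the outermost signed byte range (B + C), or None if unsigned."""
    ends = [int(m.group(3)) + int(m.group(4)) for m in BYTERANGE_RE.finditer(pdf)]
    return max(ends) if ends else None

def objects(pdf):
    """(num, gen, body, offset) for every 'N G obj ... endobj' in file order, ignoring xref."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(pdf)]

def post_sign_active_content(pdf):
    """Objects that start after the signed range and carry action or script keys."""
    end = signed_end(pdf)
    if end is None:
        return []
    out = []
    for num, gen, body, off in objects(pdf):
        keys = sorted({m.group(1).decode() for m in ACTIVE_RE.finditer(body)})
        if off >= end and keys:
            out.append((num, gen, keys))
    return out

def duplicate_bodies(pdf):
    """Object ids defined more than once with different bytes."""
    seen = defaultdict(list)
    for num, gen, body, _ in objects(pdf):
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}

def resolve(pdf, num, gen=0, policy="last"):
    """What a first-wins reader (linear carver) versus a last-wins reader
    (xref-following viewer that trusts the update) returns for the same reference."""
    bodies = [b for n, g, b, _ in objects(pdf) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]

def triage(pdf):
    """Severity logic from the report: post-sign active content -> medium,
    differing duplicate bodies without active content -> info, otherwise none."""
    if post_sign_active_content(pdf):
        return "medium"
    if duplicate_bodies(pdf):
        return "info"
    return "none"

if __name__ == "__main__":
    print("signed bytes end at", signed_end(SAMPLE), "of", len(SAMPLE))
    print("post-sign active content:", post_sign_active_content(SAMPLE))
    print("first-wins obj 5:", resolve(SAMPLE, 5, policy="first"))
    print("last-wins  obj 5:", resolve(SAMPLE, 5, policy="last"))
    print("verdicts:", triage(SAMPLE), triage(SIGNED_PART + BENIGN_UPDATE), triage(SIGNED_PART))
```

The check deliberately uses the file offset of each object against the end of the signed range rather than the xref chain, because an attacker controls the appended xref and a carver cannot trust it; the false-positive guard is the same one the report applies, which is that a redefined body only escalates when it brings action keys with it.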
Extracted artifacts (32)

Files carved from inside the sample during analysis. All 32 are listed; the gaps in the filename index are the carver's own numbering. Note the offsets: objects 22 to 349 sit at higher file offsets (0x2E45A onward) than objects 581 to 944, i.e. low-numbered objects were written late in the file, which is what an incremental update that redefines existing objects looks like.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0581_000.js | pdf-javascript-stream | PDF /JS object 581 at offset 0x5F37 | 242 bytes | cfcec381f8bf0646cd3df803cdd51dc502f082522034131621be5106adf7485c |
| javascript_obj0590_001.js | pdf-javascript-stream | PDF /JS object 590 at offset 0x61E1 | 37 bytes | 5933ca82ad3e6bb3ddfba3ac8d6a529892142da6d5bcaf33ae2486d238cc5aae |
| javascript_obj0597_002.js | pdf-javascript-stream | PDF /JS object 597 at offset 0x6350 | 256 bytes | db645969c141056ae93808bf6dfe857a11e9360547adeb24d5a3631692c5b77a |
| javascript_obj0888_003.js | pdf-javascript-stream | PDF /JS object 888 at offset 0x297F0 | 57 bytes | f2b333f0c9e4ef37ebf7da291342abeb95f847bba92b3c4147f1356b08971fc7 |
| javascript_obj0893_004.js | pdf-javascript-stream | PDF /JS object 893 at offset 0x29E1A | 36 bytes | 022fdac1f75a7ab94bc7f61a4b3587a030ec02eca5cb1fc3e9cbae6d1fce704e |
| javascript_obj0902_005.js | pdf-javascript-stream | PDF /JS object 902 at offset 0x2A36B | 66 bytes | 2a6fef7fa7b08b1d453dfddac9a45a4cd9d5795586c0b0d781c1033e27d882ca |
| javascript_obj0903_006.js | pdf-javascript-stream | PDF /JS object 903 at offset 0x2A3E1 | 130 bytes | d01b44ce3b05afa71d61b1314f5ab9e9a417df4a7b04f6f9b10a6e8c48ac97ad |
| javascript_obj0904_007.js | pdf-javascript-stream | PDF /JS object 904 at offset 0x2A49F | 81 bytes | 94eea748a6cea27ca19d8e4cfe4a7fc3f492c8bd457d11b50ec029d85ef31c9c |
| javascript_obj0917_008.js | pdf-javascript-stream | PDF /JS object 917 at offset 0x2AD6E | 64 bytes | 6740a7f5aa2a036211c944166a16e9907c4500e9c5e83eea96e31189b504c378 |
| javascript_obj0919_009.js | pdf-javascript-stream | PDF /JS object 919 at offset 0x2AE98 | 64 bytes | a119d21406cd732371ccce6b74d89683ff95bc8b862877d382b8a6d9db71cfa6 |
| javascript_obj0925_010.js | pdf-javascript-stream | PDF /JS object 925 at offset 0x2B2BF | 69 bytes | 831cf2ef45a05d5da6b98c9364a6ff90bf93adcf4385b22218676ed343b12d29 |
| javascript_obj0926_011.js | pdf-javascript-stream | PDF /JS object 926 at offset 0x2B336 | 110 bytes | a82ec1938a67ea955cb49c3b582aafc3ce0a747792933e0984bc1ce8d919c2f7 |
| javascript_obj0932_012.js | pdf-javascript-stream | PDF /JS object 932 at offset 0x2B71F | 64 bytes | a2026eaded872d408de1a0727d59b2a14e5cda0f8e2eab6818b91f6fd62e8a26 |
| javascript_obj0934_013.js | pdf-javascript-stream | PDF /JS object 934 at offset 0x2B849 | 64 bytes | 7b89437e0442a88faa488bbb58c03bb421bfc737430918f370b174b3edb629d8 |
| javascript_obj0940_014.js | pdf-javascript-stream | PDF /JS object 940 at offset 0x2BC72 | 69 bytes | c3e2392d693892f0030f19c4b43a693f9a443a73a42b2bb7d225c3ac271980c0 |
| javascript_obj0941_015.js | pdf-javascript-stream | PDF /JS object 941 at offset 0x2BCE9 | 110 bytes | 0d70bcd1df805b4b019a399ee49bb4bfbdc6fd825d37d2fa02fd867c6d2650e7 |
| javascript_obj0944_016.js | pdf-javascript-stream | PDF /JS object 944 at offset 0x2BF85 | 49 bytes | 5917f27db86b92b79537cfa334727ac95a1009b0f3e56d98fa01107a42434ec5 |
| javascript_obj0022_020.js | pdf-javascript-stream | PDF /JS object 22 at offset 0x2E45A | 57 bytes | 5ec848ad6ef70ea6201cd4fed778e5d7484cc628574e50642d3be469cdab1bdb |
| javascript_obj0023_021.js | pdf-javascript-stream | PDF /JS object 23 at offset 0x2E4C6 | 99 bytes | 4d75f414b1ca527a9a418178d2f9383f5bc446a8e656b331266d67bfe924b2a9 |
| javascript_obj0028_022.js | pdf-javascript-stream | PDF /JS object 28 at offset 0x2E8C2 | 51 bytes | e59e16daf6a5ad36f09de162318ff1a6d7308aefa76f056dfb911d3591738eb7 |
| javascript_obj0029_023.js | pdf-javascript-stream | PDF /JS object 29 at offset 0x2E922 | 51 bytes | 85fa3db4d3b889053dfa749c6089d8a98c65fe129dab4139b0647470c85353e6 |
| javascript_obj0035_025.js | pdf-javascript-stream | PDF /JS object 35 at offset 0x2EBA1 | 91 bytes | 54ca76c214d8e79e4ddc1eb463fec3531d3b113d2976de190663a4de3758281c |
| javascript_obj0037_026.js | pdf-javascript-stream | PDF /JS object 37 at offset 0x2ED23 | 38 bytes | ae95d6581723cae0c2c1e3044a60f6c91e032264799b53449cd6269e6993d7bc |
| javascript_obj0049_029.js | pdf-javascript-stream | PDF /JS object 49 at offset 0x2F2E9 | 48 bytes | 3f5b948245d466b4589d006687ffd3524f59a9965170729175cb5bd633b59ca6 |
| javascript_obj0060_030.js | pdf-javascript-stream | PDF /JS object 60 at offset 0x2FFD5 | 39 bytes | ec2a2053e3b84f56547297825efbc1437665e1884725db8d77e914a1ce3cc9f7 |
| javascript_obj0084_031.js | pdf-javascript-stream | PDF /JS object 84 at offset 0x31152 | 44 bytes | b59826645745de2a2451953793ba6d111f30741fa33fc89421e5b9ba47e5767d |
| javascript_obj0136_035.js | pdf-javascript-stream | PDF /JS object 136 at offset 0x335CD | 41 bytes | 617ef4da07d9bc9d4e06a2320fe0d4cbacd3d6c2cc82039cf4e79e7facf7545f |
| javascript_obj0162_037.js | pdf-javascript-stream | PDF /JS object 162 at offset 0x34965 | 41 bytes | 3e3d0e421d915769fa631911550fb2593579e6bb9a99fb9158381ac8e8f07fe2 |
| javascript_obj0197_039.js | pdf-javascript-stream | PDF /JS object 197 at offset 0x3643E | 48 bytes | 57a5ede2bbb812b0e91f49bc7f70a9b8aa69e02d7d36a4cd9d9c1cfafdbbb257 |
| javascript_obj0267_040.js | pdf-javascript-stream | PDF /JS object 267 at offset 0x39919 | 42 bytes | 40af22c566b45f66fde72d79348c326b8e7933a50e8c3ad3de475195aac9dacb |
| javascript_obj0293_041.js | pdf-javascript-stream | PDF /JS object 293 at offset 0x3ACEA | 38 bytes | d01aa0c07a077ec23f69b8fd9ccdaa6826882e0b2e7e446039ebdd1d983fffcc |
| javascript_obj0349_042.js | pdf-javascript-stream | PDF /JS object 349 at offset 0x3D973 | 68 bytes | 1a21e7fdc3c88a60142a82274de85f91d7ad2a2f79a270ff578e3c3ae8198619 |

Script previews (first 1,000 lines of each extracted script, which here is the whole script; object 893 has no preview). Czech comments are translated, the one mis-encoded alert string is repaired, and previews whose two lines were run together during extraction are split; otherwise the scripts are as carved. What they show: AFNumber_Format and AFNumber_Keystroke are Acrobat's built-in field format/keystroke helpers, the field names (b12c96nf..., Rok = year, Prijmeni = surname) and strings point to a Czech form, and oddo, kstroke, vymzak and formatt are form-local helpers whose definitions are not among the carved streams. None of the previewed code calls a privileged or historically exploited Acrobat API, and no dangerous-API heuristic fired, so the medium severity rests on where the scripts sit (after the signature) rather than on what they do.

```javascript
// --- javascript_obj0581_000.js (PDF /JS object 581) ---
// returns true if the character ch occurs in the string values, otherwise false
function charIn(ch, values)
{
  for ( var t = 0; t < values.length; t++)
  {
    if ( ch == values.substr(t,1)) { return true; }
  }
  return false;
}

// --- javascript_obj0590_001.js (PDF /JS object 590) ---
function TFNK(bs,bt,bc)
{
}

// --- javascript_obj0597_002.js (PDF /JS object 597) ---
function TFANP(bv,bf,bn,bc)
{
}
var TF_SPECIAL="@#$%&()*+-,./;:";
// the Czech accented letters in the string below are mis-encoded in the carved copy and are left as extracted
if(!TF_ALPHA||!TF_ALPHA.length)
TF_ALPHA=" ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzA��A�AA�E�E�I��I.NO��O�OU�U��.�a��a�aa�e�e�i��i.no��o�ou�u��.\r\n";

// --- javascript_obj0888_003.js (PDF /JS object 888) ---
//this.getField("b12c96nfPrijmeni").setFocus();

// --- javascript_obj0893_004.js (PDF /JS object 893): no preview on the page ---

// --- javascript_obj0902_005.js (PDF /JS object 902) ---
oddo("b12c96nfVCod", "b12c96nfVCdo", "b12c96nfZapDny",0)

// --- javascript_obj0903_006.js (PDF /JS object 903) ---
var year = this.getField("b12c96nfRok");
if (year.value=="")
{
  app.alert("Musíte vyplnit rok!",1,0);   // Czech: "You must fill in the year!"
  year.setFocus();
}

// --- javascript_obj0904_007.js (PDF /JS object 904) ---
oddo("b12c96nfVCod", "b12c96nfVCdo", "b12c96nfZapDny", 1)

// --- javascript_obj0917_008.js (PDF /JS object 917) ---
oddo("b12c96nfVCod_2", "b12c96nfVCdo_2", "b12c96nfZapDny_2",0)

// --- javascript_obj0919_009.js (PDF /JS object 919) ---
oddo("b12c96nfVCod_2", "b12c96nfVCdo_2", "b12c96nfZapDny_2",1)

// --- javascript_obj0925_010.js (PDF /JS object 925) ---
vymzak();
this.getField("b12c96nfVymZak_2").alignment = "right";

// --- javascript_obj0926_011.js (PDF /JS object 926) ---
this.getField("b12c96nfVymZak_2").alignment = "left";
this.getField("b12c96nfVymZak_2").alignment = "left";   // line is duplicated in the carved script

// --- javascript_obj0932_012.js (PDF /JS object 932) ---
oddo("b12c96nfVCod_3", "b12c96nfVCdo_3", "b12c96nfZapDny_3",0)

// --- javascript_obj0934_013.js (PDF /JS object 934) ---
oddo("b12c96nfVCod_3", "b12c96nfVCdo_3", "b12c96nfZapDny_3",1)

// --- javascript_obj0940_014.js (PDF /JS object 940) ---
vymzak();
this.getField("b12c96nfVymZak_3").alignment = "right";

// --- javascript_obj0941_015.js (PDF /JS object 941) ---
this.getField("b12c96nfVymZak_3").alignment = "left";
this.getField("b12c96nfVymZak_3").alignment = "left";   // line is duplicated in the carved script

// --- javascript_obj0944_016.js (PDF /JS object 944) ---
this.getField("b12c96nfDatVyhELDP").setFocus;   // setFocus is referenced, not called (no parentheses), so this handler has no effect

// --- javascript_obj0022_020.js (PDF /JS object 22) ---
// <cardiff:dbtype name="text"/>
TFANP(0,1,0,0);

// --- javascript_obj0023_021.js (PDF /JS object 23) ---
kstroke(0,1,"+sdpmnrabcdefSDPMNRABCDEF"); event.change = event.change.toUpperCase();

// --- javascript_obj0028_022.js (PDF /JS object 28) ---
// <cardiff:dbtype name="text"/>
TFANP(0,1,0,0);

// --- javascript_obj0029_023.js (PDF /JS object 29) ---
// <cardiff:dbtype name="text"/>
TFANP(1,0,0,0);

// --- javascript_obj0035_025.js (PDF /JS object 35) ---
kstroke(0,1,"+sdpmnrabcdefSDPMNRABCDEF"); event.change = event.change.toUpperCase();

// --- javascript_obj0037_026.js (PDF /JS object 37) ---
AFNumber_Format(0, 0, 0, 0, "", true);

// --- javascript_obj0049_029.js (PDF /JS object 49) ---
// <cardiff:dbtype name="text"/>
TFNK(0,1,0);

// --- javascript_obj0060_030.js (PDF /JS object 60) ---
AFNumber_Format(0, 1, 1, 0, "", false);

// --- javascript_obj0084_031.js (PDF /JS object 84) ---
event.value = formatt(event.value, 3, " ")

// --- javascript_obj0136_035.js (PDF /JS object 136) ---
AFNumber_Keystroke(0, 0, 0, 0, "", true);

// --- javascript_obj0162_037.js (PDF /JS object 162) ---
AFNumber_Keystroke(0, 1, 0, 0, "", true);

// --- javascript_obj0197_039.js (PDF /JS object 197) ---
// <cardiff:dbtype name="text"/>
TFNK(1,1,0);

// --- javascript_obj0267_040.js (PDF /JS object 267) ---
AFNumber_Keystroke(0, 1, 1, 0, "", false);

// --- javascript_obj0293_041.js (PDF /JS object 293) ---
AFNumber_Format(0, 1, 0, 0, "", true);

// --- javascript_obj0349_042.js (PDF /JS object 349) ---
kstroke(0,1,""); event.change = event.change.toUpperCase();
```
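The report's low-severity JavaScript findings say that generic script is common in forms and that "specific dangerous APIs are scored by separate rules". The following is an added example of what such a rule layer looks like, written for this page and not the analyzer's own code. It scores a carved script on two axes: calls into Acrobat JavaScript entry points that have an exploitation history or that reach outside the document (names only, no version or identifier claims), and the obfuscation shapes a heap-spray loader needs (a long `unescape("%u....")` literal, `String.fromCharCode` chains, `eval`). It is run over three of the previews above, copied verbatim, and over one constructed hostile snippet that is not from this sample.

```python
import re

# Acrobat JavaScript entry points worth a separate rule: ones that leave the document
# and ones that have been exploitation targets in older readers. Names only.
DANGEROUS_API = {
    "outbound": [r"\bapp\.launchURL\b", r"\bsubmitForm\b", r"\bapp\.mailMsg\b",
                 r"\bexportDataObject\b", r"\bapp\.openDoc\b"],
    "exploit":  [r"\butil\.printf\b", r"\bCollab\.\w+", r"\bmedia\.newPlayer\b",
                 r"\bspell\.customDictionaryOpen\b", r"\bgetAnnots\b", r"\bgetIcon\b",
                 r"\bapp\.doc\.printSeps\b"],
}
# Shapes a shellcode loader needs and a form script never does.
OBFUSCATION = [
    (r"unescape\s*\(\s*['\"](%u[0-9a-fA-F]{4}){8,}", "unescape(%u...) shellcode literal"),
    (r"(String\.fromCharCode\s*\([^)]*\)\s*\+\s*){3,}", "fromCharCode concatenation chain"),
    (r"\beval\s*\(", "eval()"),
]
# Built-in field helpers and UI calls that the carved form scripts rely on.
BENIGN_HELPERS = re.compile(
    r"\b(?:AFNumber_(?:Format|Keystroke)|AFDate_\w+|getField|setFocus|app\.alert)\b")

def score_script(src):
    """Classify one script: 'dangerous-api', 'review' (obfuscated only) or 'form-script'."""
    dangerous = {cat: sorted({m.group(0) for pat in pats for m in re.finditer(pat, src)})
                 for cat, pats in DANGEROUS_API.items()}
    dangerous = {cat: hits for cat, hits in dangerous.items() if hits}
    obfuscation = [label for pat, label in OBFUSCATION if re.search(pat, src)]
    benign_calls = len(BENIGN_HELPERS.findall(src))
    if dangerous:
        verdict = "dangerous-api"
    elif obfuscation:
        verdict = "review"
    else:
        verdict = "form-script"
    return {"dangerous": dangerous, "obfuscation": obfuscation,
            "benign_calls": benign_calls, "verdict": verdict}

def triage_all(scripts):
    """Map each carved script name to its verdict."""
    return {name: score_script(src)["verdict"] for name, src in scripts.items()}

# Three previews from the carved scripts above, copied verbatim.
PAGE_SCRIPTS = {
    "javascript_obj0581_000.js": (
        "function charIn(ch, values)\n{\n"
        "  for ( var t = 0; t < values.length; t++)\n  {\n"
        "    if ( ch == values.substr(t,1)) { return true; }\n  }\n"
        "  return false;\n}\n"),
    "javascript_obj0903_006.js": (
        'var year = this.getField("b12c96nfRok");\nif (year.value=="")\n{\n'
        '  app.alert("Musíte vyplnit rok!",1,0);\n  year.setFocus();\n}\n'),
    "javascript_obj0037_026.js": 'AFNumber_Format(0, 0, 0, 0, "", true);\n',
}
# Constructed hostile snippet (not from this sample): the shape of a util.printf spray loader.
HOSTILE = ('var s = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%uc931%udb31");\n'
           'var b = "";\nwhile (b.length < 0x10000) b += s;\n'
           'util.printf("%45000f", 0);\n')

if __name__ == "__main__":
    for name, verdict in triage_all(PAGE_SCRIPTS).items():
        print(name, "->", verdict)
    print("constructed hostile snippet ->", score_script(HOSTILE))
```

Run over the page's previews every script lands in `form-script` with no dangerous hit, which matches the report: the low JavaScript findings are generic, and the escalation comes from the structural PDF_SIGNATURE_POST_SIGN_MODIFICATION rule, not from the script contents.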