Verdict: MALICIOUS
Risk Score: 70
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file triggered high severity heuristics for generic JavaScript exploit stage recovery and was flagged by an ML classifier with high confidence. The deobfuscated JavaScript content indicates it is designed to download and execute a secondary payload, likely exploiting a PDF vulnerability. The specific JavaScript files recovered are considered the primary IOCs.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics 1
- Generic recovered JavaScript exploit stage (severity: high, rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename (hash) | Kind | Source | Size |
|---|---|---|---|
| generic_stage_recovery_000.js (5a3d618cc83fec1f8003eb2530912f02e653c5baeb1d26e88be81e583830516a) | deobfuscated-js | generic stage recovery percent-decode from decompressed stream at 0x73 at offset 0x73 | 1966 bytes |
| generic_stage_recovery_001.js (345e044131a08dd1ac7b741746371cfb4c09687390f7933c077c708a4212a1db) | deobfuscated-js | generic stage recovery percent-decode -> percent-decode from decompressed stream at 0x73 at offset 0x73 | 1896 bytes |
| legacy_pdfkit_stage_000.js (82e437a34ffd7a5adea747c29400e59651eeab351c671fa9b3baf778b23b0fa0) | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x73 | 155 bytes |