Verdict: MALICIOUS
Risk Score: 136
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1204.002 Malicious File
The PDF file contains multiple JavaScript streams that utilize eval() calls, indicating an attempt to execute arbitrary code. The PDF_JS_EXPLOIT_CLUSTER and PDF_EVAL heuristics strongly suggest a JavaScript-based exploit. While the specific payload is not directly observable, the presence of JavaScript actions and embedded scripts points to a malicious intent to leverage these vulnerabilities. The embedded URLs, though currently benign, are often used as lures or for initial staging in such attacks.
Machine Learning
- Nyx PDF Classifier clean score 0.2163
Heuristics (8)
- PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- eval() call (high, PDF_EVAL): eval() found, commonly used for obfuscated exploit execution (matched inside decoded stream).
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Optional Content Group with action trigger (low, PDF_OPTIONAL_CONTENT): Optional Content Group (layer) co-occurs with an action trigger; content can be selectively hidden from viewers or scanners while the action still fires on open.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0148_000.js | 83c0f6e70f15f0811fe9bca8f848875315992e4430124e2c05146ab5cab62b9b | pdf-javascript-stream | PDF /JS object 148 at offset 0xA9F9 | 247 bytes |
| javascript_obj0152_001.js | 627a95565daeca12e5d4aa2e083aa918a9ee5542653be13b8a73df9267af3532 | pdf-javascript-stream | PDF /JS object 152 at offset 0xACAA | 96 bytes |
| javascript_obj0153_002.js | 061c94457d27209aeab494aad4f1992407954466aa111daf38979f86a1e3a131 | pdf-javascript-stream | PDF /JS object 153 at offset 0xAD97 | 38 bytes |
| javascript_obj0154_003.js | bd812e568a87811e555291a087577bfd1ace3fe5a869cd76d3b01260c08d05c7 | pdf-javascript-stream | PDF /JS object 154 at offset 0xAE10 | 41 bytes |
| javascript_obj0155_004.js | 2d0ca43c76b7106ce7dd5b7593bebe1b0b966ffec0b132fd4ab33c63d53e92e7 | pdf-javascript-stream | PDF /JS object 155 at offset 0xAE8F | 41 bytes |
| javascript_obj0156_005.js | 8998452e2ceaea38e14c61a840c9c6c601c79d902317959db33038a43c62c25c | pdf-javascript-stream | PDF /JS object 156 at offset 0xAEE7 | 247 bytes |
| javascript_obj0160_006.js | 3ed84b8cc99b6f0fc2cf0db54d0f037ad85d9cf87db2f191763eb131b0e2c14a | pdf-javascript-stream | PDF /JS object 160 at offset 0xB198 | 96 bytes |
| javascript_obj0161_007.js | 52aed06e97dbd715b737d4bc70b09dddc4fe4eb97f0c9a060d75b79df92631d1 | pdf-javascript-stream | PDF /JS object 161 at offset 0xB285 | 38 bytes |
| javascript_obj0162_008.js | 95942488b5201ed74ecfbe6fe2f4585a1603aee6890e204b1b2eee51c12692af | pdf-javascript-stream | PDF /JS object 162 at offset 0xB2FE | 41 bytes |
| javascript_obj0163_009.js | 764b040686c250638c311cb760d93922f387844a2bd36fef986b10aa4df222be | pdf-javascript-stream | PDF /JS object 163 at offset 0xB37D | 41 bytes |
| javascript_obj0164_010.js | 2f19786ca57f3af314a626814b46d3befc8c1bedc0c7ece44704116de2713ec6 | pdf-javascript-stream | PDF /JS object 164 at offset 0xB3D5 | 247 bytes |
| javascript_obj0168_011.js | 12a5a7b8506a26463ff7d6872c43773ac6347b7959f3ecbc0dd514b03b219180 | pdf-javascript-stream | PDF /JS object 168 at offset 0xB686 | 96 bytes |
| javascript_obj0169_012.js | 952b8cb78d6b68dcbecb294bd5f57555c164683e09cf43fe175f2c8fd2cde1c3 | pdf-javascript-stream | PDF /JS object 169 at offset 0xB773 | 38 bytes |
| javascript_obj0170_013.js | a221309ee2232152c8f644d61b60f09a543a0101650bec42857790028f8189d2 | pdf-javascript-stream | PDF /JS object 170 at offset 0xB7EC | 41 bytes |
| javascript_obj0171_014.js | e0fcd3b12f9017f3ba627853e66cdee93bf0339166cd02ecd4c20fe6d65a2867 | pdf-javascript-stream | PDF /JS object 171 at offset 0xB86B | 41 bytes |
| javascript_obj0172_015.js | 1c603f31d8770447dbd837f479b220b0bc30be3b2a156130e0799357b3f7d3bc | pdf-javascript-stream | PDF /JS object 172 at offset 0xB8C3 | 247 bytes |
| javascript_obj0176_016.js | 65ce8cd25a66d3e6f1fc402868d04c04d397eb4c8d70d82273c972b17307caed | pdf-javascript-stream | PDF /JS object 176 at offset 0xBB74 | 96 bytes |
| javascript_obj0177_017.js | 78ad7caad7701040f42868635b9b8d2b05ccd89ce79d2a045eb1fe45160bbd5b | pdf-javascript-stream | PDF /JS object 177 at offset 0xBC61 | 38 bytes |
| javascript_obj0178_018.js | b9c187b2cb2c08c94fe0f3424e26f7cab6226b61fb2ac697a570bc57b18927df | pdf-javascript-stream | PDF /JS object 178 at offset 0xBCDA | 41 bytes |
| javascript_obj0179_019.js | 85ac1cd156cd6a9940fb806e859986825b9b75ad4cd5534a7528c597432ed6d5 | pdf-javascript-stream | PDF /JS object 179 at offset 0xBD59 | 41 bytes |
| javascript_obj0284_020.js | 0a3e96ca036c08b597a7117cb8e8c1a3b0f2125fa2773efc1bdf9c140d0e8f4e | pdf-javascript-stream | PDF /JS object 284 at offset 0x15BEF | 41 bytes |
| javascript_obj0285_021.js | 49d2cfe402415d8914a6a717ca9196ab780cf14c24418aec87a25876dac99370 | pdf-javascript-stream | PDF /JS object 285 at offset 0x15C47 | 41 bytes |
| javascript_obj0286_022.js | 621f883938bfc77ce2133a8e39b850c676918a1c9f32928407b6f592f4d7fd61 | pdf-javascript-stream | PDF /JS object 286 at offset 0x15C9F | 41 bytes |
| javascript_obj0287_023.js | 8385907877c4babd135f23c27a78a37f5b58af5a962f945cb22118a8a8dae54e | pdf-javascript-stream | PDF /JS object 287 at offset 0x15CF7 | 41 bytes |
| javascript_obj0288_024.js | 0e6b1dddffb949ad91c611b4fdf7da6b092736cf4b68013583079f0619eb8272 | pdf-javascript-stream | PDF /JS object 288 at offset 0x15D4F | 41 bytes |
| javascript_obj0307_025.js | d0caba40f8191289ff14405fb94dbd8b850dea0af6ed702cccd764c7986ca03a | pdf-javascript-stream | PDF /JS object 307 at offset 0x17704 | 41 bytes |
| javascript_obj0308_026.js | 48fd30af8252f2154a7f03886fe37137b55fe665e944b5a9e990f8dd04f6e1f7 | pdf-javascript-stream | PDF /JS object 308 at offset 0x1775C | 41 bytes |
| javascript_obj0309_027.js | ff6659dfc61729d42f9fc6f0a48707b11ff99a9a44d1646797a83827b15344e0 | pdf-javascript-stream | PDF /JS object 309 at offset 0x177B4 | 41 bytes |
| javascript_obj0310_028.js | af6e3560aeb6d6ef9af286c349cb4a8cedd4b0b826fc903e7c22b4d3232ed0ce | pdf-javascript-stream | PDF /JS object 310 at offset 0x1780C | 41 bytes |
| javascript_obj0311_029.js | 5dfcb42fcf124a6207bc94065a1ddc8c5a49f3293c32b3c024e81c60968d6ebb | pdf-javascript-stream | PDF /JS object 311 at offset 0x17864 | 41 bytes |
| javascript_obj0312_030.js | 247363f5fbdf705392e082c2bef9b7816f40194217d8a13c643d6b1604c7635d | pdf-javascript-stream | PDF /JS object 312 at offset 0x178BC | 41 bytes |
| javascript_obj0313_031.js | e0dce1873b7ceaa561cba24d450eeb36e3a490274255ceaa6dcf572f6b46eea2 | pdf-javascript-stream | PDF /JS object 313 at offset 0x17914 | 41 bytes |