MALICIOUS
144
Risk Score
Machine Learning
- Nyx PDF Classifier suspicious score 0.3262
Heuristics 7
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
} eval(decrypt(sourceCode,(new Date().getSeconds() % 1))) -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.windjack.com In PDF document text
- http://www.pdfscripting.comIn PDF document text
- http://www.trisect.dk/PDF link annotation
- http://www.formrouter.com/In PDF document text
- http://www.trisect.dkReferenced by PDF JavaScript
- http://www.formrouter.comReferenced by PDF JavaScript
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by PDF JavaScript
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/Referenced by PDF JavaScript
- http://purl.org/dc/elements/1.1/Referenced by PDF JavaScript
- http://ns.adobe.com/xap/1.0/mm/Referenced by PDF JavaScript
- http://ns.adobe.com/pdfx/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#Referenced by PDF JavaScript
- http://ns.adobe.com/photoshop/1.0/Referenced by PDF JavaScript
- http://ns.adobe.com/tiff/1.0/Referenced by PDF JavaScript
- http://ns.adobe.com/exif/1.0/Referenced by PDF JavaScript
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
JSPopupCalendar.doc |
pdf-embedded-file | PDF EmbeddedFile object 203 at offset 0x11C0E | 71168 bytes |
SHA-256: f27a827d874af1ac08c33e8c1444b6455ba84923ec12830585794d91f42c5c4e |
|||
javascript_obj0072_000.js |
pdf-javascript-stream | PDF /JS object 72 at offset 0x3715 | 84 bytes |
SHA-256: d782d639c45bcaa96880fc9447174b8d7d299f585b1ea79cf5b180ed3f59332a |
|||
Preview scriptFirst 1,000 lines of the extracted script
FormRouter_PlaceCalendar(this.getField("DateTest2"), true, "ddd mmm d, yyyy");
|
|||
javascript_obj0075_001.js |
pdf-javascript-stream | PDF /JS object 75 at offset 0x3A2A | 86 bytes |
SHA-256: 996a31921a7b314305fefd156bb245b28822c0148d0e73418fca006bd7bf7a12 |
|||
Preview scriptFirst 1,000 lines of the extracted script
FormRouter_PlaceCalendar(this.getField("DateTest1"), false, "mm/dd/yyyy");
|
|||
javascript_obj0079_002.js |
pdf-javascript-stream | PDF /JS object 79 at offset 0x3DC6 | 85 bytes |
SHA-256: 6387eebded479cab3ecfc6ae7580d53e5e71f2a1b2ca26754ba57a2c06fd0577 |
|||
Preview scriptFirst 1,000 lines of the extracted script
FormRouter_PlaceCalendar(this.getField("FormDateField"), false, "mmmm dd, yy");
|
|||
javascript_obj0081_003.js |
pdf-javascript-stream | PDF /JS object 81 at offset 0x3F87 | 89 bytes |
SHA-256: e351151ec253ccf74999819c5e672de09855e7c7809f62c096d11716fd900a51 |
|||
Preview scriptFirst 1,000 lines of the extracted script
FormRouter_PlaceCalendar(this.getField("FormDateField.1"), false, "mmm d, yyyy");
|
|||
javascript_obj0171_004.js |
pdf-javascript-stream | PDF /JS object 171 at offset 0x10059 | 150 bytes |
SHA-256: a6ba449cd511cf40387696e604a8ea30b1c722e0fa6a10b4f3ce2261cac916e7 |
|||
Preview scriptFirst 1,000 lines of the extracted script
if(!event.willCommit)
{
FormRouter_SetDays(parseInt(event.changeEx), parseInt(getField("FR_00000_Calendar.CalendarYear").value));
}
|
|||
javascript_obj0224_006.js |
pdf-javascript-stream | PDF /JS object 224 at offset 0x245FD | 54 bytes |
SHA-256: 3028de115b0e4dfaeb8eab1e550b22c5e6bf071f2e46c19f4e7a236056dc0123 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 2 */
FormRouter_SetCurrentDate("2");
|
|||
javascript_obj0230_007.js |
pdf-javascript-stream | PDF /JS object 230 at offset 0x24CB7 | 60 bytes |
SHA-256: 28d9dbd1b4a87869a308c824e9ede90f042537135484ef44a7c9ad16122e7ca4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 3 */
FormRouter_SetCurrentDate("3");
|
|||
javascript_obj0236_008.js |
pdf-javascript-stream | PDF /JS object 236 at offset 0x25389 | 54 bytes |
SHA-256: dfa51a9b86cd74123e8a0e369f4b92c9dc95b81d706dba3de1529cb5cc7ed275 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 4 */
FormRouter_SetCurrentDate("4");
|
|||
javascript_obj0242_009.js |
pdf-javascript-stream | PDF /JS object 242 at offset 0x25A43 | 54 bytes |
SHA-256: cd7c981cc4603cde5c751d4a86df821ea0f3bdf6ce2a6a3c3a3e1b71d2fd3dd7 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 5 */
FormRouter_SetCurrentDate("5");
|
|||
javascript_obj0248_010.js |
pdf-javascript-stream | PDF /JS object 248 at offset 0x26128 | 54 bytes |
SHA-256: 2b11ec4ab6212f1d04dfd518b4e7148f5e73f838252b2672c6c4e57b691eebe2 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 6 */
FormRouter_SetCurrentDate("6");
|
|||
javascript_obj0254_011.js |
pdf-javascript-stream | PDF /JS object 254 at offset 0x267E2 | 54 bytes |
SHA-256: f9d89262795f905244474dabf7997637dada651edbaf7a286da3f08dc8205cb8 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 7 */
FormRouter_SetCurrentDate("7");
|
|||
javascript_obj0260_012.js |
pdf-javascript-stream | PDF /JS object 260 at offset 0x26E9C | 54 bytes |
SHA-256: d1dca82399c05b1bd956713048cf5224a9360c8c9722b228789df23841ca9693 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 8 */
FormRouter_SetCurrentDate("8");
|
|||
javascript_obj0266_013.js |
pdf-javascript-stream | PDF /JS object 266 at offset 0x27554 | 54 bytes |
SHA-256: 940e9253698d2df6789af910a67255e9b94d379e0c0679bda19672db05a0d396 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 9 */
FormRouter_SetCurrentDate("9");
|
|||
javascript_obj0272_014.js |
pdf-javascript-stream | PDF /JS object 272 at offset 0x27C0E | 56 bytes |
SHA-256: 27349853cead109b42036ca1ddac0f560e69677c8fc0e99552c3136fbe9066ff |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 10 */
FormRouter_SetCurrentDate("10");
|
|||
javascript_obj0278_015.js |
pdf-javascript-stream | PDF /JS object 278 at offset 0x282CC | 56 bytes |
SHA-256: e0c06a9a5bb90dc10801f6cd7fbe170ba7709786366597b122dabf4e5b95be2d |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 11 */
FormRouter_SetCurrentDate("11");
|
|||
javascript_obj0284_016.js |
pdf-javascript-stream | PDF /JS object 284 at offset 0x2898A | 56 bytes |
SHA-256: 0e1a45b7fc760bfebc03e3b33fe4a6d924f98c651595f4cb340138bb494faae8 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 12 */
FormRouter_SetCurrentDate("12");
|
|||
javascript_obj0290_017.js |
pdf-javascript-stream | PDF /JS object 290 at offset 0x2904A | 57 bytes |
SHA-256: 902c8366f14e09e2e38570a9eb9a26e0e6a1274cc39f841ee9f68254c668c241 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 13 */
FormRouter_SetCurrentDate("13");
|
|||
javascript_obj0296_018.js |
pdf-javascript-stream | PDF /JS object 296 at offset 0x2970C | 56 bytes |
SHA-256: cb132c85677fd2be28f5d55c3bb7239b7f30ab5d3494e33500a9ea72704899e9 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 14 */
FormRouter_SetCurrentDate("14");
|
|||
javascript_obj0302_019.js |
pdf-javascript-stream | PDF /JS object 302 at offset 0x29DCA | 56 bytes |
SHA-256: 445acad33f8b7efeb8dc5a1c8ee11777d817f15664009bee9081f2e4e9a39a7d |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 15 */
FormRouter_SetCurrentDate("15");
|
|||
javascript_obj0308_020.js |
pdf-javascript-stream | PDF /JS object 308 at offset 0x2A488 | 56 bytes |
SHA-256: 428c460c0da76e767c2f8b817bf4c95ad7855a9489cbc5da4187c68102f40021 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 16 */
FormRouter_SetCurrentDate("16");
|
|||
javascript_obj0314_021.js |
pdf-javascript-stream | PDF /JS object 314 at offset 0x2AB48 | 56 bytes |
SHA-256: c4115f4f95a1bd391913a4936b713d6be1a0c0216553bc6cc5362611e7344a20 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 17 */
FormRouter_SetCurrentDate("17");
|
|||
javascript_obj0320_022.js |
pdf-javascript-stream | PDF /JS object 320 at offset 0x2B208 | 56 bytes |
SHA-256: fe32398961094fbfb2eaafaf6b3bb4fc8a47b15f0704a6a1f8fc3dd246887f6d |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 18 */
FormRouter_SetCurrentDate("18");
|
|||
javascript_obj0326_023.js |
pdf-javascript-stream | PDF /JS object 326 at offset 0x2B8C8 | 62 bytes |
SHA-256: a36f70fbc96a5ba20a0df7d2785518ecf611e42839142e7b1a6226df7fede1bf |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 19 */
FormRouter_SetCurrentDate("19");
|
|||
javascript_obj0332_024.js |
pdf-javascript-stream | PDF /JS object 332 at offset 0x2BFA0 | 56 bytes |
SHA-256: c73585801a9629d21c19497b569d7843840a9be0f202122dbf273134ca7fb2b7 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 20 */
FormRouter_SetCurrentDate("20");
|
|||
javascript_obj0338_025.js |
pdf-javascript-stream | PDF /JS object 338 at offset 0x2C660 | 56 bytes |
SHA-256: 580acc352787c4a6c0a7836d4bfcf9ffb1b2b9896ccb1fbe254b668483ce0d5d |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 21 */
FormRouter_SetCurrentDate("21");
|
|||
javascript_obj0344_026.js |
pdf-javascript-stream | PDF /JS object 344 at offset 0x2CD20 | 56 bytes |
SHA-256: 7f6991f19175ea63adacc0932087dad1898fa86177e461e7eb7e385d495a731f |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 22 */
FormRouter_SetCurrentDate("22");
|
|||
javascript_obj0350_027.js |
pdf-javascript-stream | PDF /JS object 350 at offset 0x2D3E0 | 56 bytes |
SHA-256: f1d645ff3ec500f0048bc66b13624594caa254589d8f2ae46c803f2bd9019ca9 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 23 */
FormRouter_SetCurrentDate("23");
|
|||
javascript_obj0356_028.js |
pdf-javascript-stream | PDF /JS object 356 at offset 0x2DAA0 | 56 bytes |
SHA-256: 4e5d77d74e314a957f00ff03e8d179e179edef9650931db4dec6e9f6ee147642 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 24 */
FormRouter_SetCurrentDate("24");
|
|||
javascript_obj0362_029.js |
pdf-javascript-stream | PDF /JS object 362 at offset 0x2E160 | 56 bytes |
SHA-256: fe3b638668c71ba5bcc53d13cb36a72c7e938289c6cecb6a1b693f00c77db452 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 25 */
FormRouter_SetCurrentDate("25");
|
|||
javascript_obj0368_030.js |
pdf-javascript-stream | PDF /JS object 368 at offset 0x2E81C | 56 bytes |
SHA-256: fa1d8c34a615fae6ef15c252f22be52da3e06d8edf1b128014ba8d4ba3e9bbe5 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 26 */
FormRouter_SetCurrentDate("26");
|
|||
javascript_obj0374_031.js |
pdf-javascript-stream | PDF /JS object 374 at offset 0x2EF08 | 56 bytes |
SHA-256: 96c4e6976d16b424ff02d7ef3fdabf41262d3ffc6a191431dc77176a814c1256 |
|||
Preview scriptFirst 1,000 lines of the extracted script
/* Set day 27 */
FormRouter_SetCurrentDate("27");
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.