Verdict: MALICIOUS
Risk Score: 116
MITRE ATT&CK: T1059.001 PowerShell

Malware Insights
The PDF file contains multiple embedded JavaScript streams, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The presence of String.fromCharCode suggests obfuscation techniques are being used within the JavaScript. While the exact payload is not discernible due to obfuscation and truncation, the overall pattern points to a malicious document designed to execute arbitrary code via embedded scripts.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- JavaScript action (low, 2 related findings): PDF_JAVASCRIPT. PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical): PDF_JS_EXPLOIT_CLUSTER. PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: `/S /JavaScript /JS (var nops='';for\(i=0;i<nnn2.length;i+=4\){c=0;for\(j=0;j<4;j++\)c=16*c+nnn2.charCodeAt\(i+j\)-65;nops+=String.fromCharCode\(c\);}) >>`
- Embedded JS stream (low): PDF_JS. PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info): EXTRACTED_FILE_STATIC_TRIAGE. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (32)
Files carved from inside the sample during analysis. The preview column shows the first 1,000 lines of each extracted script.
| Filename | Kind | Source | Size | SHA-256 | Detection | Preview script |
|---|---|---|---|---|---|---|
| javascript_obj0010_001.js | pdf-javascript-stream | PDF /JS object 10 at offset 0x35CC | 40 bytes | f9ae5a33db8c7c1304813e927490f51369c0114e1b7e481ce8d3cc0f2f95f72e | | `var ppp=new Array();var nnn=new Array();` |
| javascript_obj0011_002.js | pdf-javascript-stream | PDF /JS object 11 at offset 0x3632 | 82 bytes | 0bd49e0db9f56d20f769fe2d5f5bb81d1162abff38b529cd7f597be7a9edb212 | | `ppp[0]='LIMAFJGJGJNLMENJHECEPECLMJFKLBLFDBECBDADECBDIDMCMELLJMFIANOBJCCDANBALIIA';` |
| javascript_obj0012_003.js | pdf-javascript-stream | PDF /JS object 12 at offset 0x36BE | 44 bytes | 0aa43c4c40dc9bd2bc480d57ff4be18e6f0917e475b0d700f339f04c3e375fca | | `ppp[1]='NEGJOGNMFHDPLLCNNCFHMHILNIFEICAAIC';` |
| javascript_obj0013_004.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x3724 | 86 bytes | 24933d340c30053983c9135791c21268ebc9b95b73de119bb91f0fea3e03ae7b | | `ppp[2]='KJCEDGCLFMBGIJAPFDFCJNNOIJIFAOMJHCHAEDMLAKHMKNCMOFINFPGFFNJFLPFKMMIOLMJGPLJH';` |
| javascript_obj0014_005.js | pdf-javascript-stream | PDF /JS object 14 at offset 0x37B4 | 100 bytes | 46b688cf8139f71d0196562cbb289e645963972995bc868643125885be70fe33 | | `ppp[3]='AGHCCMLJDALMJBGPADOFFCIMEHABDOFLEKAJKACKIDNLFGAJGOICNFNLBBBLGJLBOBJIBFBPNPELMDOFBLPOMENGNM';` |
| javascript_obj0015_006.js | pdf-javascript-stream | PDF /JS object 15 at offset 0x3852 | 50 bytes | 47045ff2543302acf95895d323a8405a25bbf0da769074f38a9336909cdc99d0 | | `ppp[4]='GCPGMGNMBIAOJCFBHHJEPOKEKAACLFNNPGIHBMHP';` |
| javascript_obj0016_007.js | pdf-javascript-stream | PDF /JS object 16 at offset 0x38BE | 58 bytes | 9698167271c56c12b5f20c0a3022cae0b179761f5439036f85aaeeeffd000b0c | | `ppp[5]='HHEMLBIBHHCEHFOOCIPFNKOFHLFIHFLDMBBIPFDOHAFDLICM';` |
| javascript_obj0017_008.js | pdf-javascript-stream | PDF /JS object 17 at offset 0x3932 | 96 bytes | ea1c9545b06f1e7f1795a969fd49f533db01b5359dfc45b743a5a82f423f836f | | `ppp[6]='IKHOKAAHGJPJPIJKHLDNGIEAGIENFBPPPDBEFEOOJJJICJJICEAONMPCPNGJKEMGONJECGBFJNOIMHFMCCBCAP';` |
| javascript_obj0018_009.js | pdf-javascript-stream | PDF /JS object 18 at offset 0x39CC | 34 bytes | 8b6771b1ee6883a10810f2fcd4952acf475d12673bc32846d2dc2d2c84b777e2 | | `ppp[7]='HGHKGHEFGEMNCOOKDMLMBLMA';` |
| javascript_obj0019_010.js | pdf-javascript-stream | PDF /JS object 19 at offset 0x3A28 | 84 bytes | ea7712515e8d2df30cb9117113986dafb076ccae5e9d7d0eb6042b6a4be8a09a | | `ppp[8]='CIFKCNBFLHMHPLOALABOJDKINPJNFNBEHCJJKONLFJLPBOFNOLLEGGJHEAFLKOGMMMPCGKEHPH';` |
| javascript_obj0020_011.js | pdf-javascript-stream | PDF /JS object 20 at offset 0x3AB6 | 92 bytes | a03bcdbd8fb3dccefd9b948039c3685ddad5cb93cd8e65d196de5d16742d01b4 | | `ppp[9]='FBHBMOPBEPACGKIEIEPBIBAOCHAEOLMPBIMMPOMALPDMOFOIDGIKBNEKMMGICEBJEFIBMKKNCOOLDOPMNG';` |
| javascript_obj0021_012.js | pdf-javascript-stream | PDF /JS object 21 at offset 0x3B4C | 77 bytes | 5e9120c29aebb0aa881185e3b742d805a0b67746226c1457df46db8fefe48972 | | `ppp[10]='ONHFKNEHAKEGPDMFOIDGGOJMKBEIFCHEGAGOPHCAMCEKFJIJGMNOOGICADNFPMHMJC';` |
| javascript_obj0022_013.js | pdf-javascript-stream | PDF /JS object 22 at offset 0x3BD3 | 69 bytes | c2f148301fb2cbb6d600fb17113197c908d117eaef186c15ae54337d929d552b | | `ppp[11]='BLAFLFLJJMGHIKAENFDJPILHJDAOHMLEFIGLOGPOJBOGBAFPIHGGDFCLEE';` |
| javascript_obj0023_014.js | pdf-javascript-stream | PDF /JS object 23 at offset 0x3C52 | 75 bytes | 32b7fff85fe6b25c2947135bed15f326e75b21edf6a4bf7200ae060ec4726664 | | `ppp[12]='CHDCEDICAFPGGCCIKALOJPNOPJOKDDPMHAMODCDOCCJOGEKJJIKBPFGBNOMPEDEC';` |
| javascript_obj0024_015.js | pdf-javascript-stream | PDF /JS object 24 at offset 0x3CD7 | 61 bytes | 14cbca55cb2564efe050e515d42f14dc96316f493b5e6d006b6aae89a50c2477 | | `ppp[13]='ICENMIJLAFKDGFGEDLFOMGOENBOPBIAFLNHFMKMEMAGIBABMFD';` |
| javascript_obj0025_016.js | pdf-javascript-stream | PDF /JS object 25 at offset 0x3D4E | 51 bytes | 5b42a17bb8aafec526d9a894bb3d33ea4bdab6c3245a0e4be871154df53a97b4 | | `ppp[14]='KKBPLKNOKBNIBICCMDOGNGFJFEAMIGFKPBDCPAPB';` |
| javascript_obj0027_018.js | pdf-javascript-stream | PDF /JS object 27 at offset 0x3E14 | 103 bytes | 595038e4ae0abde6634748f6084b680581f64927ff8c2a59bd1ae2ab492d9a08 | | `ppp[16]='EJPMPLNPMBKLJIHAONKMOLFIPAGEDOJJJGPMIBOKGJPKMPJGMKIDHMAAGGGCNJEAICCAMAAKKKHNHEPMDBILEJLJLLBN';` |
| javascript_obj0028_019.js | pdf-javascript-stream | PDF /JS object 28 at offset 0x3EB5 | 73 bytes | a506fac30be4f69aa4cf34993f24d80f71d48a8c6960ff78eed85393fa1ae4bf | | `ppp[17]='AOEHOBGDPBOAHFMPOBGJNBMJIJJAOHLMDGCNNBODLIFPOHJOFAAECFEMEDFNND';` |
| javascript_obj0029_020.js | pdf-javascript-stream | PDF /JS object 29 at offset 0x3F38 | 39 bytes | bbef1ddd6064d80671fd157e4be6816d37210175eadeb0297950570cda4ef4eb | | `ppp[18]='ANOLKHMGHHCEIBIPCAELLLKFDMPG';` |
| javascript_obj0030_021.js | pdf-javascript-stream | PDF /JS object 30 at offset 0x3F99 | 61 bytes | a3227454658f8d483304ee4f7c0eb8f47d910a57145c31cd1f061a90a048e15e | | `ppp[19]='BLOKCHJEIJDNBMMDLNBBJPKONKCDFMNJAENBANLLHEGAINNBJB';` |
| javascript_obj0031_022.js | pdf-javascript-stream | PDF /JS object 31 at offset 0x4010 | 43 bytes | b75c567698303c08d296463d0536f5ac25387badd12790d150bd564fac06bfe3 | | `ppp[20]='IIIGGNKJFILDHBJEKKANOFCENAGBCAAN';` |
| javascript_obj0032_023.js | pdf-javascript-stream | PDF /JS object 32 at offset 0x4075 | 59 bytes | ac521f0c68f866703ba40f4372461730c3513358285e0605c4dba1cb93fef517 | | `ppp[21]='LEPHDINEFKKAPFPNFJCFJNBBBLHCIPDNEMPIFLHAOCDHEOKB';` |
| javascript_obj0033_024.js | pdf-javascript-stream | PDF /JS object 33 at offset 0x40EA | 65 bytes | 9d0d24421a187886c071b9710db4b5c8aa66356c4b7ec4b3c353e1a0062e67c7 | | `ppp[22]='KAPFHJHGPDPLMNKKMKAPIPPEFBGCIEFNFPAKEJDFCJHMODDEHBBBPJ';` |
| javascript_obj0035_026.js | pdf-javascript-stream | PDF /JS object 35 at offset 0x41AE | 63 bytes | 90a064d0731fa8d07679cc869dd92903ebae63300df8b5b013b3598229ee71a3 | | `ppp[24]='HGMIGMCDKNBLODBIJGKIBFIBPIFGOHMFEEKNEKEBGEHGHLCDAKME';` |
| javascript_obj0037_028.js | pdf-javascript-stream | PDF /JS object 37 at offset 0x4272 | 85 bytes | 61e07714cfb9cb13e3504e9e89e4670cb9c3092f40a6e8f9595adc0c9c955285 | | `ppp[26]='HFDCFIACNCHMLDKEGKHHHGJBGMKLDKHAMCMJHBMKIHHNFFJJBGDFGLPLCOAJNLMKEODHBNIGJM';` |
| javascript_obj0038_029.js | pdf-javascript-stream | PDF /JS object 38 at offset 0x4301 | 81 bytes | d921e9932803c1f5e20767876ff5e96ac30b8fb6ccceceb5459b4ec35337f24c | | `ppp[27]='LIDJJEEEGILJMKFFFAJPLDPCKKFIPCPOEEJBMNKNGEDIKNCFDDLGHNJINPDDILODMHKLMB';` |
| javascript_obj0046_037.js | pdf-javascript-stream | PDF /JS object 46 at offset 0x4588 | 49 bytes | 5919c0d1d84a5a746be9f27963881ad88d4190b52b00795a7bba41f91757774f | | `var pay='';for (i=0;i<ppp.length;i++)pay+=ppp[i];` |
| javascript_obj0047_038.js | pdf-javascript-stream | PDF /JS object 47 at offset 0x45F5 | 51 bytes | 9882b77792295f132527561d187f85c94b2cd973564768e464959f18c36b3adf | | `var nnn2='';for (i=0;i<nnn.length;i++)nnn2+=nnn[i];` |
| javascript_obj0048_039.js | pdf-javascript-stream | PDF /JS object 48 at offset 0x4664 | 121 bytes | d0c51bf80c2b774fd7e3f148d01ffbc945e29725fa0df8312c7ee2e2af01f03e | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). | `var nops='';for(i=0;i<nnn2.length;i+=4){c=0;for(j=0;j<4;j++)c=16*c+nnn2.charCodeAt(i+j)-65;nops+=String.fromCharCode(c);}` |
| javascript_obj0049_040.js | pdf-javascript-stream | PDF /JS object 49 at offset 0x471F | 119 bytes | b1b2b43288ce70ec200b2f13b08007f27b53e440ecc0d66f3597d77149e048d4 | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). | `var coqu='';for(i=0;i<pay.length;i+=4){c=0;for(j=0;j<4;j++)c=16*c+pay.charCodeAt(i+j)-65;coqu+=String.fromCharCode(c);}` |
| javascript_obj0050_041.js | pdf-javascript-stream | PDF /JS object 50 at offset 0x47D8 | 42 bytes | cdb00d413dd3dc5b9d3e3780f1775e73dbb44b071a24019bd9d4f5472f12fea2 | | `var nop='';for(i=0;i<128;i++)nop=nop+nops;` |
| javascript_obj0051_042.js | pdf-javascript-stream | PDF /JS object 51 at offset 0x483E | 52 bytes | 887c4000e5cc4d9dfa6111f1e7cc04f6b55e03f5444509a403960cb208d351ee | | `heapblock=nop+coqu;big=nops;spr=20+heapblock.length;` |