MALICIOUS
70
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file triggered high-severity heuristics indicating it contains a JavaScript exploit stage. Multiple deobfuscated JavaScript files were extracted, suggesting they are responsible for downloading and executing a second-stage payload. The exact nature of the payload is not discernible from the provided evidence, but the presence of JavaScript exploits in a PDF is a strong indicator of malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics 1
-
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERYBounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
generic_stage_recovery_000.js5a3d618cc83fec1f8003eb2530912f02e653c5baeb1d26e88be81e583830516a |
deobfuscated-js | generic stage recovery percent-decode from decompressed stream at 0x75 at offset 0x75 | 1966 bytes |
generic_stage_recovery_001.js345e044131a08dd1ac7b741746371cfb4c09687390f7933c077c708a4212a1db |
deobfuscated-js | generic stage recovery percent-decode -> percent-decode from decompressed stream at 0x75 at offset 0x75 | 1896 bytes |
legacy_pdfkit_stage_000.js82e437a34ffd7a5adea747c29400e59651eeab351c671fa9b3baf778b23b0fa0 |
deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x75 | 155 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.