MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
This PDF file contains embedded JavaScript that utilizes eval() and unescape() functions, indicating an attempt to obfuscate malicious code. The critical CVE-2008-2992 heuristic firing confirms the exploitation of a known Adobe Reader vulnerability via util.printf. The deobfuscated JavaScript streams suggest the primary goal is to download and execute a secondary payload, though the exact nature of that payload could not be determined from the provided evidence. The ML classifier strongly supports the malicious classification.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj111711_000.jsf74a8cce87f96539a05a8c80eb738be99ead336dc95adeb826b514473fefe0d0 |
pdf-javascript-stream | PDF /JS object 111711 at offset 0x18E | 3963 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
javascript_obj111712_001.js29a145141169a5f35e8c9d3452d17f593a8b8a21d85d0790b97fd90a8be19500 |
pdf-javascript-stream | PDF /JS object 111712 at offset 0x113F | 15954 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
javascript_obj111713_002.jsaeeeef71a6682bb775179188fa696a99466d1590302a2cdbe7d34709a2646bbd |
pdf-javascript-stream | PDF /JS object 111713 at offset 0x4FC7 | 4737 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
legacy_pdfkit_stage_000.jsfc73655a72de0e4f564fdd578cdc96b9d979fc030c2a4144bb166b740d0d419d |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x113F | 1423 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 eval/decoder/string-building token(s).
|
|||
legacy_pdfkit_stage_001.jse282e90aa5eca950df2ca38b720cea9e6025f175e744e4f996f2c8820ba8b08c |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x4FC7 | 385 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
legacy_pdfkit_stage_002.jsfd56a589c9c86b34abcf37a2466cbb2800ccf6f6c4511b53e1a3842d3aecf280 |
deobfuscated-js | multi-marker percent-array combined decoded JavaScript at offset 0x113F | 1809 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.