MALICIOUS
94
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
T1566.002 Spearphishing Attachment
The PDF file contains numerous embedded JavaScript streams and exhibits characteristics associated with exploit preparation, specifically related to CVE-2010-0188. The presence of JavaScript actions and the high stream count suggest obfuscation and potential execution of malicious code. One of the extracted artifacts, 'javascript_obj2237_020.js', is flagged as suspicious. The overall structure points towards a malicious PDF designed to exploit vulnerabilities and potentially download further payloads.
Heuristics 8
-
CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator high PDF_CCITT_CVE_2010_0188_RELATEDPDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
-
Unusually high stream count medium PDF_MANY_STREAMSPDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
String.fromCharCode low PDF_FROMCHARCODEString.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/g/img/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/xap/1.0/t/pg/
- http://ns.adobe.com/xap/1.0/sType/Dimensions#
- http://ns.adobe.com/xap/1.0/g/
- http://ns.adobe.com/pdf/1.3/
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj2199_000.js02763d0b97f3b488fc3a30dd82817accf5fdfff6e3fe5e008636626ae4c3003f |
pdf-javascript-stream | PDF /JS object 2199 at offset 0x5021 | 178 bytes |
javascript_obj2217_001.jsb81c69b1f10d6373625583e9bf50ce17cb3d0b89d1de94e8939b137c2a574be3 |
pdf-javascript-stream | PDF /JS object 2217 at offset 0x5431 | 102 bytes |
javascript_obj2222_002.js3308320d248e15f4247255ac71c51c1093417e81c0c9de702acea883b7fb99ea |
pdf-javascript-stream | PDF /JS object 2222 at offset 0x5587 | 83 bytes |
javascript_obj2230_003.js9b160d19334bd56892170b86188c49574febdcb9ac509210fcaccee51ca3d16d |
pdf-javascript-stream | PDF /JS object 2230 at offset 0x5755 | 187 bytes |
javascript_obj2593_005.js504189b07839845a0b0a6b2fec209b98ef2ce785b9c387ad4ea61078bb8b5fbc |
pdf-javascript-stream | PDF /JS object 2593 at offset 0x353ED | 49 bytes |
javascript_obj2595_006.js91798ecd92e2f43f96a8c14669a5c168ae5a8d35171751b6a7acca9f8c50f0e6 |
pdf-javascript-stream | PDF /JS object 2595 at offset 0x3547D | 94 bytes |
javascript_obj2598_007.jsc812fa1f7d0804ae8135a933fd602dbf40b2a354bd7768f9a0362abc4405970f |
pdf-javascript-stream | PDF /JS object 2598 at offset 0x356BB | 90 bytes |
javascript_obj2601_008.js4a11062ce06fdbdf909e26403564cc72f6ea751064561e09fe6d680daa579c4b |
pdf-javascript-stream | PDF /JS object 2601 at offset 0x35911 | 91 bytes |
javascript_obj2603_009.js22a8d36c78278d1275f42b32c1b29d33017804950f86420201a1dea2d59bc639 |
pdf-javascript-stream | PDF /JS object 2603 at offset 0x35B39 | 47 bytes |
javascript_obj2606_010.js781be7cd12751af7b7c26920e3c6172f0e5b4e8848e9636dec195b34d1ceb852 |
pdf-javascript-stream | PDF /JS object 2606 at offset 0x35C26 | 148 bytes |
javascript_obj2609_011.jsf8cbc95388aa6e8c4a785734390d3b178051fe4ef4753eed3bea7e510b074ca4 |
pdf-javascript-stream | PDF /JS object 2609 at offset 0x35E63 | 97 bytes |
javascript_obj2611_012.jsac085ba32f5bb169e82a77ad2098d0ec1d3d229aafb8828b23183b62d69055dd |
pdf-javascript-stream | PDF /JS object 2611 at offset 0x36014 | 164 bytes |
javascript_obj2616_013.js70bdf25ffc7ab416662e0bdf374e264c499c7df49ba0e2f2a627b89ecb45d6d1 |
pdf-javascript-stream | PDF /JS object 2616 at offset 0x3626E | 96 bytes |
javascript_obj2163_014.js50882de2fa932efa184f96e8ee550ea6a50044b6d399637932666cc83fb725a9 |
pdf-javascript-stream | PDF /JS object 2163 at offset 0x11355C | 94 bytes |
javascript_obj2232_015.js0a4ecb6c67fb50ad82596bc67b0226244ae82c7c63b9adda4d784064b31cbe09 |
pdf-javascript-stream | PDF /JS object 2232 at offset 0x5885 | 2439 bytes |
javascript_obj2233_016.js28a851867441f6620715987a9284cddd5f094983a9424a0335a31e9dc71e3337 |
pdf-javascript-stream | PDF /JS object 2233 at offset 0x5BB6 | 1400 bytes |
javascript_obj2234_017.js01ecf8adb04541a4523d366e0c9ae0e3fb6a693d673717f9a78bb5a5950d823e |
pdf-javascript-stream | PDF /JS object 2234 at offset 0x5E25 | 2120 bytes |
javascript_obj2235_018.js7630710805486d977fce8926658e46f5ab4a78dccf1c04ce9842c0cd183e1a50 |
pdf-javascript-stream | PDF /JS object 2235 at offset 0x5FFB | 981 bytes |
javascript_obj2236_019.jsf224f131dc20954cd93afb30c4a9fd95d30c0c2cd5e4427b749bfa028eb23b87 |
pdf-javascript-stream | PDF /JS object 2236 at offset 0x61DA | 751 bytes |
javascript_obj2237_020.jsb0c929f13177283012ad4036654ce01413d0aafb48e1b7790dc9b4ca97f35e5d |
pdf-javascript-stream | PDF /JS object 2237 at offset 0x635D | 342 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
javascript_obj2238_021.js890a317fb2991a5335edca47fe8f59b4090ded51020ebeace9078ec8f13f6ef2 |
pdf-javascript-stream | PDF /JS object 2238 at offset 0x6453 | 5555 bytes |
javascript_obj2239_022.js45f6c8f2e7ec08cef736e519bfbf01dba0fc5aff007e3fe1fe70120f4a92a24b |
pdf-javascript-stream | PDF /JS object 2239 at offset 0x67D2 | 525 bytes |
javascript_obj2240_023.jsc4103c0c7e6a993a188423bd208fe661e2cf01d6983e9d6c8161c34604ee34ad |
pdf-javascript-stream | PDF /JS object 2240 at offset 0x68E3 | 8078 bytes |
javascript_obj2241_024.jsc835dc232ea87b2feebb15867d10c455975e237c2611acbc10b5ef6da7a58e82 |
pdf-javascript-stream | PDF /JS object 2241 at offset 0x7053 | 394 bytes |
javascript_obj2242_025.jse4a71d5b01073ef53b6df121a3f1c8d0df6efbce0fcbec600e35043e3362dbe5 |
pdf-javascript-stream | PDF /JS object 2242 at offset 0x7193 | 2527 bytes |
javascript_obj2243_026.jsd17fa5bbb33026d194cae7a4a8c001fb944c8f91df82fa601bb9b61c98eae4e5 |
pdf-javascript-stream | PDF /JS object 2243 at offset 0x74E4 | 502 bytes |
javascript_obj2244_027.js4a976e3fdadd74b6af3af6fd882291c4cb14626d80bc17eaa5573cda3d78cc46 |
pdf-javascript-stream | PDF /JS object 2244 at offset 0x7620 | 985 bytes |
javascript_obj2245_028.jsb544cb72d7c0e280da6be871b6c307d5c757f471f22ab95bfd40e2a6258bf99d |
pdf-javascript-stream | PDF /JS object 2245 at offset 0x77C1 | 1562 bytes |
javascript_obj2246_029.js114e6d2d87b542aaf67fbcc48356b9601939c1b4d944b14a9cd910afd6fe081f |
pdf-javascript-stream | PDF /JS object 2246 at offset 0x79D4 | 1907 bytes |
javascript_obj2247_030.js949e62edc4b7226ee740ce782edfd3f999d49739f58318938992ec8af2bc2d60 |
pdf-javascript-stream | PDF /JS object 2247 at offset 0x7C2F | 3941 bytes |
javascript_obj2248_031.js581ec1c86f32fb43247705af9e535701f3740fbefb5a691f3d0b7e2dbc8c68f9 |
pdf-javascript-stream | PDF /JS object 2248 at offset 0x7F0E | 355 bytes |
javascript_obj2249_032.js6e1840f30e52e9e309ef31054af2c2b073de51bc2d97d438c320051b7e1de960 |
pdf-javascript-stream | PDF /JS object 2249 at offset 0x800F | 998 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.