Verdict: MALICIOUS
Risk Score: 106

Malware Insights
MITRE ATT&CK: T1059.001 JavaScript; T1204.002 Malicious Link
The file is a PDF containing multiple embedded JavaScript streams and an AcroForm button with an action trigger, indicating an attempt to exploit PDF vulnerabilities. The ClamAV detection 'Pdf.Exploit.Agent-20775' strongly suggests malicious intent. The embedded JavaScript is likely responsible for downloading and executing a secondary payload, although the specific URLs for this are not directly extractable from the provided evidence. The high stream count also suggests obfuscation.
Heuristics (7)

- ClamAV: Pdf.Exploit.Agent-20775 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Exploit.Agent-20775
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects; may indicate heap spray or heavy obfuscation.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/g/img/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/pdf/1.3/
Extracted artifacts (32)

Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| javascript_obj1312_009.js | 6194bed55306139fa0613692ba8d7df6566d9b3e25e1da418cf5db1d4d1a07bc | pdf-javascript-stream | PDF /JS object 1312 at offset 0x77060 | 61 bytes | |
| javascript_obj1430_013.js | b1eabd7002b3b6d4374372895528a4cc253665c9907fdfbc558550d6bb45b956 | pdf-javascript-stream | PDF /JS object 1430 at offset 0x787BE | 64 bytes | |
| javascript_obj1733_015.js | 38771303e5b133f65b24c6712ec9e6df4c1e3ff95fa802e5cb4ed740e2d70e27 | pdf-javascript-stream | PDF /JS object 1733 at offset 0x7DEC1 | 42 bytes | |
| javascript_obj1734_016.js | 3bc80ec40ddc2a11c8e2fe6adcd0b03351c4b296889df91d41bcbfba1fd9d4ad | pdf-javascript-stream | PDF /JS object 1734 at offset 0x7DF15 | 39 bytes | |
| javascript_obj1760_017.js | eb5719eb3e51785b68ef3a44f9d246513081068502558bb59c2e44890eb06512 | pdf-javascript-stream | PDF /JS object 1760 at offset 0x7E2BB | 65 bytes | |
| javascript_obj2908_018.js | 1829f93c988f1bfcd4bf6a74fc06fa5705171ae9bf3ac877b13813c6b492c742 | pdf-javascript-stream | PDF /JS object 2908 at offset 0x813BA | 42 bytes | |
| javascript_obj2909_019.js | 3328eab8501405fcffcc95bb30fbb8bcb963b88928e4a40bd4be3a45d3e80107 | pdf-javascript-stream | PDF /JS object 2909 at offset 0x8140E | 39 bytes | |
| javascript_obj2913_020.js | 2927a11b5de8196505468218d0335e4457345716313d2e477e9af256a6453087 | pdf-javascript-stream | PDF /JS object 2913 at offset 0x8151A | 42 bytes | |
| javascript_obj2914_021.js | 483e06f06445cc39e6730dde13e0b0119b05238d991f965fa3cc0c1fa3e06089 | pdf-javascript-stream | PDF /JS object 2914 at offset 0x8156E | 39 bytes | |
| javascript_obj3083_022.js | 518e1fe2f37fea57fb397cd9512a204da5de881d8b692e9d3695b4c9148f63c0 | pdf-javascript-stream | PDF /JS object 3083 at offset 0x83982 | 237 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). |
| javascript_obj3192_023.js | e934f6fac167651ff02757d601fcd47fc91f338316e9d9cfa095ff9749fa0cb1 | pdf-javascript-stream | PDF /JS object 3192 at offset 0x84BB0 | 41 bytes | |
| javascript_obj3193_024.js | 45932a0bdf1553f65fa81113a37ef4232edd7ba595d343a00555d0f37cdf2fe2 | pdf-javascript-stream | PDF /JS object 3193 at offset 0x84C03 | 107 bytes | |
| javascript_obj3294_025.js | bc5cabb464bd6493d4edb053df7d42aeb5db3d18737ab9cde38a91aff940bd47 | pdf-javascript-stream | PDF /JS object 3294 at offset 0x86348 | 199 bytes | |
| javascript_obj3981_026.js | 6aeb2fc8f6b0dba7b9d76914b437aa0140bcd183b4c2b0d2b66173e7a39a1974 | pdf-javascript-stream | PDF /JS object 3981 at offset 0x8FE5A | 41 bytes | |
| javascript_obj3982_027.js | dd4e86ff46931388298d522a0c25afc2a74df361f28fb6ad9f104ffc1f5056c1 | pdf-javascript-stream | PDF /JS object 3982 at offset 0x8FEAD | 38 bytes | |
| javascript_obj3986_028.js | a22e7a3e6dbfb6427839e3a2fdcab1be9d58bdd666536d5308358ec98c59feed | pdf-javascript-stream | PDF /JS object 3986 at offset 0x8FFC0 | 42 bytes | |
| javascript_obj3987_029.js | cf3ef38cead83f4b1b39c7a061c8fef2c62d068861252a2b5ba7c0b959eec058 | pdf-javascript-stream | PDF /JS object 3987 at offset 0x90014 | 39 bytes | |
| javascript_obj4665_030.js | 95066cd27f083b1a0413aadccb5835508c16082c9316fb48ecf4a641d2a49443 | pdf-javascript-stream | PDF /JS object 4665 at offset 0x971D4 | 140 bytes | |
| javascript_obj4676_031.js | a864be5d6a4c10f844b899fd655b85ccd76d2549394d2bb49087c933096a8cc5 | pdf-javascript-stream | PDF /JS object 4676 at offset 0x97298 | 134 bytes | |
| javascript_obj4688_032.js | 3edbbd8092239ad80281cabaaad5b6111d8273b8e1f0a5d74399764696944cd2 | pdf-javascript-stream | PDF /JS object 4688 at offset 0x97352 | 186 bytes | |
| javascript_obj4774_033.js | 26ce941523556de27b633b09777f4608b8fe21356f667bed8cd4476d6d43e5a4 | pdf-javascript-stream | PDF /JS object 4774 at offset 0x977A1 | 184 bytes | |
| javascript_obj3298_034.js | 996fc70e5de6677bdf952e8fbd0dc7b163da9aa135aa8ec75002e7168ddec1b7 | pdf-javascript-stream | PDF /JS object 3298 at offset 0x8651F | 349 bytes | |
| javascript_obj4461_035.js | 624f09e12a56a347ca2dd695c161c1a87101c08e7323dcab9678589486c2b1c8 | pdf-javascript-stream | PDF /JS object 4461 at offset 0x93EE5 | 790 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). |
| javascript_obj4463_036.js | 9f144a5d4114dc312550f4adb2da6a4d8420a0d4f2f67da33d93c58f789b1592 | pdf-javascript-stream | PDF /JS object 4463 at offset 0x94151 | 1538 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens). |
| javascript_obj4646_037.js | 4fc7a628209725ea2174e5f0a071abb1ebd48ccfb4c66d7c01712c0f3df12276 | pdf-javascript-stream | PDF /JS object 4646 at offset 0x96E2A | 1695 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token). |
| stream_084_off0004db1a.bin | d10d11cc944ddfd9fabc799332b25c672db35a7d57174a3906498069b6dba605 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4DB1A | 19736 bytes | |
| icc_00_off0001e219.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x1E219 | 3144 bytes | |
| font_00_cff_off0001ef0d.bin | 07a25b424b8a1abe69f035df45e0c7239766d4b1d6500319ffccf9f7955bc3c2 | pdf-font-stream | PDF embedded font (cff) at offset 0x1EF0D | 5470 bytes | |
| font_01_cff_off000206a8.bin | 29f4177ad59a582aba22e68bc5d620091288026b5e41569b7d4fc6bbfedfbc47 | pdf-font-stream | PDF embedded font (cff) at offset 0x206A8 | 5615 bytes | |
| font_02_cff_off00021ea5.bin | 0f59f113bc5ceff8fc8fb01d8e5d29e5bab4d6b9be50945c446ce1b8b3cb03bc | pdf-font-stream | PDF embedded font (cff) at offset 0x21EA5 | 5470 bytes | |
| font_03_cff_off000234d1.bin | 181947beade60771eec8ecbdcb94253ae10085b0e18a0ecf34a69fd81cc2b340 | pdf-font-stream | PDF embedded font (cff) at offset 0x234D1 | 5615 bytes | |
| font_04_cff_off00024b33.bin | d083ed40134c489dd152b6940b750d97c1a0f3190f99a2791a17c0b0b448ee34 | pdf-font-stream | PDF embedded font (cff) at offset 0x24B33 | 5470 bytes | |