Verdict: MALICIOUS
Risk score: 116
Malware Insights
MITRE ATT&CK: T1059.001 (PowerShell)
This PDF contains numerous embedded JavaScript streams, with several triggering high-severity heuristics for eval() calls and ML classification as malicious. The presence of JavaScript actions and streams, combined with the high stream count and eval() usage, strongly suggests the execution of obfuscated code. The ML classifier's output further supports a malicious classification. No specific URLs or file hashes were extracted, limiting the ability to identify the exact payload or family.
Machine Learning
- Nyx PDF Classifier malicious score 0.5718
Heuristics (6)
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/tiff/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
  - http://ns.adobe.com/exif/1.0/
  - http://ns.adobe.com/xap/1.0/g/img/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/pdfx/1.3/
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj1912_000.js | 72a67344d1b6b395570402b3c246229b0f48b4c3192ce9a317016a17178031c5 | pdf-javascript-stream | PDF /JS object 1912 at offset 0x5721 | 96 bytes |
| javascript_obj2181_003.js | a96fca058db56283c68e4d5bf34073bd79e36cc2f7becad8c19b1d749472bd24 | pdf-javascript-stream | PDF /JS object 2181 at offset 0x3FDEA | 42 bytes |
| javascript_obj2183_005.js | ae95d6581723cae0c2c1e3044a60f6c91e032264799b53449cd6269e6993d7bc | pdf-javascript-stream | PDF /JS object 2183 at offset 0x3FE8A | 38 bytes |
| javascript_obj2184_006.js | 617ef4da07d9bc9d4e06a2320fe0d4cbacd3d6c2cc82039cf4e79e7facf7545f | pdf-javascript-stream | PDF /JS object 2184 at offset 0x3FEDA | 41 bytes |
| javascript_obj2201_014.js | a38c01daa8a2de78b2151ee01d1c69e81170452d881008dd1b45953b3c94a808 | pdf-javascript-stream | PDF /JS object 2201 at offset 0x40376 | 39 bytes |
| javascript_obj2203_015.js | bf6e5cec6b360b670b6bd2c73336d76c35e5f2336d421386785389d70cf8237a | pdf-javascript-stream | PDF /JS object 2203 at offset 0x403F6 | 42 bytes |
| javascript_obj2217_018.js | 3328eab8501405fcffcc95bb30fbb8bcb963b88928e4a40bd4be3a45d3e80107 | pdf-javascript-stream | PDF /JS object 2217 at offset 0x40B4B | 39 bytes |
| javascript_obj2219_019.js | 1829f93c988f1bfcd4bf6a74fc06fa5705171ae9bf3ac877b13813c6b492c742 | pdf-javascript-stream | PDF /JS object 2219 at offset 0x40BD2 | 42 bytes |
| javascript_obj2238_020.js | 094f9bd7196d381d9d9da41ae00a1960b056db1adab2c4cad456dc80e6493aa9 | pdf-javascript-stream | PDF /JS object 2238 at offset 0x410E2 | 46 bytes |
| javascript_obj2242_022.js | 7ecc3e3cb1163cdbe01231107ee5983df92e13911d468ed0c735c44bb980de6f | pdf-javascript-stream | PDF /JS object 2242 at offset 0x411FE | 38 bytes |
| javascript_obj2251_024.js | 006e280fcc63964d49bbe21a395d4fe08282796d47a55ce7b03b040db35820e2 | pdf-javascript-stream | PDF /JS object 2251 at offset 0x4145C | 36 bytes |
| javascript_obj2265_025.js | 79b9b3b840ce58024a1aaaeacf5312f4d88eef476ec5a7692172fb62b0f0b69f | pdf-javascript-stream | PDF /JS object 2265 at offset 0x417E8 | 255 bytes |
| javascript_obj2266_026.js | b45917730170d966e2727500fcec39c1f2827921e9bccf2db1009a0b2ce8ad10 | pdf-javascript-stream | PDF /JS object 2266 at offset 0x4193D | 38 bytes |
| javascript_obj2296_027.js | 3e2da4e9bf4864a118727a1384aa1f47b7763a34f28318b5f40545a9896053d6 | pdf-javascript-stream | PDF /JS object 2296 at offset 0x4225E | 65 bytes |
| javascript_obj2298_028.js | d58fdc3ea9ab57d69349fcd06442493cef7e6b03d1918f44316d35b85fbb1bf2 | pdf-javascript-stream | PDF /JS object 2298 at offset 0x4231A | 65 bytes |
| javascript_obj2300_029.js | 55fc45c8c56075c4a28422683b96ce088d3ba3194172acfa54a027d0d2fecf4a | pdf-javascript-stream | PDF /JS object 2300 at offset 0x423CF | 59 bytes |
| javascript_obj2302_030.js | 09eef5cddea81a667309d87e55c29b2da2ba8f8eb161b75c50387cbcb9e497f3 | pdf-javascript-stream | PDF /JS object 2302 at offset 0x42478 | 59 bytes |
| javascript_obj2306_031.js | 5c32b9bf0f34030031a8a841b68a515c6695029bee496078d61c025fc8633491 | pdf-javascript-stream | PDF /JS object 2306 at offset 0x426BE | 65 bytes |
| javascript_obj2311_034.js | a9bf44866021eb4810c964f1a2149a6251c6e4ce2d51b1a645f7bc671de0a1ee | pdf-javascript-stream | PDF /JS object 2311 at offset 0x42842 | 153 bytes |
| javascript_obj2314_035.js | 75e6058349f6513f9b377af038a0a9c5b612424534a150fe000a148aa2aa445b | pdf-javascript-stream | PDF /JS object 2314 at offset 0x42983 | 156 bytes |
| javascript_obj2334_038.js | 812b02f6ce60edd57d85e2547e6545096d50c9a3d33d3c755f370a7ac9730263 | pdf-javascript-stream | PDF /JS object 2334 at offset 0x42EFC | 54 bytes |
| javascript_obj2337_039.js | 2fb38f55912a1ae89f04fe1254c56222ac715235f2265fe26bec9747f68342d2 | pdf-javascript-stream | PDF /JS object 2337 at offset 0x42FCE | 62 bytes |
| javascript_obj2343_040.js | a4be0a89271ca5207f61e3beb896ae4fb1f8f98856b7a63aea508e3b60cea0c7 | pdf-javascript-stream | PDF /JS object 2343 at offset 0x43182 | 66 bytes |
| javascript_obj0076_042.js | c70b2b9d2231f05d0d1bb476c87868b2ff6c1ecaa7f0dbf0f4e18eb3a57604fd | pdf-javascript-stream | PDF /JS object 76 at offset 0x7BB67 | 54 bytes |
| javascript_obj0079_043.js | 4338b2c56c2f0889c576742a0841a925da0262a003dc269a0219f9ffe6509dc1 | pdf-javascript-stream | PDF /JS object 79 at offset 0x7BC3B | 217 bytes |
| javascript_obj0098_046.js | 9ab3ff814d68f4c8b2c650dbda3d88296f92bcd7add8b5954698a79269264b7b | pdf-javascript-stream | PDF /JS object 98 at offset 0x7C436 | 50 bytes |
| javascript_obj0103_047.js | ab9963b3113e95266d94ae9c0e5e84b929e0bf758813ca9f36e1956200729078 | pdf-javascript-stream | PDF /JS object 103 at offset 0x7C590 | 64 bytes |
| javascript_obj0104_048.js | eeb4d5702a73114c9d972ed94e900ebf3ed4ed430394ce24c21e2b2ea11a44e9 | pdf-javascript-stream | PDF /JS object 104 at offset 0x7C603 | 224 bytes |
| javascript_obj0109_050.js | b25caa2f46c8228a3f893c0730db0bb1f0a3b16d41c3c5809f439bbff159021f | pdf-javascript-stream | PDF /JS object 109 at offset 0x7C83F | 54 bytes |
| javascript_obj0110_051.js | f3f44e03b5527709489f088b646efb2c0eb5fc3144eeac95a424565e18192350 | pdf-javascript-stream | PDF /JS object 110 at offset 0x7C8AC | 32 bytes |
| javascript_obj0118_052.js | 978172c44b9564260d45a8fff4481dcbe5aa8cc236acea40fa40052e901ebebe | pdf-javascript-stream | PDF /JS object 118 at offset 0x7CBFC | 69 bytes |
| javascript_obj0121_055.js | 7eb6e68ba99fd04a3029e1b9b62ad471af69ec1bae89d138655c0df7d687dd48 | pdf-javascript-stream | PDF /JS object 121 at offset 0x7CD0E | 50 bytes |