Attachment: PDF with JSFck obfuscation

PDF attachment contains JavaScript obfuscated using JSFck encoding techniques. JSFck is a method of writing JavaScript code using only six characters, []()!+, that is often used to evade detection by security tools.

Sublime rule

name: "Attachment: PDF with JSFck obfuscation"
description: "PDF attachment contains JavaScript obfuscated using JSFck encoding techniques. JSFck is a method of writing JavaScript code using only six characters: []()!+ which is often used to evade detection by security tools."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              .depth == 0
              and any(.scan.yara.matches,
                      .name in ("pdf_jsfck_strings", "pdf_jsfck_ratio")
              )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "YARA"
id: "25af625c-2e3c-5bf9-ae33-8061df95f607"
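The rule relies on two YARA matches whose names suggest a string-based and a ratio-based check. As an added illustration of the ratio idea, the following Python is not Sublime's rule or its YARA logic; the /JS string regex, the length and ratio thresholds, and the two sample PDF bodies are all assumptions constructed for this example.

```python
import re

# The six-character alphabet that JSFck programs are written in.
JSFCK_ALPHABET = set("[]()!+")

# Assumed thresholds (not the values used by the rule's YARA signatures):
# flag a JavaScript payload when it is at least MIN_LEN characters long and
# at least MIN_RATIO of its non-whitespace characters come from the alphabet.
MIN_LEN = 64
MIN_RATIO = 0.9

# Heuristic match for literal /JS (...) string objects in a raw PDF body.
# It does not handle hex strings, encoded streams or encrypted objects,
# which is the kind of gap the rule's file.explode() step exists to close.
JS_STRING_RE = re.compile(rb"/JS\s*\((.*?)\)\s*>>", re.DOTALL)


def jsfck_ratio(js: bytes) -> float:
    """Fraction of non-whitespace characters that belong to the JSFck alphabet."""
    body = bytes(c for c in js if c not in b" \t\r\n")
    if not body:
        return 0.0
    hits = sum(1 for c in body if chr(c) in JSFCK_ALPHABET)
    return hits / len(body)


def extract_js(pdf: bytes) -> list[bytes]:
    """Return the raw contents of every /JS (...) literal found in the PDF bytes."""
    return [m.group(1) for m in JS_STRING_RE.finditer(pdf)]


def is_jsfck_pdf(pdf: bytes) -> bool:
    """True when any embedded JavaScript literal looks like a JSFck program."""
    return any(
        len(js) >= MIN_LEN and jsfck_ratio(js) >= MIN_RATIO
        for js in extract_js(pdf)
    )


# Constructed samples: an ordinary print action and a JSFck-style payload
# built from a repeated six-character fragment (not a working program).
BENIGN_PDF = b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS (this.print\\(\\);) >>\nendobj\n"
JSFCK_FRAGMENT = b"[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]]()"
JSFCK_PDF = b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS (" + JSFCK_FRAGMENT * 2 + b") >>\nendobj\n"

if __name__ == "__main__":
    print("benign:", is_jsfck_pdf(BENIGN_PDF), "jsfck:", is_jsfck_pdf(JSFCK_PDF))
```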