Suspicious
Unsigned JavaScript exhibiting process injection and credential-dumping techniques; tier-1 engines silent but heuristics flagged malware-like behaviour.
4f4d54e702245a2c41…4da140c716
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file presents a mixed-signal profile. On one hand, the triggered heuristics (MalwareTips.Synth.ProcessInjection and MalwareTips.Synth.CredentialDumper) name specific offensive techniques — process injection via CreateRemoteThread/APC and LSASS memory access — that are hallmarks of credential-theft malware like Mimikatz. The MITRE technique set (T1055, T1082, T1071, T1027, T1064) aligns with post-exploitation activity. On the other hand, the complete silence from 17 tier-1 engines (Microsoft Defender, Kaspersky, ESET, BitDefender, Fortinet, Avast, Avira, Emsisoft, GData, Ikarus, DrWeb, F-Secure, and others) is a strong counter-signal — genuine malware families are typically caught by at least one tier-1 vendor. The sandbox did not return a malicious verdict despite observing the suspicious behaviour, and no external-intel sources (CIRCL, YARAify, MalwareBazaar) have flagged the sample. The file is unsigned, generic-named, and 130 days old with only 2 submissions, which does not fit the profile of an active malware campaign. The most likely explanation is that the heuristics detected legitimate-but-suspicious script activity (e.g., a system-administration or penetration-testing script) rather than weaponized malware.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- tier1Malicious=0; 17 tier-1 engines (Avast, BitDefender, ESET, Kaspersky, Microsoft, Fortinet, Ikarus, Emsisoft, GData, Avira, DrWeb, F-Secure) all reported undetected
- triggeredHeuristics: MalwareTips.Synth.ProcessInjection (T1055) + MalwareTips.Synth.CredentialDumper (LSASS targeting) both fired with high/medium severity
- behaviour.mitreTechniques=[T1027, T1055, T1064, T1071, T1082]; offensiveTechniques=[T1055] — process injection is an offensive-only technique
- No external-intel hits (CIRCL, YARAify, MalwareBazaar all negative); no similar-hash RAG entries; no malicious sandbox verdict recorded
- Unsigned JavaScript; generic filename; no brand mismatch; prevalence medium (2 submitters, 130 days) — not rare-new
- All 17 tier-1 antivirus engines reported undetected — strong signal against malware classification
- No external-intel corroboration (CIRCL, YARAify, MalwareBazaar all negative) — not in researcher-curated threat databases
- No malicious sandbox verdict recorded — sandbox did not classify behaviour as conclusively malicious
- File age 130 days with only 2 submissions — low prevalence inconsistent with active malware campaign
- Process injection (T1055) heuristic triggered — suggests attempt to hide code in legitimate process
- LSASS access detected — consistent with credential-dumping malware
- Unsigned script — no publisher verification or code integrity
- Multiple system processes spawned — could indicate privilege escalation or lateral movement
- Obfuscation techniques detected (T1027) — suggests intent to evade detection
Treat this file as suspicious pending manual code review. The heuristic alerts warrant caution, but the tier-1 engine silence and lack of external-intel corroboration suggest a false positive or benign-but-suspicious script. Do not execute on production systems without understanding its source and purpose; if it is a legitimate tool, whitelist it after verification.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\System32\svchost.exe -k NetworkService -p
Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
Evidence: C:\Windows\system32\lsass.exe
0 detections across 76 engines
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: scripts.js
- Size: 17.0 KB
- MIME type: (unknown)
- Detected type: JavaScript
- SHA-256: 4f4d54e702245a2c411f04125658a4d6b8aa8c553bd7c3bfd978214da140c716
- MD5: 0f1c7eae2cdae9ad9dd34fb0faee38ca
- SHA-1: 20028debf3175f129a0cbc490e9464d63d896fc1
- First seen (VT): 2/16/2026, 10:26:45 AM
- Last analysis (VT): 2/16/2026, 10:26:45 AM
- First scan (MalwareTips): 6/26/2026, 4:15:35 PM
- Last scan (MalwareTips): 6/26/2026, 4:15:35 PM
Reviews & malware reports (0)