Malicious PDF — malware analysis report

Heuristics 8

• Embedded PDF child has suspicious static findings critical PDF_EMBEDDED_CHILD_STATIC_TRIAGE
  PDF contains an embedded PDF stream whose extracted child matches suspicious or malicious PDF heuristics. Wrapper PDFs are commonly used to hide the actual exploit or lure payload from scanners that do not recursively inspect attachments.
• PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
  PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
• Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
  PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
• Embedded file low PDF_EMBEDDED
  PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
• JavaScript action low PDF_JAVASCRIPT
  PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• XFA form low PDF_XFA
  PDF uses XML Forms Architecture — can contain script logic
• Remote GoTo action info PDF_GOTO_REMOTE
  PDF has GoToR/GoToE actions that reference sibling document files — typical of multi-part document bundles

Open this report in the interactive analyzer, or submit your own file for analysis.