Verdict: MALICIOUS
Risk Score: 84
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
The PDF file is heavily obfuscated, as indicated by its high stream count and by encryption combined with JavaScript. Embedded JavaScript streams were extracted, suggesting that the document's primary purpose is to execute malicious code. This code likely downloads and executes a second-stage payload, a common technique for delivering malware. The presence of AcroForm buttons with action triggers further supports the malicious intent.
Heuristics 5
- Encrypted PDF carries /OpenAction — payload hidden from static analysis [high, PDF_ENCRYPTED_WITH_JS]: PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- Unusually high stream count [medium, PDF_MANY_STREAMS]: PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
- JavaScript action [low, PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger [low, PDF_ACROFORM_BUTTON]: PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
Extracted artifacts 32
Files carved from inside the sample during analysis.