Verdict: MALICIOUS
Risk Score: 84
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The PDF file contains numerous embedded JavaScript streams, with one stream being particularly large, suggesting it contains obfuscated malicious code. The presence of PDF_ENCRYPTED_WITH_JS and PDF_MANY_STREAMS heuristics indicates that the PDF is intentionally obfuscated and uses JavaScript to bypass static analysis, likely to download and execute a second-stage payload. The AcroForm button with an action trigger further supports the execution of embedded scripts.
Heuristics (5)
- [high] PDF_ENCRYPTED_WITH_JS: Encrypted PDF carries /OpenAction — payload hidden from static analysis. PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- [medium] PDF_MANY_STREAMS: Unusually high stream count. PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
- [low] PDF_JAVASCRIPT: JavaScript action. PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- [low] PDF_JS: Embedded JS stream. PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- [low] PDF_ACROFORM_BUTTON: AcroForm button with action trigger. PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj1638_000.js | 1fe829dcf4e01eb397271ff8d2ed9be8e9faaf7b374731f5ccfd2f905cebe200 | pdf-javascript-stream | PDF /JS object 1638 at offset 0x340A | 245 bytes |
| javascript_obj1747_001.js | caf3b8fa85be200fba6b10d0e02600639658beba236b2454dc2329334d3e0fb3 | pdf-javascript-stream | PDF /JS object 1747 at offset 0xBE402 | 39 bytes |
| javascript_obj1748_002.js | c7070492540aefad1b6e649570be333ba6924357451f48bb6b796d528e1c652d | pdf-javascript-stream | PDF /JS object 1748 at offset 0xBE452 | 42 bytes |
| javascript_obj1749_003.js | b8789969665e37c19d27dde511a8ae2bd9572a3ea49d1c333fe0721d048c690a | pdf-javascript-stream | PDF /JS object 1749 at offset 0xBE4A5 | 37 bytes |
| javascript_obj1750_004.js | c52b7823aad47d21c0e6e5c38f3bb7779a88cafabd01688640fb6d90ac0e53ea | pdf-javascript-stream | PDF /JS object 1750 at offset 0xBE4F3 | 39 bytes |
| javascript_obj1751_005.js | 029f40fa6018e2c30d2a41126c59fbc54f740ae18216004345ef17c2189a4215 | pdf-javascript-stream | PDF /JS object 1751 at offset 0xBE542 | 42 bytes |
| javascript_obj1752_006.js | c9edf41a5abdf366cfebc5cb83fb6cddb83d18aa19883d24a4570c10987bbaf4 | pdf-javascript-stream | PDF /JS object 1752 at offset 0xBE595 | 37 bytes |
| javascript_obj1753_007.js | 0cf83b116f669aa66bb52563c757df9e8a5f0cd0fef881aa1695cf7726a7e98a | pdf-javascript-stream | PDF /JS object 1753 at offset 0xBE5E4 | 39 bytes |
| javascript_obj1754_008.js | ddbcccaee01322d5905a6734feb04291fd0b809e2dbafaacc8f62994b3c400c7 | pdf-javascript-stream | PDF /JS object 1754 at offset 0xBE633 | 42 bytes |
| javascript_obj1755_009.js | 3b65b448c7c8a8dd93cd2902f4abe1e01290f833e1afd66d1dc39ad9a4cb54dd | pdf-javascript-stream | PDF /JS object 1755 at offset 0xBE687 | 37 bytes |
| javascript_obj1756_010.js | a367086a3e0171402e2153203a6eee2b865c274b4176755b2ce3ce28a9b61a4f | pdf-javascript-stream | PDF /JS object 1756 at offset 0xBE6D4 | 39 bytes |
| javascript_obj1757_011.js | 32d9e500377026f11ccb7c75c80fe6b07bd4a33402b88feb48bea58684adf231 | pdf-javascript-stream | PDF /JS object 1757 at offset 0xBE723 | 42 bytes |
| javascript_obj1759_012.js | 43a5f863e43e24d19b0c5eebfdb295a177a2eca93268b1130df33e412daab0ee | pdf-javascript-stream | PDF /JS object 1759 at offset 0xBF1E4 | 39 bytes |
| javascript_obj1760_013.js | 0cb7f5ecc8cd98cab776f9a9ec9c06bda5e1acc65baae23e61a62a64a72f6912 | pdf-javascript-stream | PDF /JS object 1760 at offset 0xBF234 | 42 bytes |
| javascript_obj1761_014.js | 92e61d17feda1dcbd5d7bc55c2080f4fe32fa4e5b8410be4d51e5b6dbf4a2298 | pdf-javascript-stream | PDF /JS object 1761 at offset 0xBF286 | 37 bytes |
| javascript_obj1762_015.js | 4cc65c8fae03f82bbdefb305ae36637937eeec7833dfbe415717bb9ae3df1a72 | pdf-javascript-stream | PDF /JS object 1762 at offset 0xBF2D4 | 39 bytes |
| javascript_obj1763_016.js | c534c2511dc787e5ed4613f2793f50eb88985353ff7fc59af52031317ef4c93a | pdf-javascript-stream | PDF /JS object 1763 at offset 0xBF325 | 42 bytes |
| javascript_obj1764_017.js | 776f183088dcc80611d4c2c18ca33ceb4c17324aa078b5334cdf25988e4cc679 | pdf-javascript-stream | PDF /JS object 1764 at offset 0xBF378 | 37 bytes |
| javascript_obj1767_018.js | a6f99b982d577a3fe08f113f07cfa86dbfdfdd64929da325b007a3baaa8f167a | pdf-javascript-stream | PDF /JS object 1767 at offset 0xBFF12 | 87 bytes |
| javascript_obj1769_019.js | ace0219713c2c1eef47f5790014a4f93abf0254287dbbfde117fd8fefc0d48ca | pdf-javascript-stream | PDF /JS object 1769 at offset 0xC2885 | 37 bytes |
| javascript_obj1772_020.js | 228e2d65e57649eb0c36090ac8f1d1bff0d09ab80575d1427af567c8d05bd3d5 | pdf-javascript-stream | PDF /JS object 1772 at offset 0xC292F | 39 bytes |
| javascript_obj1773_021.js | decd7b258cd23a05134260367c00e24908aebb6b7b945206ad59640c2f96b61e | pdf-javascript-stream | PDF /JS object 1773 at offset 0xC297E | 42 bytes |
| javascript_obj1774_022.js | 751cc256de067cbbb3f063dd27daff2dc18ac963e1fe50d823bfdfd397e6ebb4 | pdf-javascript-stream | PDF /JS object 1774 at offset 0xC29D1 | 37 bytes |
| javascript_obj1775_023.js | 265f95670cf4ff17bed23880ea1e8300a94635a3ae069fafadbef98340bdef90 | pdf-javascript-stream | PDF /JS object 1775 at offset 0xC2A1E | 39 bytes |
| javascript_obj1776_024.js | 53a2ca307e34704fb195caac7799032eaab5d1e2281ddd5b93e741cf2d3cbeac | pdf-javascript-stream | PDF /JS object 1776 at offset 0xC2A6D | 42 bytes |
| javascript_obj1777_025.js | 9879bb82dc7acc0159f569b1b6f99139e8ae3eddbd9870ba80bfef649060f6c7 | pdf-javascript-stream | PDF /JS object 1777 at offset 0xC2AC0 | 36 bytes |
| javascript_obj1780_026.js | 2c8a3bf8e78dd3be78cf9f7ef0b743d7752cf374cfb79dca2e1f3e3a98efbc66 | pdf-javascript-stream | PDF /JS object 1780 at offset 0xC2E7C | 39 bytes |
| javascript_obj1781_027.js | 54419b3bdbd42bc2364e53ddad5deb08b26ccce1d2292dce07684197794f8e37 | pdf-javascript-stream | PDF /JS object 1781 at offset 0xC2ECB | 42 bytes |
| javascript_obj1782_028.js | 3145b24874b24089e7d9604722750e73c8ee8cdb3323e6810bc80f1fa6408b45 | pdf-javascript-stream | PDF /JS object 1782 at offset 0xC2F1E | 37 bytes |
| javascript_obj1783_029.js | 12a89547f22df9d6456ca84bd25a4e7470ce0f632951deda10c1b145e4b8d5d8 | pdf-javascript-stream | PDF /JS object 1783 at offset 0xC2F6C | 39 bytes |
| javascript_obj1784_030.js | d73bbef35035330584e60c4e5e3e3d8f405d475b3738c17a3f1f9f608de788f3 | pdf-javascript-stream | PDF /JS object 1784 at offset 0xC2FBB | 42 bytes |
| javascript_obj1785_031.js | e7c74817cd2c2240677c6923521725f6e621c0153d5fb7c53b5a42397c83ebe3 | pdf-javascript-stream | PDF /JS object 1785 at offset 0xC300E | 37 bytes |