Verdict: MALICIOUS
Risk Score: 86
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
This PDF file exhibits multiple indicators of malicious intent, including the presence of JavaScript actions and streams, and it is encrypted while carrying that JavaScript. The high stream count suggests obfuscation techniques are in use. The PDF is also flagged as an 'IMAGE_ONLY_LURE', indicating it may be using images to disguise its true purpose. The primary attack vector appears to be the execution of hidden JavaScript, likely to download and execute a second-stage payload.
Heuristics (6)
- Encrypted PDF carries /JavaScript — payload hidden from static analysis [high] (PDF_ENCRYPTED_WITH_JS): PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- Unusually high stream count [medium] (PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
- JavaScript action [low] (PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low] (PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Optional Content Group with action trigger [low] (PDF_OPTIONAL_CONTENT): Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open.
- PDF paints image(s) but contains no text operators [info] (PDF_IMAGE_ONLY_LURE): PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj1195_000.js | dede7c1bec4e3ba6038ae0eee7019448b47b342744590a7ce4d9112ae6c914a9 | pdf-javascript-stream | PDF /JS object 1195 at offset 0x694BF | 64 bytes |
| javascript_obj1196_001.js | 9344a95a3c865b018da87506dd6a4b329aac50250b903b7ae56898e2d4da0ea4 | pdf-javascript-stream | PDF /JS object 1196 at offset 0x69529 | 64 bytes |
| javascript_obj1197_002.js | f6a796da10e35c7b75a8637f795a2e5f6386e016a9a4a25e2dd5485a1e4b3a8e | pdf-javascript-stream | PDF /JS object 1197 at offset 0x69594 | 64 bytes |
| javascript_obj1207_003.js | bc2eeaf936a8f13b239103b024bbaff22d1d771a65329e818439494d872c6d98 | pdf-javascript-stream | PDF /JS object 1207 at offset 0x6962E | 48 bytes |
| javascript_obj2660_004.js | 91937ea56d25bbdd093ea721a5939dacd9183f06c1f5070af199396c940081f8 | pdf-javascript-stream | PDF /JS object 2660 at offset 0x6A092 | 64 bytes |
| javascript_obj2661_005.js | 8681cdade361c9359efac3342d89060ab0b67a407816cb36bf8d5100037c1286 | pdf-javascript-stream | PDF /JS object 2661 at offset 0x6A0FC | 64 bytes |
| javascript_obj2664_006.js | f9f9d05bd7d230616eadd41946a45c9e7fad50ba9722af422ecc42b8551dc29d | pdf-javascript-stream | PDF /JS object 2664 at offset 0x6A241 | 64 bytes |
| javascript_obj2668_007.js | 77e8709e757e1861d3c1576dea17a0a31533ba269a6177140da11f0cc5b6ad08 | pdf-javascript-stream | PDF /JS object 2668 at offset 0x6A386 | 64 bytes |
| javascript_obj2669_008.js | ba8861a33d9505c54717f5269cddca7c5ad6bdad4645756e6907bc6ab7a22270 | pdf-javascript-stream | PDF /JS object 2669 at offset 0x6A3F0 | 64 bytes |
| javascript_obj2670_009.js | 64d5cd9d3768920989bad91221e7e191d90bcb1d3929d47652eccabe28b49c1e | pdf-javascript-stream | PDF /JS object 2670 at offset 0x6A45A | 64 bytes |
| javascript_obj2775_010.js | 76f1622a4072f0bf5fdd840569d7fd1696537a3d307eee9193399eb5e5346482 | pdf-javascript-stream | PDF /JS object 2775 at offset 0x9E573 | 64 bytes |
| javascript_obj2789_011.js | 42095bc56f88f4f4db5ff15252c0341afb8a173e18fc3cbcc5035f2db7d324fc | pdf-javascript-stream | PDF /JS object 2789 at offset 0x9EA31 | 64 bytes |
| javascript_obj2797_012.js | 09a407edc01e13b8b5f721d643ddb541fec04d9c271769a4ffc5819f89411c29 | pdf-javascript-stream | PDF /JS object 2797 at offset 0x9EB7E | 64 bytes |
| javascript_obj2811_013.js | 7946aefe74851b16aad53ea29d854ae3e7481eda590a5d424c7fb300226fe733 | pdf-javascript-stream | PDF /JS object 2811 at offset 0x9ECCA | 64 bytes |
| javascript_obj2841_014.js | f0c27c0ff6df75f5030dade28466a6effb234922d469b6dc86d2838ef20a6011 | pdf-javascript-stream | PDF /JS object 2841 at offset 0x9EE15 | 64 bytes |
| javascript_obj2855_015.js | c4afa885bc9b0027a3e70185726be0ca5e86f9153b65ed5060b7b4d47d52ff2f | pdf-javascript-stream | PDF /JS object 2855 at offset 0x9EF5E | 64 bytes |
| javascript_obj2869_016.js | 9d8992e552f9e59442b9c9cd64e395e009f5119c5ad78385f5922a448ac42989 | pdf-javascript-stream | PDF /JS object 2869 at offset 0x9F0A8 | 64 bytes |
| javascript_obj2886_017.js | 7f156b6bd977cfe0e0f9bc728dca2e51b590ef3577208e0182f254ff30ef0ba1 | pdf-javascript-stream | PDF /JS object 2886 at offset 0x9F1F5 | 64 bytes |
| javascript_obj2894_018.js | 7d3213aea931065661e61e48ba7e338b0d514182067d62169f6c5edee997b936 | pdf-javascript-stream | PDF /JS object 2894 at offset 0x9F33F | 64 bytes |
| javascript_obj2911_019.js | d2ecef96f4ee423503b6a3193a6937d76ebb977cb3aa269f731ff4e544230314 | pdf-javascript-stream | PDF /JS object 2911 at offset 0x9F48A | 64 bytes |
| javascript_obj2920_020.js | 1e2d2d11653ba7b2b2db2e4b31bc1e4b0edfbaee359642d2726ac6cd458c216b | pdf-javascript-stream | PDF /JS object 2920 at offset 0x9F5CB | 80 bytes |
| javascript_obj2921_021.js | fca330614a319e1f6c2f5a42cc3036f8f77391825f8750c9bab4dab523234482 | pdf-javascript-stream | PDF /JS object 2921 at offset 0x9F646 | 64 bytes |
| javascript_obj2922_022.js | 25fe2424c53cc5bbe03948135e4dd1c2059eabc027d06ab7d54fe9d381372284 | pdf-javascript-stream | PDF /JS object 2922 at offset 0x9F6B2 | 64 bytes |
| javascript_obj2925_023.js | 4faa2232e914468cb1e5da0451f9700506bd5a2dff34a2b1dac7e52306562566 | pdf-javascript-stream | PDF /JS object 2925 at offset 0x9F7F4 | 80 bytes |
| javascript_obj2926_024.js | 6a9c113596594836da4aaaa49d960e424851d34fefe6b9e58670dfeca8b16474 | pdf-javascript-stream | PDF /JS object 2926 at offset 0x9F86E | 64 bytes |
| javascript_obj2927_025.js | c06f93acd475061b37ca81922ca88a0cab8404c2f2d4d28a1dd70f56ea6f0750 | pdf-javascript-stream | PDF /JS object 2927 at offset 0x9F8D7 | 64 bytes |
| javascript_obj2930_026.js | 0e8810346c62f2c0681669641a6553814fb37466cc0af49d228745420a08364c | pdf-javascript-stream | PDF /JS object 2930 at offset 0x9FA19 | 80 bytes |
| javascript_obj2931_027.js | e8652aeaa282969d53c86df935e1bcf13e06b1d99859927356502e28f72cf783 | pdf-javascript-stream | PDF /JS object 2931 at offset 0x9FA93 | 64 bytes |
| javascript_obj2932_028.js | 97237a2cedadd279855cb515c3c6483071424ca7fa04ea5c0b600460d19791e8 | pdf-javascript-stream | PDF /JS object 2932 at offset 0x9FAFE | 64 bytes |
| javascript_obj2946_029.js | d8e31bce748877f2bdc7ef15c8a42351f70deae495c92f1b4e1ddd14daa0b32b | pdf-javascript-stream | PDF /JS object 2946 at offset 0x9FC4C | 64 bytes |
| javascript_obj2948_030.js | 3c70927a7233ea2f47644596ea42b81015383b22b53a277bc4570b54378573db | pdf-javascript-stream | PDF /JS object 2948 at offset 0x9FDAF | 64 bytes |
| javascript_obj2950_031.js | 3b2be3a9bc913915d7a670817ae9d3f1a5a758cc2bed085631217b91af4fa1e7 | pdf-javascript-stream | PDF /JS object 2950 at offset 0x9FF11 | 64 bytes |