Malicious PDF — malware analysis report

Static analysis result for SHA-256 3245ded1881bbc5b…

Verdict: MALICIOUS
File type: PDF
Size: 31.2 KB
Created: [encrypted string; the document's /Info values are encrypted together with its strings and streams and do not decode without the key]
Authoring application: [encrypted string] (via [encrypted string])
MD5: cbf3476565c6fe212f64fb2847253d81
SHA-1: 53109ad47ce82c4d38a45ffecd4a0631e0b691e6
SHA-256: 3245ded1881bbc5b0827575a2f3576e25fa9891d6663ec026c51759b8dbfa3be
Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.001 Phishing: Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF contains several indicators of JavaScript execution: a /JavaScript action, a /JS stream reference and an /AA (additional-actions) dictionary that can fire a handler on document or widget events. The PDF_ENCRYPTED_WITH_JS finding means the file also declares /Encrypt, so the JavaScript body and the other stream contents are ciphertext to a static scanner; pairing document encryption with an executable trigger is a known technique for keeping the payload out of reach of static inspection. The combination of hidden, executable content and auto-execution triggers is consistent with a downloader or exploit-delivery document, although the payload itself could not be inspected statically.

Machine Learning

  • Nyx PDF Classifier: score 0.4992 (suspicious)

Heuristics (4 fired)

  • PDF_ENCRYPTED_WITH_JS (high): Encrypted PDF carries /JavaScript, payload hidden from static analysis
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Standard security-handler encryption covers every string and stream in the file, so a static scanner sees the JavaScript body only as ciphertext; combined with auto-execution indicators this is a known evasion pattern for delivering weaponised JavaScript. Note that a document meant to open without prompting the victim must use an empty user password, and in that case the key derives from the empty password and the streams can be recovered before analysis (for example with qpdf --decrypt); only a non-empty user password truly locks the analyst out. The dictionary keys themselves (/JavaScript, /JS, /AA) are not encrypted, which is why this rule can still fire on the raw file.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_AA (low): Additional-actions dictionary
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm), which can auto-trigger on document or widget events. Form-field calculate/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.).