MALICIOUS
86
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
This PDF file contains multiple embedded JavaScript streams, with a high-confidence heuristic indicating the use of eval(). The presence of 'PDF_EVAL' and 'PDF_JAVASCRIPT' firings strongly suggests that the embedded JavaScript is being executed to perform malicious actions. The 'SE_INVOICE_LURE' heuristic indicates the document's content is likely a social engineering lure, such as a fake invoice, to trick the user into interacting with the malicious JavaScript. The script's primary function appears to be downloading and executing a second-stage payload, though the specific URLs are benign or not extractable from the provided evidence.
Heuristics 7
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
-
Unusually high stream count medium PDF_MANY_STREAMSPDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/pdfx/1.3/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_005_off0000555f.js397d6d93509729635feadda45f42ca06d8eee196605e12f33727fb40f1e0bf34 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x555F | 1733 bytes |
stream_010_off00005f4c.js90938c24c12786726edac836c851be790bdf7dafb4ba39ce49d699b370fbc6a7 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5F4C | 2603 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
stream_023_off00009a5a.js581f96ec2439a629d74b72fd7c4d79f4206a32c4201b16200963e926de6537c9 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9A5A | 1335 bytes |
stream_024_off00009e04.js5d15eb90420722f085af111c6ed741abe9edad934bf21ba7abb56565b819592a |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9E04 | 6185 bytes |
stream_027_off0000b16e.jsbd2a9d944551986148e039b9b0a48c4e2ffead07147f443a674c4f6cac45ce7a |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB16E | 3571 bytes |
stream_033_off0000ec01.jsbe886aa50ffd41d0f9f4bb94f73da4b20c91f2b1824b291d0c032bc89cd32d41 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xEC01 | 2854 bytes |
stream_035_off0000f4de.js0ef5fc61610dd937a75f12093b45d7e0400f4af4d4de04fa55635a958deb799a |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF4DE | 9578 bytes |
stream_036_off000102bc.jsfd4206c0f8abd34382910d01440d530a49a308bebc9255abfab3a8c7f0ef0948 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x102BC | 55526 bytes |
stream_113_off000522e9.jsc62452289174129ae9f1884517087d88190df9441697ca1554048d3085a4ac49 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x522E9 | 3995 bytes |
stream_114_off000525e7.jse7709df0953c5b6d8034f200cd906a0667a63e3a914613ea1b36426643643b3f |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x525E7 | 493 bytes |
objstm_5166_00.bin176a93f181260c558770201df31e0333e1ec7b2dcdbfa9ebb3a83c9f866129b1 |
pdf-objstm-decoded | PDF /ObjStm 5166 0 obj (inflated) | 23266 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
objstm_5167_00.binc9c3984ebfed5aa05480792239f16f54430176c9e0affbd4d1bcadd18ac8f6f4 |
pdf-objstm-decoded | PDF /ObjStm 5167 0 obj (inflated) | 20971 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 long base64-like blob(s).
|
|||
objstm_5168_00.bin22456c1df2f51a282e7f0079fbfeea91118be2ac6a9da7c2edfd99586a722953 |
pdf-objstm-decoded | PDF /ObjStm 5168 0 obj (inflated) | 1406 bytes |
objstm_5169_00.binc668b0d1dbe7d2b11f9e8719b55e47399fe2383e237525ee834b333d3e8272b4 |
pdf-objstm-decoded | PDF /ObjStm 5169 0 obj (inflated) | 5511 bytes |
font_00_cff_off00023c6f.bina04f6dce4f42a1ee29a202744df41c1d0e3e799890553355fab878b9cc66d1ca |
pdf-font-stream | PDF embedded font (cff) at offset 0x23C6F | 520 bytes |
font_01_cff_off00023ee4.bin2e2e85ed48fd099e74ccc5b552853aed08c098abff4832ec52e45135cc8ccd68 |
pdf-font-stream | PDF embedded font (cff) at offset 0x23EE4 | 3656 bytes |
font_02_cff_off00024bc2.binecc8d45be14cfd57e124d8bfe079bd5ea104ed5f9380215de609beca94b67717 |
pdf-font-stream | PDF embedded font (cff) at offset 0x24BC2 | 3465 bytes |
font_03_cff_off00025786.bin72ed3ac0254744a63361a9df6fe404e2532947389187c6f750fbadf4669118d3 |
pdf-font-stream | PDF embedded font (cff) at offset 0x25786 | 5938 bytes |
font_04_cff_off00026ba4.binf7578711c6050b11dd76327cd64be76ff7933e010ae5ca31bf92a1916508d226 |
pdf-font-stream | PDF embedded font (cff) at offset 0x26BA4 | 5491 bytes |
font_05_cff_off00061589.bin67d1e421bd0c7a3f898ab5b931c68d47f5e43b177bc17f32a5a7c1f354ecf867 |
pdf-font-stream | PDF embedded font (cff) at offset 0x61589 | 5595 bytes |
font_06_cff_off00062847.binf385cd77927c46e6e61f0fb4e94c4013c1f397535ac26c60259ea3bd37ec29fb |
pdf-font-stream | PDF embedded font (cff) at offset 0x62847 | 5226 bytes |
font_07_cff_off000639ce.bincf1c70e46837e195cee642320c5a84c9a8b6c5f47641567ab9bc7e734ddb97e3 |
pdf-font-stream | PDF embedded font (cff) at offset 0x639CE | 4831 bytes |
font_08_cff_off000662c8.bin3a67aa154d48a68f91d3e3f8bfbd74984577bb33ae2884297c85c86bdbca5ff4 |
pdf-font-stream | PDF embedded font (cff) at offset 0x662C8 | 5722 bytes |
font_09_cff_off0006761a.binfe7091e6722f7c526624265598c1d05035b0aa86b57a36280ab2ed80163fb1d4 |
pdf-font-stream | PDF embedded font (cff) at offset 0x6761A | 5290 bytes |
font_10_cff_off000a0601.bin20832658a7e78786bbd255458fc72f68446153e8ac7dc2de650fabe3203f6da8 |
pdf-font-stream | PDF embedded font (cff) at offset 0xA0601 | 1272 bytes |
font_11_cff_off000a5aa7.bine82807c88fa2f82a999af743d15c7b092ae7298f046fef4cb77318d8174b7935 |
pdf-font-stream | PDF embedded font (cff) at offset 0xA5AA7 | 1785 bytes |
font_12_cff_off000bfb67.bine9d8c99cd8e86c97296b34aca921bb89cada95e7fdc670e57e91fbe1f4d5fc95 |
pdf-font-stream | PDF embedded font (cff) at offset 0xBFB67 | 5575 bytes |
font_13_cff_off000c0e5a.bin44b6c4a20c9f4158ecf8d631136faf00b2036773912b2adedd851dbde8372530 |
pdf-font-stream | PDF embedded font (cff) at offset 0xC0E5A | 5594 bytes |
font_14_cff_off000c2169.binbc832621532810b0de266ddbce3f0c75dc71a262b3fee590031a2c9a213bec0b |
pdf-font-stream | PDF embedded font (cff) at offset 0xC2169 | 5718 bytes |
font_15_cff_off000c34a6.bin71a0b47a9760069ed1d891a202f7907382b50649d09282ca2c2555e65a0a5a76 |
pdf-font-stream | PDF embedded font (cff) at offset 0xC34A6 | 6194 bytes |
font_16_cff_off000d393a.bin8bf13b68a963aa01c6c0c8d0d27058616b3d6ce2128eb5a8351519b8adfbdecf |
pdf-font-stream | PDF embedded font (cff) at offset 0xD393A | 2290 bytes |
font_17_cff_off000d5b75.bin8478167736eb2846bb7daa01020dbff1b345e9e205d422727490bb85e89621f9 |
pdf-font-stream | PDF embedded font (cff) at offset 0xD5B75 | 5697 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.