Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a4af8186082394a…

Verdict: MALICIOUS
File type: PDF
Size: 277.5 KB
MD5: 3b3aba4b2a105e065f021492520249fe
SHA-1: 23a2cb22cb58c446de75341d479e27b78a8548f6
SHA-256: 3a4af8186082394affd65df6848feb68835cd85952ef8453127cf8693c61610d
Risk Score: 134

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

This PDF file exhibits multiple high and medium severity heuristic firings indicating malicious intent. Specifically, it contains embedded JavaScript and is encrypted while also referencing that JavaScript, suggesting an attempt to hide a malicious payload from static inspection. The presence of RichMedia (Flash) and the use of ASCIIHexDecode filters further support this. The JavaScript action and embedded JS stream are likely used to download and execute a second-stage payload, though the exact nature of the payload is obscured.

Heuristics (8)

  • RichMedia (Flash) [high] PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector.
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis [high] PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • ASCIIHexDecode filter (with exploit indicators) [medium] PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • PDF differential parser failed [info] PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser exited 1. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.