Verdict: MALICIOUS
Risk Score: 82

Malware Insights
MITRE ATT&CK: T1059.001 (PowerShell)
The PDF contains multiple embedded JavaScript streams, with a high-confidence heuristic firing for eval() usage. This indicates the script is designed to execute arbitrary code. The presence of embedded files and JavaScript actions suggests a downloader or dropper functionality. The specific JavaScript streams are listed as IOCs, but their exact behavior is obscured by obfuscation.
Heuristics (8)

- eval() call [high, PDF_EVAL]: eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
- JavaScript action [low, PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file [low, PDF_EMBEDDED]: PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
- String.fromCharCode [low, PDF_FROMCHARCODE]: String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
- AcroForm button with action trigger [low, PDF_ACROFORM_BUTTON]: PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
- PDF paints image(s) but contains no text operators [info, PDF_IMAGE_ONLY_LURE]: PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/iX/1.0/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://purl.org/dc/elements/1.1/
Extracted artifacts (32)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| ClientEnvironment | fd6693dc5f3baaff40af3ffe1bae4cbb45fea3c5628c0f91e2f62fe208e67d8d | pdf-embedded-file | PDF EmbeddedFile object 26 at offset 0x399F2 | 1071 bytes |
| javascript_obj0604_000.js | 1a1595bfc65af92d241ad8340189da23ec09068b6c2d672b12112da7bf490790 | pdf-javascript-stream | PDF /JS object 604 at offset 0x30647 | 83 bytes |
| javascript_obj0605_001.js | e57b1390406b55e6780ce1ad705c15c71d41dc96f7b1685b06d8f4ec36eec39a | pdf-javascript-stream | PDF /JS object 605 at offset 0x306CA | 83 bytes |
| javascript_obj0608_003.js | c457b1eeddf01ee7c72ce49d6e32a6719275b9364eed7087983dc42efc600f94 | pdf-javascript-stream | PDF /JS object 608 at offset 0x30811 | 103 bytes |
| javascript_obj0609_004.js | 5e0f471ae6cfb000bb23e8a68b0da15bd778c4c4ea38372190c50aec5f620514 | pdf-javascript-stream | PDF /JS object 609 at offset 0x308AF | 107 bytes |
| javascript_obj0610_005.js | afb075d32dd04f0737e8efc7da535e664f50b1ecfd2052ad6c42851a8b8b3b3a | pdf-javascript-stream | PDF /JS object 610 at offset 0x3094E | 83 bytes |
| javascript_obj0612_006.js | fa7faae1cc8c7e548226854c419048b4c67e13996a2223c2021fddc0a687e24f | pdf-javascript-stream | PDF /JS object 612 at offset 0x30A54 | 75 bytes |
| javascript_obj0613_007.js | d755f2e386ead3ae08bfb8ba9f57ff7e3a2cdf1770ba1d07eb023f3abd5720ff | pdf-javascript-stream | PDF /JS object 613 at offset 0x30AD0 | 74 bytes |
| javascript_obj0614_008.js | a24b725ef687e001314b8d844044c9e695094387c49328b931c0625a906f0073 | pdf-javascript-stream | PDF /JS object 614 at offset 0x30B4A | 74 bytes |
| javascript_obj0615_009.js | 3ab09c62be35d6f648ad0620334b5d8d3f633c9e0007d63d6da976d616417948 | pdf-javascript-stream | PDF /JS object 615 at offset 0x30BC4 | 74 bytes |
| javascript_obj0621_010.js | 6b3fb62a3e8aed04cab9926785df98d32daff5e6982b811703e9d5641321eb7f | pdf-javascript-stream | PDF /JS object 621 at offset 0x30F4A | 103 bytes |
| javascript_obj0623_011.js | 8cb730cbf37633682066b2fc9ef2eb883eadd52526b1b84d623ee22c02dd0931 | pdf-javascript-stream | PDF /JS object 623 at offset 0x31029 | 108 bytes |
| javascript_obj0624_012.js | b236dde897c7c7343820c93a02eb78e263dcb9bd94afd9bb882b604fcff3db1e | pdf-javascript-stream | PDF /JS object 624 at offset 0x310CA | 102 bytes |
| javascript_obj0626_013.js | 9dbf67cf8ec4ccd4ae8c0f998f782beb1eb5782d87b141ac42144d3cae2823f2 | pdf-javascript-stream | PDF /JS object 626 at offset 0x311A7 | 108 bytes |
| javascript_obj0627_014.js | 374da50f14678a295e417eea071d7aa1c0ab47fca0ae9ffde22f8a4b0ac322fd | pdf-javascript-stream | PDF /JS object 627 at offset 0x31248 | 105 bytes |
| javascript_obj0628_015.js | b6b89238a2d8b58400274afb8f9a6a86ae8269dcc61d78b321f90b0937c63822 | pdf-javascript-stream | PDF /JS object 628 at offset 0x312E7 | 83 bytes |
| javascript_obj0630_016.js | 64b881aeb9e5e65a0406f2730919429beadfd0893ed2674d4758d1c979dc293f | pdf-javascript-stream | PDF /JS object 630 at offset 0x313ED | 107 bytes |
| javascript_obj0632_017.js | 0ec427a7c35fad626a8063edade41129f3fcab642eede5852563ddb3ce25b267 | pdf-javascript-stream | PDF /JS object 632 at offset 0x314CD | 83 bytes |
| javascript_obj0634_018.js | 146d51e549052422ee005a9396f33bb549a85e38112ef7803353defec870b99d | pdf-javascript-stream | PDF /JS object 634 at offset 0x315D3 | 83 bytes |
| javascript_obj0637_019.js | eca48326f2eabb04ce6b145c12f53b17c3513cfd919632f36c48293ca756e9b7 | pdf-javascript-stream | PDF /JS object 637 at offset 0x3175C | 65 bytes |
| javascript_obj0639_020.js | 72615f0b36a0023f5f179574e0aee6532e3eef6010476db03c8ec457826afeac | pdf-javascript-stream | PDF /JS object 639 at offset 0x31848 | 122 bytes |
| javascript_obj0655_031.js | 75a5e81c524fcd598f560fcb5eaab1fc374841d9afb7828a29bdb538c972017d | pdf-javascript-stream | PDF /JS object 655 at offset 0x31D20 | 35 bytes |
| javascript_obj0658_032.js | 953a047a34f453bed455da01fd86dabc8697abbcfc4281d985cd56b928508178 | pdf-javascript-stream | PDF /JS object 658 at offset 0x31F5A | 74 bytes |
| javascript_obj0660_033.js | c20144e5151178531412ab7a66fac499fe5141667357d2130a17cdb927361ce5 | pdf-javascript-stream | PDF /JS object 660 at offset 0x3204E | 74 bytes |
| javascript_obj0662_034.js | aa71278c61c4cc9dfed88c2d729b9764c09be2cba1bef7e8cdd5b2b9a4804863 | pdf-javascript-stream | PDF /JS object 662 at offset 0x32142 | 75 bytes |
| javascript_obj0664_035.js | 9f0fa221f1002da3b4ab4aa3e5b280dc5a8f1f90a973316f53dd0f11749de908 | pdf-javascript-stream | PDF /JS object 664 at offset 0x3223A | 75 bytes |
| javascript_obj0666_036.js | 18af4d0680179aa87c07743068e455f7c9e15b8cc8a42e3d2526ce3a5878fd51 | pdf-javascript-stream | PDF /JS object 666 at offset 0x32330 | 75 bytes |
| javascript_obj0668_037.js | e7f46a1999896d3a1b87d488844e7370d0985d0a928a13948a5c8941ec2d7a9b | pdf-javascript-stream | PDF /JS object 668 at offset 0x32426 | 75 bytes |
| javascript_obj0670_038.js | 02f10f2fbe778d2fe313c28aa578e771b8134afdbf7155af714cd2bd40838d08 | pdf-javascript-stream | PDF /JS object 670 at offset 0x3251C | 75 bytes |
| javascript_obj0672_039.js | e1c76bd12e4a6721d4846c41b98802e3f8f75b3f7b6a5effe390f6db872a8ebe | pdf-javascript-stream | PDF /JS object 672 at offset 0x32612 | 75 bytes |
| javascript_obj0674_040.js | 460a2f223c4ac697fa8fdbc7a59f08502733e415271b9c4056f00f451d684dc9 | pdf-javascript-stream | PDF /JS object 674 at offset 0x32708 | 75 bytes |
| javascript_obj0681_041.js | 585f1d8c4c3d693003c17580965c2ed1096c8e9dc5840f3a813aea446746ae7a | pdf-javascript-stream | PDF /JS object 681 at offset 0x32A9D | 106 bytes |