MALICIOUS (Risk Score 72)
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1027 Obfuscated Files or Information
This PDF file exhibits multiple indicators of malicious intent, including JavaScript actions and embedded /JS streams. The PDF is also encrypted while carrying that JavaScript, which is a strong indicator that the payload is intentionally hidden from static analysis. The heuristics suggest that the JavaScript is used to obfuscate or conceal the malicious content, likely to deliver a second-stage payload. No specific IOCs were extracted, and the document body was unreadable.
Heuristics (5)
- Encrypted PDF carries /JS — payload hidden from static analysis (high, PDF_ENCRYPTED_WITH_JS): PDF declares /Encrypt and also references an executable trigger (/JS). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- ASCII85Decode filter (with exploit indicators) (low, PDF_FILTER_85): ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0136_000.js | 27b240afbce3624704f69f06ca89158b18595d4c8ba95b395fa60cf59f5593f3 | pdf-javascript-stream | PDF /JS object 136 at offset 0x11938 | 38 bytes |
| javascript_obj0137_001.js | 3daba3bc025bf89aeb1d85c8a8c1f1f6e59e11fa0f7d8a49c8475ce971877a45 | pdf-javascript-stream | PDF /JS object 137 at offset 0x1198A | 41 bytes |
| javascript_obj0138_002.js | 1b9c880f2c0846a4952f2130166f3ca952296e464819ed350e33398198f760af | pdf-javascript-stream | PDF /JS object 138 at offset 0x11A8D | 38 bytes |
| javascript_obj0139_003.js | 7374f72c1d04660177dc0e8b00c54caedf46bf883d0660cb2412268eaca9c65d | pdf-javascript-stream | PDF /JS object 139 at offset 0x11AE2 | 41 bytes |
| javascript_obj0140_004.js | 4911e54149709cd05b14753ddac70c297bc95935c0816b626822ae2d43bd3fb1 | pdf-javascript-stream | PDF /JS object 140 at offset 0x11C6E | 38 bytes |
| javascript_obj0141_005.js | 56df9ec7d9dbf46df75add678623559eb9322d10fea64bb1cdae19e098d97f36 | pdf-javascript-stream | PDF /JS object 141 at offset 0x11CC3 | 41 bytes |
| javascript_obj0142_006.js | 5a3e7f03f90406516dcbaece12c2cfe7a031d9a67ba9dbf0eb5a41d6897bcb2a | pdf-javascript-stream | PDF /JS object 142 at offset 0x11E59 | 38 bytes |
| javascript_obj0143_007.js | d761711530b07ec21b59c19871e8e74ace7edd248d887e0b637dd7859b0fb191 | pdf-javascript-stream | PDF /JS object 143 at offset 0x11EAC | 41 bytes |
| javascript_obj0144_008.js | e93cbcf00c693e4ba241826ddbf39ebbe6fa2d837402d7592b8322b987856672 | pdf-javascript-stream | PDF /JS object 144 at offset 0x11FB2 | 38 bytes |
| javascript_obj0145_009.js | a2cce4f91929ad8653bc45f4787201faf376c2227b6c10f2d79414105a5e908d | pdf-javascript-stream | PDF /JS object 145 at offset 0x12004 | 41 bytes |
| javascript_obj0146_010.js | ac8e63a5d29c9cad24c6643e32c5029dc53f00e76ed53fa19cde7e3067fe6314 | pdf-javascript-stream | PDF /JS object 146 at offset 0x12106 | 38 bytes |
| javascript_obj0147_011.js | c34c2266d03a7c884cfc2c14262f6676258af953c6af49d4a9cd29c6e6586cab | pdf-javascript-stream | PDF /JS object 147 at offset 0x12159 | 41 bytes |
| javascript_obj0149_012.js | 59f3131516505b398f8063220a3f7753b701d5475e1811a557ad95c9bd3ad7fe | pdf-javascript-stream | PDF /JS object 149 at offset 0x122FF | 38 bytes |
| javascript_obj0150_013.js | d14e86310440bd03695e12b31596f516026a63feccb02a5bc8deb75e51a817e3 | pdf-javascript-stream | PDF /JS object 150 at offset 0x12354 | 41 bytes |
| javascript_obj0152_014.js | 8b1d778263ccb7b15c83527ff31c61c2e73b388e008f79a93e90b28dc3dce3fc | pdf-javascript-stream | PDF /JS object 152 at offset 0x124F1 | 38 bytes |
| javascript_obj0153_015.js | 2c2b8c7353e0999a6d11c8e88e02849b6f379d4ccf638c6bca409fc6a1a9be72 | pdf-javascript-stream | PDF /JS object 153 at offset 0x12544 | 41 bytes |
| javascript_obj0155_016.js | 70479a7f4b1bbee12a3cfa7e57b0055fe3a859dcbaaa04b277fc3ac850a92f88 | pdf-javascript-stream | PDF /JS object 155 at offset 0x126E3 | 38 bytes |
| javascript_obj0156_017.js | 47259590958197826734b70c1cf549ebb45ddd0ac9d6aa69102d0ca0f4c4184f | pdf-javascript-stream | PDF /JS object 156 at offset 0x12736 | 41 bytes |
| javascript_obj0160_018.js | cc15927a273e1ec81112695eb3b9bbc2cf6a815695fc4cae9aa1995d03e8b5b5 | pdf-javascript-stream | PDF /JS object 160 at offset 0x12B2A | 38 bytes |
| javascript_obj0161_019.js | 82a1a08de0dd09f8bbc5d1cccf7e468e928a543cc392a8d8df29058a000dec1e | pdf-javascript-stream | PDF /JS object 161 at offset 0x12B7C | 41 bytes |
| javascript_obj0163_020.js | 18c568b555e6a219d8e156ef7b918ea3e80731258b7de4c9ad3164f8aa8e0c9e | pdf-javascript-stream | PDF /JS object 163 at offset 0x12D1E | 38 bytes |
| javascript_obj0164_021.js | 883f7996f63193410591ff20e66ed8eb41c0308de07794cbb10e88cfce7b8984 | pdf-javascript-stream | PDF /JS object 164 at offset 0x12D70 | 41 bytes |
| javascript_obj0166_022.js | 42da3e8763cabe8dc6ec569dfae1467a9dd2ee6c69244144f6ca16521d318e8f | pdf-javascript-stream | PDF /JS object 166 at offset 0x12F0B | 38 bytes |
| javascript_obj0167_023.js | 98bc81b03d1385738eb8368cb57c9c01a629a8b9f0452789f7b23ac9b94b0fad | pdf-javascript-stream | PDF /JS object 167 at offset 0x12F5D | 41 bytes |
| javascript_obj0169_024.js | 7c6f4af3eb30ac7eabb11a1b49702daf9dc9be977cd03fed9ae6dc86cdbd1653 | pdf-javascript-stream | PDF /JS object 169 at offset 0x130FB | 38 bytes |
| javascript_obj0170_025.js | 5a432499d89fed87c3b41ac51df1b6ec15c0e452056f2c0351ad34e9d1f0d0a4 | pdf-javascript-stream | PDF /JS object 170 at offset 0x1314D | 41 bytes |
| javascript_obj0174_026.js | 1389f645fe21fed23dcef1174ca702a352511de69e2bd27fc49d8274c11c8293 | pdf-javascript-stream | PDF /JS object 174 at offset 0x13539 | 38 bytes |
| javascript_obj0175_027.js | 6d54a68600e114783d92c2a25cb4ad6ac87c61df9662863a7c25bacb862fc072 | pdf-javascript-stream | PDF /JS object 175 at offset 0x1358D | 41 bytes |
| javascript_obj0192_028.js | 0c6f60cac2f5ed78fd3a37e85b6fd1670983ade63f614f6a4577ce9799f39c0d | pdf-javascript-stream | PDF /JS object 192 at offset 0x14D9C | 38 bytes |
| javascript_obj0193_029.js | 70a8dd84d3bf965e7308dbc6a1ebcc81ec7edc3de8235d083139f6422baf3c22 | pdf-javascript-stream | PDF /JS object 193 at offset 0x14DEF | 41 bytes |
| javascript_obj0194_030.js | e02e0e59998c6315763b05bce8e988c0cc5ea78943bb75c571dde678775f89bb | pdf-javascript-stream | PDF /JS object 194 at offset 0x14EEA | 38 bytes |
| javascript_obj0195_031.js | ed44d317545afa6aceb69abcf339fe72438d9dc1aa8fa40e2ccbab70b3b21ea7 | pdf-javascript-stream | PDF /JS object 195 at offset 0x14F3C | 41 bytes |