Malicious PDF — malware analysis report

Static analysis result for SHA-256 42dd246e211116ce…

MALICIOUS

PDF

Size: 35.0 KB
Created: (unreadable metadata)
Authoring application: (unreadable metadata)
MD5: 466ac1efd34cfd8d2e9a3bb599cc4eaa
SHA-1: 58e2b310d831b2c7814d6b96b40e3313fd107d9e
SHA-256: 42dd246e211116ce0fea6dbfddc2515ff303c60b4ccfa04445f6b38a3cd991e9
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file is encrypted and contains embedded JavaScript, which is a common technique to obfuscate malicious content and evade static analysis. The presence of PDF_ENCRYPTED_WITH_JS and PDF_JS heuristics indicates that the JavaScript is likely used to deliver the actual payload. The embedded JavaScript stream, though large, is not directly readable due to obfuscation, preventing a more detailed analysis of its specific actions. However, the combination of encryption and JavaScript strongly suggests an attempt to conceal a malicious function, such as downloading a second-stage payload.

Heuristics (4)

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis (severity: high, rule PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger (severity: low, rule PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0009_000.js
SHA-256: 739222a2a5ed3dd27eb6823781c7d31c62dc711e437db8856b42e835103b4213
Kind: pdf-javascript-stream
Source: PDF /JS object 9 at offset 0x3CD
Size: 33168 bytes