Verdict: MALICIOUS
Risk Score: 72
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF file is flagged as malicious due to the presence of embedded JavaScript, which is used to obscure the actual content and likely deliver a secondary payload. The PDF is encrypted and uses JavaScript actions, indicating an attempt to bypass static analysis and hide malicious code. The presence of multiple small JavaScript streams suggests a complex obfuscation or loading mechanism.
Heuristics (5)
- Encrypted PDF carries /JS — payload hidden from static analysis (severity: high, rule: PDF_ENCRYPTED_WITH_JS). PDF declares /Encrypt and also references an executable trigger (/JS). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- JavaScript action (severity: low, rule: PDF_JAVASCRIPT). PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (severity: low, rule: PDF_JS). PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- ASCII85Decode filter (with exploit indicators) (severity: low, rule: PDF_FILTER_85). ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation.
- AcroForm button with action trigger (severity: low, rule: PDF_ACROFORM_BUTTON). PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
Extracted artifacts (12)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0111_001.js | 941899caf5292dc0edd1018edd0e2de8ef1cc00775a7da183e7fdd60e4177222 | pdf-javascript-stream | PDF /JS object 111 at offset 0x15886 | 33 bytes |
| javascript_obj0115_003.js | 0b8d0b5c26ae6edd10a37514166e6bfebd777fb9937b28cb38958919be9e541e | pdf-javascript-stream | PDF /JS object 115 at offset 0x15BCA | 33 bytes |
| javascript_obj0120_005.js | dba5aacc90c02ab6fc3eb655485ad93e416a19785ebc1ea3388e8c68914fa692 | pdf-javascript-stream | PDF /JS object 120 at offset 0x1600E | 33 bytes |
| javascript_obj0124_007.js | 7b7699fdae3d3622d897e89a018ce780cf05c061d3c775d2fa1cc6cd685d10c0 | pdf-javascript-stream | PDF /JS object 124 at offset 0x16333 | 33 bytes |
| javascript_obj0127_009.js | 393dd3984e3472cf36f22d398773ea0a6abbe716c838baaabcd1e025fce0e84d | pdf-javascript-stream | PDF /JS object 127 at offset 0x16511 | 33 bytes |
| javascript_obj0134_011.js | 4179eacdf05c41c6293da3be9a360ae3f970d34151796d7af61bc71bf6829c00 | pdf-javascript-stream | PDF /JS object 134 at offset 0x16BA6 | 33 bytes |
| javascript_obj0137_013.js | 72c7fd03d0bbb89a705b37745452b865a63f207ae875585281e41e9882afa122 | pdf-javascript-stream | PDF /JS object 137 at offset 0x16D81 | 33 bytes |
| javascript_obj0143_015.js | 1c17b818421ba6272b0523ffef877ecd8e6b6a4d395a3d4d8fcdd32cfe7a9721 | pdf-javascript-stream | PDF /JS object 143 at offset 0x172EE | 33 bytes |
| javascript_obj0146_017.js | 6df66bffa5d5ba03ff060be9a10b55077c36f90b1b97f4bc42044368cfb0f424 | pdf-javascript-stream | PDF /JS object 146 at offset 0x174C9 | 33 bytes |
| javascript_obj0152_019.js | 04e5e219867771ee8eff0b18278385d3af7849ad5cf10246a8106a751468decd | pdf-javascript-stream | PDF /JS object 152 at offset 0x17A36 | 33 bytes |
| javascript_obj0155_021.js | 65c14197afcf17926807ee1f42e5a9f6b4fe196a5a8088843b72b54ddbd6f56a | pdf-javascript-stream | PDF /JS object 155 at offset 0x17C13 | 33 bytes |
| javascript_obj0163_023.js | 078fd812fb3a7eade2379565a6c68f02dcf3c5ede85fddbfb36d04822fd8ad29 | pdf-javascript-stream | PDF /JS object 163 at offset 0x18415 | 33 bytes |