MALICIOUS
78
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The PDF file contains embedded JavaScript and is configured with an OpenAction trigger, indicating an attempt to automatically execute code when the document is opened. The presence of JavaScript streams and the PDF_JAVASCRIPT heuristic strongly suggest that the embedded script is malicious. While the script's exact function is not fully detailed, its presence in conjunction with the OpenAction points to a likely download and execution of a second-stage payload.
Heuristics 5
-
OpenAction trigger high PDF_OPENACTIONPDF has an /OpenAction that launches, submits, or opens an external target
-
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEXHex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILEDThe cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0005_000.js161938572d98964eaca72fef2592b48686d5f2813d270ddd4bbb02534042fb02 |
pdf-javascript-stream | PDF /JS object 5 at offset 0x15A5 | 3906 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.