Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b19e96faf0025f9…

Verdict: MALICIOUS
File type: PDF
Size: 328.5 KB
Created: (value unreadable; the extracted metadata is garbled bytes)
Authoring application: (value unreadable; the extracted metadata is garbled bytes)
MD5: 3b59e9c9a89e089c19e268bf8ee77bb3
SHA-1: 4f98451a12a3ffc3070a21323051d724c9a4198b
SHA-256: 5b19e96faf0025f94c34e1a429119aec1878c3e0ae9c9f3c1c91f79ccacdfdef
Risk Score: 66

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF file contains multiple embedded JavaScript streams, and the PDF_ENCRYPTED_WITH_JS heuristic indicates that the document is encrypted and also carries JavaScript, suggesting the payload is intentionally obfuscated. The presence of AcroForm buttons and the PDF_IMAGE_ONLY_LURE heuristic suggest a lure mechanism intended to trick the user into interacting with the document. The JavaScript is likely responsible for downloading and executing a second-stage payload, though its exact function cannot be determined because of the obfuscation.

Heuristics (5)

  • Encrypted PDF carries /JS — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JS). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256.

  • javascript_obj0269_000.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 269 at offset 0x4F71E; Size: 176 bytes
    SHA-256: 4ec2d61c55ae1eff5e25fa69fd0d59377d86f4010073f5bf8ee878f7fc0958b9
  • javascript_obj0265_001.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 265 at offset 0x4F8E5; Size: 64 bytes
    SHA-256: e0675feb2b622fcccf692f08ed38e77bd4ebbb067c03d3367f3170f7f97b03d1
  • javascript_obj0263_002.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 263 at offset 0x4FA3C; Size: 64 bytes
    SHA-256: 22a7ffdf4616460590437abf5541d00c53517ce5ffbb491de3d78bb54fae1c70
  • javascript_obj0261_003.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 261 at offset 0x4FB93; Size: 48 bytes
    SHA-256: 7fdf8a8622d6ee31076643c2688bb11dd3dc53b27350ad9aac4252fd4499932f