Verdict: MALICIOUS (Risk Score: 84)
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The PDF file contains multiple embedded JavaScript streams, is encrypted, and carries JavaScript actions. This indicates the document is designed to execute malicious JavaScript upon opening. The high number of streams and the encryption suggest obfuscation intended to hide the payload. The primary attack pattern leverages the PDF format's scripting capabilities to deliver a malicious payload, most likely a downloader.
Heuristics (5)
- Encrypted PDF carries /OpenAction — payload hidden from static analysis (severity: high; rule: PDF_ENCRYPTED_WITH_JS). PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- Unusually high stream count (severity: medium; rule: PDF_MANY_STREAMS). PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
- JavaScript action (severity: low; rule: PDF_JAVASCRIPT). PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (severity: low; rule: PDF_JS). PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (severity: low; rule: PDF_ACROFORM_BUTTON). PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj4435_001.js | 323e170c05f7b0a5d03211ca5c4b742c6436843f898ece66b0a021ed5dc201ec | pdf-javascript-stream | PDF /JS object 4435 at offset 0x11AE16 | 33 bytes |
| javascript_obj4437_002.js | f09cfe64780fde7be9b357d31c837f0a8f52b30f97cba4d10aba42418ff632fd | pdf-javascript-stream | PDF /JS object 4437 at offset 0x11AF38 | 46 bytes |
| javascript_obj4438_003.js | 12e0635e4b7c6156749c877d621036d1dba2eab11638aa50a04223a46f1ba489 | pdf-javascript-stream | PDF /JS object 4438 at offset 0x11AF99 | 50 bytes |
| javascript_obj4439_004.js | 8945e76c073a005f7006504a0f07aba20ba017bf45ed2fc2904f046a6e94e091 | pdf-javascript-stream | PDF /JS object 4439 at offset 0x11AFFC | 161 bytes |
| javascript_obj4440_005.js | e16f39f9fa3283331291706e3a76326f85507590e5d504edc698793e4e2558c9 | pdf-javascript-stream | PDF /JS object 4440 at offset 0x11B0D3 | 94 bytes |
| javascript_obj4441_006.js | bf1761f2d1d06670a1492658d8cef941cb72557bc0a5cdaf9d3ed41037a66ca2 | pdf-javascript-stream | PDF /JS object 4441 at offset 0x11B164 | 50 bytes |
| javascript_obj4442_007.js | dfe6644a1e916f6273235a71038ca7e39fa0062b3f7a7a3c2c785754c3bb82a4 | pdf-javascript-stream | PDF /JS object 4442 at offset 0x11B1C9 | 161 bytes |
| javascript_obj4444_008.js | bcf7cd4c1ba3d1813c3c2447e2d988936003dbb3735be0a4e04dea4fbde21027 | pdf-javascript-stream | PDF /JS object 4444 at offset 0x11B2DA | 161 bytes |
| javascript_obj4447_009.js | 0a86d2fa165e0638cc43db9ed0f29cd4d2448f0d57a908e337f07cd640d801d7 | pdf-javascript-stream | PDF /JS object 4447 at offset 0x11B4F9 | 161 bytes |
| javascript_obj4450_010.js | d249f38a82920616fd2e7cbd04d82c53c20258d2333e242cc6cccdb211f1ca15 | pdf-javascript-stream | PDF /JS object 4450 at offset 0x11B718 | 161 bytes |
| javascript_obj4453_011.js | 179c4aa09b19f335f503b496bde14d03a7a27e4955a8785da70aaf816b33267a | pdf-javascript-stream | PDF /JS object 4453 at offset 0x11B946 | 161 bytes |
| javascript_obj4456_012.js | 0402487d0b1e29a808de7f6dfb0cf3e0482750e9c9bd064beea670a226e11d3e | pdf-javascript-stream | PDF /JS object 4456 at offset 0x11BB72 | 161 bytes |
| javascript_obj4459_013.js | 014e0d93550d98933469cc6b4ea004865bf3b2a85be40aa7b26c4f0ab066d10c | pdf-javascript-stream | PDF /JS object 4459 at offset 0x11BD9A | 161 bytes |
| javascript_obj4462_014.js | 0a96c379b0c414415a116c3c78195e7d629dc10edaafbfa919aa0453ba5ce126 | pdf-javascript-stream | PDF /JS object 4462 at offset 0x11BFC6 | 161 bytes |
| javascript_obj4464_015.js | 03f78a073922ca0f4f066bf36b3af47d4a34ace6de54efd4ef1450c93c3cb03a | pdf-javascript-stream | PDF /JS object 4464 at offset 0x11C1B6 | 34 bytes |
| javascript_obj4465_016.js | d8b2b8b9b1d865d9ab703d09f4816c4a0c099f20eb66f755072344ad7f5dfecd | pdf-javascript-stream | PDF /JS object 4465 at offset 0x11C209 | 161 bytes |
| javascript_obj4467_017.js | dc9d0f4ad0bdf7f0e65c6633cd3bc73099f531a5efb72b754987313542ebf798 | pdf-javascript-stream | PDF /JS object 4467 at offset 0x11C319 | 162 bytes |
| javascript_obj4470_018.js | 04faf73a1c6e3c6bab849a1b765315a3db5b43992055502b0deaa645fb4b0fe3 | pdf-javascript-stream | PDF /JS object 4470 at offset 0x11C54A | 162 bytes |
| javascript_obj4473_019.js | e0b354b294a3f74515a21161b99c82eed8552522abacdbe9f746b9116ee5f6ee | pdf-javascript-stream | PDF /JS object 4473 at offset 0x11C77D | 162 bytes |
| javascript_obj4475_020.js | 6b309369706c0f9ffc51b32cb2e260b0a9d46d43bf39934aa4c52fde268483df | pdf-javascript-stream | PDF /JS object 4475 at offset 0x11C968 | 162 bytes |
| javascript_obj4476_021.js | 39e33675d1274899fd0bd1bbe7ec777b0d8862c20c58fe8bc15a9d708f0cf911 | pdf-javascript-stream | PDF /JS object 4476 at offset 0x11CA44 | 162 bytes |
| javascript_obj4479_024.js | 417abbeb434c6f13f5fcb2591c3acb6a2b409c412776218deb208f907730cec8 | pdf-javascript-stream | PDF /JS object 4479 at offset 0x11CBA9 | 162 bytes |
| javascript_obj4480_025.js | d60bf82eb8683e48febdf42e1624c178e472131aae5c05dc6b16a698971d0c70 | pdf-javascript-stream | PDF /JS object 4480 at offset 0x11CC86 | 162 bytes |
| javascript_obj4481_026.js | 8afefafdd8ada0ea122a571724ce932380784bc471960d10f552d022fb44ac6a | pdf-javascript-stream | PDF /JS object 4481 at offset 0x11CD60 | 162 bytes |
| javascript_obj4482_027.js | 53c450c2c6f5f9ddd860361b75a8d14abb0701b2322b64b480fef39060e4bebb | pdf-javascript-stream | PDF /JS object 4482 at offset 0x11CE3A | 162 bytes |
| javascript_obj4483_028.js | ef002f62da2c3da3e954e0bb328716cf88a0f673ae06000d177eea2224b9c13f | pdf-javascript-stream | PDF /JS object 4483 at offset 0x11CF14 | 162 bytes |
| javascript_obj4484_029.js | 801e3cf599898b49f8f476f6d3176cf1af74364884600af065942b8c770fb33d | pdf-javascript-stream | PDF /JS object 4484 at offset 0x11CFEF | 162 bytes |
| javascript_obj4485_030.js | f25471377e73c2c2e7fd4bc4ed8779589e3ae9074aea621d0a9b673b1a2d3932 | pdf-javascript-stream | PDF /JS object 4485 at offset 0x11D0CD | 162 bytes |
| javascript_obj4486_031.js | 329f3e3714b6b3017d37a6abb9f3e0825e1563aaabcf278cfd5753a554b761f5 | pdf-javascript-stream | PDF /JS object 4486 at offset 0x11D1A6 | 162 bytes |
| javascript_obj4489_034.js | 879191b2f0880ade8d94f58770e9b9e543275e929449a3b930b21252fc2ea0d5 | pdf-javascript-stream | PDF /JS object 4489 at offset 0x11D30B | 162 bytes |
| javascript_obj4490_035.js | 2d73f40368b247e20a817ddf1080b135da94f8489fbe26ceaaedd5f4318532e5 | pdf-javascript-stream | PDF /JS object 4490 at offset 0x11D3E8 | 162 bytes |
| javascript_obj4491_036.js | 0109096f7fcfc3e0e25ffc8ba8f7f41b536dce763eefcac5d4158425c8a21626 | pdf-javascript-stream | PDF /JS object 4491 at offset 0x11D4C4 | 162 bytes |