Verdict: MALICIOUS
Risk Score: 98
Malware Insights
MITRE ATT&CK
- T1059.007 Command and Scripting Interpreter: JavaScript
- T1566.001 Phishing: Spearphishing Attachment
The PDF contains multiple JavaScript streams, several of which validate user input for form fields, which suggests a form-filling or data-collection purpose. One script prompts the user to download Adobe Reader and links to a legitimate Adobe URL (http://www.adobe.nl/products/acrobat/readstep.html), but the overall context of an encrypted PDF carrying JavaScript actions points to malicious intent, most likely a phishing or scam lure. The ML classifier also flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier: malicious score 0.6582
Heuristics (6)
- Encrypted PDF carries /JavaScript — payload hidden from static analysis (high, PDF_ENCRYPTED_WITH_JS): PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key. Caveat: that description is generic. In this sample the analyzer carved and read the JavaScript streams (see the summary above and Extracted artifacts), so check whether the file opens without a password. A standard-security-handler PDF with an empty user password can be decrypted by any tool that implements the handler, and the /Encrypt entry then evades scanners that do not decrypt rather than blocking analysis.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- PDF paints image(s) but contains no text operators (info, PDF_IMAGE_ONLY_LURE): PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams; this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs (the extraction ran several of them together; they are split and deduplicated here):
  - http://www.adobe.nl/products/acrobat/readstep.html
  - http://www.monotype.com
  - http://www.monotype.com/html/type/license.html
  - http://www.monotype.com/html/mtname/ms_arial.html
  - http://www.monotype.com/html/mtname/ms_welcome.html
  - http://www.iec.ch
  The adobe.nl URL is the one the summary attributes to the JavaScript "download Adobe Reader" prompt. The monotype.com URLs (extracted together with the fragments "Monotype" and "NOTIFICATION") match the licence strings that embedded Arial fonts carry in their name tables, and www.iec.ch is referenced from sRGB ICC profile metadata (an ICC profile is among the carved artifacts); treat them as font and colour-profile residue unless a per-URL label says otherwise.
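The six heuristics above are string- and stream-level checks that can be reproduced without a full PDF parser. The Python below is an added example for this report, not the analyzer's own code: it constructs a small sample PDF showing the same indicators (an OpenAction JavaScript, a /Btn widget whose /A trigger runs a JavaScript stream object, one image XObject, and a Flate-compressed content stream that paints the image with no text operators), runs the equivalents of PDF_JAVASCRIPT, PDF_JS, PDF_ACROFORM_BUTTON, PDF_IMAGE_ONLY_LURE, PDF_ENCRYPTED_WITH_JS and EMBEDDED_URL over it, and then carves the /JS stream objects with offset, size and SHA-256 the way the Extracted artifacts table does. The rule names are reused only as labels; the `/Encrypt` entry in the second variant is a hypothetical marker in the trailer, not real standard-handler encryption, and the sample, object numbers and JavaScript body are constructed for the example.

```python
import hashlib
import re
import zlib

# Constructed sample, not the analysed file: an OpenAction JavaScript, a /Btn widget
# whose /A trigger runs a JavaScript stream object, one image XObject, and a
# Flate-compressed page content stream that only paints the image (no BT/Tj).
JS_BODY = b"app.launchURL('http://www.adobe.nl/products/acrobat/readstep.html');"

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_OPS_RE = re.compile(rb"\b(?:BT|ET|Tj|TJ)\b")  # ' and " operators need a tokenizer
BTN_TRIGGER_RE = re.compile(
    rb"/FT\s*/Btn.*?/A\s*<<[^>]*/S\s*/(?:JavaScript|URI|SubmitForm|Launch)", re.S)
URL_RE = re.compile(rb"https?://[^\s'\"()<>\[\]]+")


def build_sample_pdf(declare_encrypt: bool = False) -> bytes:
    """Serialise the constructed objects. With declare_encrypt the trailer carries a
    dummy /Encrypt dictionary so the PDF_ENCRYPTED_WITH_JS pattern fires; the streams
    stay in the clear (a hypothetical marker, not real standard-handler encryption)."""
    content = zlib.compress(b"q 200 0 0 100 50 600 cm /Im0 Do Q")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /AcroForm << /Fields [6 0 R] >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R "
        b"/Resources << /XObject << /Im0 7 0 R >> >> /Annots [6 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(content), content),
        b"<< /S /JavaScript /JS (app.alert('Please install Adobe Reader');) >>",
        b"<< /Type /Annot /Subtype /Widget /FT /Btn /T (Download) /Rect [50 500 250 540] "
        b"/A << /S /JavaScript /JS 8 0 R >> >>",
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray "
        b"/BitsPerComponent 8 /Length 1 >>\nstream\n\x00\nendstream",
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(JS_BODY), JS_BODY),
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    trailer = b"<< /Root 1 0 R /Size 9"
    if declare_encrypt:
        trailer += b" /Encrypt << /Filter /Standard /V 2 /R 3 >>"
    return out + b"trailer\n" + trailer + b" >>\n%%EOF\n"


def stream_bodies(pdf: bytes) -> list:
    """Every stream body, inflated when it is Flate data, raw otherwise."""
    bodies = []
    for raw in STREAM_RE.findall(pdf):
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)
    return bodies


def triage(pdf: bytes) -> dict:
    """String/stream-level re-implementation of the report's heuristics."""
    bodies = stream_bodies(pdf)
    searchable = [pdf] + bodies
    hits = {
        "PDF_JAVASCRIPT": any(re.search(rb"/S\s*/JavaScript", b) for b in searchable),
        "PDF_JS": any(re.search(rb"/JS\s*(?:\(|<|\d+\s+\d+\s+R)", b) for b in searchable),
        "PDF_ACROFORM_BUTTON": any(BTN_TRIGGER_RE.search(b) for b in searchable),
    }
    # Image-only lure: image XObjects present but no text-showing operator in any
    # (inflated) stream; scanning inflated bodies avoids false hits inside zlib bytes.
    n_images = len(re.findall(rb"/Subtype\s*/Image", pdf))
    hits["PDF_IMAGE_ONLY_LURE"] = n_images > 0 and not any(TEXT_OPS_RE.search(b) for b in bodies)
    # /Encrypt together with a JavaScript trigger is what the high-severity rule keys on.
    hits["PDF_ENCRYPTED_WITH_JS"] = b"/Encrypt" in pdf and (hits["PDF_JAVASCRIPT"] or hits["PDF_JS"])
    urls = {u.rstrip(b".,;") for b in searchable for u in URL_RE.findall(b)}
    return {"hits": hits, "image_xobjects": n_images,
            "urls": sorted(u.decode("latin-1") for u in urls)}


def carve_js_objects(pdf: bytes) -> list:
    """Carve the stream objects referenced as /JS n 0 R, recording object number,
    file offset, inflated size and SHA-256 like the Extracted artifacts table."""
    carved = []
    for num in sorted({int(n) for n in re.findall(rb"/JS\s+(\d+)\s+0\s+R", pdf)}):
        head = re.search(rb"(?m)^%d 0 obj\b" % num, pdf)
        if not head:
            continue
        obj_end = pdf.find(b"endobj", head.end())
        body = STREAM_RE.search(pdf, head.end(), obj_end if obj_end != -1 else len(pdf))
        if not body:
            continue
        data = body.group(1)
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass
        carved.append({"object": num, "offset": head.start(), "size": len(data),
                       "sha256": hashlib.sha256(data).hexdigest()})
    return carved


if __name__ == "__main__":
    sample = build_sample_pdf(declare_encrypt=True)
    for rule, fired in triage(sample)["hits"].items():
        print(f"{rule:24s} {'HIT' if fired else '-'}")
    for art in carve_js_objects(sample):
        print(f"/JS object {art['object']} at offset 0x{art['offset']:X}, "
              f"{art['size']} bytes, sha256 {art['sha256']}")
```

This deliberately mirrors the limits of the rules it reproduces: it sees only Flate streams and top-level objects, so JavaScript hidden in an object stream (/ObjStm), behind another filter, or under real /Encrypt protection is invisible to it, which is exactly why the PDF_ENCRYPTED_WITH_JS combination is scored high and why a decrypting parser is needed before trusting a "no JavaScript" result.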
Extracted artifacts (32)
Files carved from inside the sample during analysis: 29 JavaScript streams, 2 decompressed Flate streams and 1 ICC profile.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0040_003.js | dd4e86ff46931388298d522a0c25afc2a74df361f28fb6ad9f104ffc1f5056c1 | pdf-javascript-stream | PDF /JS object 40 at offset 0x3894 | 38 bytes |
| javascript_obj0041_004.js | 6aeb2fc8f6b0dba7b9d76914b437aa0140bcd183b4c2b0d2b66173e7a39a1974 | pdf-javascript-stream | PDF /JS object 41 at offset 0x38E8 | 41 bytes |
| javascript_obj0050_006.js | 39a6e192956526268f967ecd62963e349a4f9d8f93aae343ab46d49e74a1faac | pdf-javascript-stream | PDF /JS object 50 at offset 0x3F52 | 185 bytes |
| javascript_obj0099_007.js | 09c13223a9edb138181d4aa87044b4b522b7d05aa50ae98d96796be4af6a870d | pdf-javascript-stream | PDF /JS object 99 at offset 0x73E6 | 183 bytes |
| javascript_obj0103_008.js | 2c02b0f39c946a70222fce74c6b9a29312aca8d12ffeef5608de321cfc7686e6 | pdf-javascript-stream | PDF /JS object 103 at offset 0x78C6 | 128 bytes |
| javascript_obj0104_009.js | 30718e8554e684e75bade9d646412a00f869244611e5589a80012ab114e3fdea | pdf-javascript-stream | PDF /JS object 104 at offset 0x7993 | 195 bytes |
| javascript_obj0106_010.js | 715a709fdf52da47ea73afa3297aede4df5ac6753f1483d1e4e5a211e67bd108 | pdf-javascript-stream | PDF /JS object 106 at offset 0x7C26 | 202 bytes |
| javascript_obj0109_011.js | d669075ac4e19411c5b201874c3e34c0a2f2427450521a45a8d7177e4d976033 | pdf-javascript-stream | PDF /JS object 109 at offset 0x7FC8 | 207 bytes |
| javascript_obj0112_012.js | c46157ef2eb9a3b0e6938e8b6b9047b28037a9f11ae4422851d9541ad6799638 | pdf-javascript-stream | PDF /JS object 112 at offset 0x8349 | 156 bytes |
| javascript_obj0124_013.js | 0db0e145a04be4c67455450a5495c6a54f5f634b29f5dff555449c32d29ee820 | pdf-javascript-stream | PDF /JS object 124 at offset 0x8A78 | 256 bytes |
| javascript_obj0125_014.js | 3d544555bcbdd7dc959c08f5424fdb6dd49d0b451b2a1015152c0c6bc81da1c2 | pdf-javascript-stream | PDF /JS object 125 at offset 0x8BCC | 118 bytes |
| javascript_obj0126_015.js | 7eca804ba24c4b79f352f0ae5fb58e3acaf786d7ae6eb69eba05977f7d8638a7 | pdf-javascript-stream | PDF /JS object 126 at offset 0x8C8B | 47 bytes |
| javascript_obj0129_016.js | 718a0ba324a0da3fa3bc5281ae859e091e89c61d813e1a85f9222c2b354dac4c | pdf-javascript-stream | PDF /JS object 129 at offset 0x8D55 | 114 bytes |
| javascript_obj0130_017.js | fe1d2e3911f5b8cc4b8d81ac3c9a54a69b3b52a739505ff737d8e3f7b72706d7 | pdf-javascript-stream | PDF /JS object 130 at offset 0x8E04 | 125 bytes |
| javascript_obj0134_018.js | 06f3236952bcef9fab7bfc14e917047b8f231dbac1fa958cdea40a33ffb111ac | pdf-javascript-stream | PDF /JS object 134 at offset 0x8F58 | 784 bytes |
| javascript_obj0154_023.js | 367666dd9d22e9b521d5bbcd76a57f759819effd9514b5b8c053b8ffcacbfe22 | pdf-javascript-stream | PDF /JS object 154 at offset 0xB949 | 652 bytes |
| javascript_obj0155_024.js | 9e0c27ad8dfdb947d2558e870cbb9f29f1d0121bd1a5edec90ddc25270a3c8f3 | pdf-javascript-stream | PDF /JS object 155 at offset 0xBA3D | 646 bytes |
| javascript_obj0308_025.js | da50785931a1803e99e43198caebde2453adcab686379b085f2cf13024ccbe07 | pdf-javascript-stream | PDF /JS object 308 at offset 0x3BE13 | 567 bytes |
| javascript_obj0313_026.js | 2d1cbb9e0c035166f45104938f2c73971a2517dbb18bb724988988db4485bdef | pdf-javascript-stream | PDF /JS object 313 at offset 0x3EAE0 | 321 bytes |
| javascript_obj0314_027.js | d0386924b79c7b059cdc01ed097b1666c6a45cf8627e9b32852d4c44651606ae | pdf-javascript-stream | PDF /JS object 314 at offset 0x3EBFA | 699 bytes |
| javascript_obj0315_028.js | f1c35e4f020e537c107f3dc5180a1f4141edfe3cb46e0b3b372548fc004f84ef | pdf-javascript-stream | PDF /JS object 315 at offset 0x3ED6D | 1741 bytes |
| javascript_obj0316_029.js | 0540a36c216523c332549a87ee463f8684e390135864123faeffda0aa9f8a063 | pdf-javascript-stream | PDF /JS object 316 at offset 0x3F012 | 587 bytes |
| javascript_obj0317_030.js | 3d7d820c08a52a3fef26b27045d26e9b6ee40654b0602b00a00f2836303e4e81 | pdf-javascript-stream | PDF /JS object 317 at offset 0x3F151 | 614 bytes |
| javascript_obj0318_031.js | f77d6f3a9b04e740ae9c3afae46916879406a13858e880299bf970c81deeed0c | pdf-javascript-stream | PDF /JS object 318 at offset 0x3F2D6 | 429 bytes |
| javascript_obj0319_032.js | 1653bd3bdf486b9f2c24ce3020eba5a0d3996f31726014b30e43a80bff9c9664 | pdf-javascript-stream | PDF /JS object 319 at offset 0x3F427 | 324 bytes |
| javascript_obj0320_033.js | a6e0897ba8023b3b12038aa14d874adc496a0a02f2928a149c02c5990d8ab7f5 | pdf-javascript-stream | PDF /JS object 320 at offset 0x3F51E | 2004 bytes |
| javascript_obj0321_034.js | 56f6fe517bf900ef142d4796428b497321b062b17b34edc2b81792c34dd76c36 | pdf-javascript-stream | PDF /JS object 321 at offset 0x3F7AF | 1205 bytes |
| javascript_obj0326_035.js | 0359e434b773d54279b387258e9ec1c99e680d4936571c26b802761518398e98 | pdf-javascript-stream | PDF /JS object 326 at offset 0x4096C | 337 bytes |
| stream_023_off0000bb7b.bin | 3fcbc78accea7c4b324d9202e62a8927d0f81b8bef01372ecb05e010b40a7eb1 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xBB7B | 261650 bytes |
| stream_098_off00042168.bin | 4735e29f6b4dfaae31ceba3a66c7548a579b3b0ad8f9ec68bc6e90b0597d7de3 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x42168 | 308015 bytes |
| icc_00_off0003f9c4.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x3F9C4 | 3144 bytes |
| javascript_obj0292_000.js | ca6db76aac3f7771357dea7aaaa1b18742724c22fb8ad7134abe3525d12fe226 | pdf-javascript-stream | PDF /JS object 292 at offset 0x13FF | 256 bytes |