Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b87617ed8438596…

Verdict: MALICIOUS
File type: PDF
Size: 962.9 KB
MD5: a6d5f4b63dc710c655e58efce0e409eb SHA-1: 6fe5671e7525c58285f256713d1a66bbb11ce5d8 SHA-256: 7b87617ed84385964fbc8c72f3cb87a4b9298e52e4ca570d75792ad637c87869
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF file was flagged as malicious by an ML classifier and exhibits high-confidence heuristics for JavaScript-based obfuscation and encryption. Multiple embedded JavaScript streams were extracted; they contain calls to functions named 'popCode', 'popSigle' and 'moveToIntra', which suggests an attempt to hide or dynamically reveal content. The absence of readable document body text further supports the view that the content is intentionally obscured.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7535

Heuristics (4)

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis [severity: high; rule: PDF_ENCRYPTED_WITH_JS]
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action [severity: low; 1 related finding; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators [severity: info; rule: PDF_IMAGE_ONLY_LURE]
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Each entry lists the filename, its SHA-256, then kind, source and size, followed by a preview of the extracted script.
javascript_obj1352_000.js
baaf2e4b285b514e693a44c1b3b7170320a1b1036a18a37c571f36fa27b38e28
Kind: pdf-javascript-stream | Source: PDF /JS object 1352 at offset 0x42EDF | Size: 40 bytes
Preview script (first 1,000 lines of the extracted script):
popCode('ref=CODES&dest=C. trav,L132-4')
javascript_obj1355_001.js
7df6ab83ff0489a4742aaac89ca697274e17c7247f864f100ca397ea20ae574a
Kind: pdf-javascript-stream | Source: PDF /JS object 1355 at offset 0x43A88 | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L132-8')
javascript_obj1357_002.js
b26b7e9d596da630832598277d497b5193671973ecae902f8a5a06b5aa08d8bf
Kind: pdf-javascript-stream | Source: PDF /JS object 1357 at offset 0x44496 | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L132-9')
javascript_obj1358_003.js
c28f7850390996ec608caafb511a3cd91a1f168c7e6bacf3a426c7dac0d3491b
Kind: pdf-javascript-stream | Source: PDF /JS object 1358 at offset 0x445A8 | Size: 63 bytes
Preview script:
popSigle('Direction départementale du travail et de l\'emploi')
javascript_obj1360_004.js
a41d301f20b24e15614d5794ad0341fc6f7b8e08b17ec9fbd71df8cd8d611210
Kind: pdf-javascript-stream | Source: PDF /JS object 1360 at offset 0x447FB | Size: 41 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L132-10')
javascript_obj1362_005.js
ca30c4533ed716d32e44c2d6dee30b609a2612cdbe9cb474302408c5d640a53b
Kind: pdf-javascript-stream | Source: PDF /JS object 1362 at offset 0x45206 | Size: 38 bytes
Preview script:
popSigle('Immeuble de grande hauteur')
javascript_obj1363_006.js
839dcbebe2e454c061c10bf862c4a2ae63bcc0ed41c5de8335839b380ae2c692
Kind: pdf-javascript-stream | Source: PDF /JS object 1363 at offset 0x4531A | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L412-1')
javascript_obj1364_007.js
09d12dbcf6827c2aa9db635f7063de5c23b2c5f4a35b3cfa7d89409b786df357
Kind: pdf-javascript-stream | Source: PDF /JS object 1364 at offset 0x4542C | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L412-2')
javascript_obj1366_008.js
00535d48a0ecfd0a3d7adc0cae91a8ff455429a2cece8f4d99263057e30a8a61
Kind: pdf-javascript-stream | Source: PDF /JS object 1366 at offset 0x45D71 | Size: 41 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L122-45')
javascript_obj1367_009.js
49079fe257946e434b130e1c8085afcf6a714c2a548d0e5035fb6d07f6f5f7ee
Kind: pdf-javascript-stream | Source: PDF /JS object 1367 at offset 0x45E7C | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L412-7')
javascript_obj1369_010.js
48bf3569af670ef115f4a6629e416c7c3ce18ef20180db5f30c368004eb30b1c
Kind: pdf-javascript-stream | Source: PDF /JS object 1369 at offset 0x467E6 | Size: 48 bytes
Preview script:
popSigle('Société nationale des chemins de fer')
javascript_obj1370_011.js
4a7e9325109a9f21c4b717b9b89eba51d1ecc7d020bb1e15d8bc8370fb54dc5e
Kind: pdf-javascript-stream | Source: PDF /JS object 1370 at offset 0x46904 | Size: 62 bytes
Preview script:
popSigle('Agence centrale des organismes de sécurité sociale')
javascript_obj1377_012.js
d6310b278c2f782a0e69a69cb489139e8d5ef778d317cfbd1ee2c9f630e43fd7
Kind: pdf-javascript-stream | Source: PDF /JS object 1377 at offset 0x48ACA | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L311-2')
javascript_obj1378_013.js
d39a8e60e4d42f5f959c98d9f0446903e79d841e9f6a6e3fe3df4d4b21471e2f
Kind: pdf-javascript-stream | Source: PDF /JS object 1378 at offset 0x48BE0 | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L311-5')
javascript_obj1379_014.js
2cfc8fe915cbd47ea529d4ddf878ae64e5a3c84a5c03870843e2fa59f339fc86
Kind: pdf-javascript-stream | Source: PDF /JS object 1379 at offset 0x48CF3 | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L324-1')
javascript_obj1380_015.js
796cd268ded8a2e4935c4b0c32e180b55bedb7005b75ca0a15ab00e3a68098a0
Kind: pdf-javascript-stream | Source: PDF /JS object 1380 at offset 0x48E0B | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L324-2')
javascript_obj1381_016.js
1d60463f606fb85be0f2978d204f6e9964cbcc9dde779fda29ebb2a4a96e82b1
Kind: pdf-javascript-stream | Source: PDF /JS object 1381 at offset 0x48F23 | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L324-3')
javascript_obj1384_017.js
638660d51f144197606eb2d0e0ab5efe1e9a2dfea950f56ae8fcbfbef3bde144
Kind: pdf-javascript-stream | Source: PDF /JS object 1384 at offset 0x49976 | Size: 42 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L212-4-2')
javascript_obj1386_018.js
e83b2bc3d09e9dbd866b1544ee26d1e95c76304707777860175d658041c11ce5
Kind: pdf-javascript-stream | Source: PDF /JS object 1386 at offset 0x4A35E | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L140-2')
javascript_obj1392_020.js
074df1208488a0f915679f8a433e85dab2e3c0351d5af3f4079a736e94c7422e
Kind: pdf-javascript-stream | Source: PDF /JS object 1392 at offset 0x4B791 | Size: 41 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L122-14')
javascript_obj1393_021.js
2db60a8c4832f8c4fe8457ff81ce34979614b0cb87d0e0981e739bbbc93f832e
Kind: pdf-javascript-stream | Source: PDF /JS object 1393 at offset 0x4B8AB | Size: 43 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L122-14-3')
javascript_obj1394_022.js
b863f8a564f1065ac7b520f166d81b6696742a209684b7b142de4ab8fcf5313f
Kind: pdf-javascript-stream | Source: PDF /JS object 1394 at offset 0x4B9C7 | Size: 41 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L122-41')
javascript_obj1396_023.js
f548dada64e330267995fce990d732dc9cb3c907f155394912380a9a12162e5c
Kind: pdf-javascript-stream | Source: PDF /JS object 1396 at offset 0x4C2F8 | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L212-1')
javascript_obj1397_024.js
5db74d969370f7657166498a188bb0d23f32bd9a39681b667ca2fc4619c534e2
Kind: pdf-javascript-stream | Source: PDF /JS object 1397 at offset 0x4C40C | Size: 39 bytes
Preview script:
moveToIntra('KE5AAXXXXXX00009XAAXEXXA')
javascript_obj1400_025.js
01e2a70825c9528f030bf39a7630fe06f029c29d11a9df52e8e2c40999deb5c8
Kind: pdf-javascript-stream | Source: PDF /JS object 1400 at offset 0x4CDF1 | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L223-1')
javascript_obj1401_026.js
caf8428c27c0ccd1fda7a431cb9db5c83ea5d8a5d9019683e7d7d094129b17b9
Kind: pdf-javascript-stream | Source: PDF /JS object 1401 at offset 0x4CF06 | Size: 63 bytes
Preview script:
popSigle('Départements d\'Outre-mer, Territoires d\'Outre-mer')
javascript_obj1406_027.js
52641834112d02a66371acd507f5f7fceaff84c49ad6c9918ff56dd3110c76bf
Kind: pdf-javascript-stream | Source: PDF /JS object 1406 at offset 0x4E773 | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L212-8')
javascript_obj1407_028.js
3a53b2a402d803dc876b2febba858552ed42f93a7db18b5422126e5d04378659
Kind: pdf-javascript-stream | Source: PDF /JS object 1407 at offset 0x4E888 | Size: 43 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L122-32-1')
javascript_obj1408_029.js
5e6cd9f25e025c6761940e31c3d3a6eeda1b6fe34d15b4ba25509746f2cbd41a
Kind: pdf-javascript-stream | Source: PDF /JS object 1408 at offset 0x4E9A1 | Size: 39 bytes
Preview script:
moveToIntra('KE5AAXXXXXX00003XAAXEXXA')
javascript_obj1409_030.js
a9fd24adf9ef16e37cc4f1a54b4b403e33e5f5c021648807334cd8ab58d0318d
Kind: pdf-javascript-stream | Source: PDF /JS object 1409 at offset 0x4EAB6 | Size: 39 bytes
Preview script:
popSigle('Activité principale exercée')
javascript_obj1415_031.js
cc22d08309eb41eac68c46909caa2e1566512db98fc560a997558948a41a14da
Kind: pdf-javascript-stream | Source: PDF /JS object 1415 at offset 0x50279 | Size: 40 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L222-5')
javascript_obj1418_032.js
4e9bbafb554670670beb28dd1449c3f1275f2229aca8ca093d62d2918ce26d41
Kind: pdf-javascript-stream | Source: PDF /JS object 1418 at offset 0x512EC | Size: 41 bytes
Preview script:
popCode('ref=CODES&dest=C. trav,L122-12')