PDF malware analysis — malicious · 8eca1148b8a4e4da

MALICIOUS

PDF

17.0 KB Authoring application: LlXR5VFdurXnF3

MD5: 2271aa3de89389bbf07116c5536793ba SHA-1: 99363772e9f614d47d0b203b9dcb353c49d6b21b SHA-256: 8eca1148b8a4e4da97c60d5a5e239d90180559beeff713309b039d443c0a59d7

78 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.002 Spearphishing Attachment

The PDF file contains multiple indicators of malicious JavaScript execution, including an OpenAction trigger and embedded JS streams. The presence of these elements strongly suggests the document is designed to automatically run a script upon opening. This script is likely intended to download and execute a second-stage payload, a common technique for delivering malware. The document body's content is generic and truncated, providing no specific lure.

Heuristics 5

OpenAction trigger high PDF_OPENACTION

PDF has an /OpenAction that launches, submits, or opens an external target
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.

Open this report in the interactive analyzer, or submit your own file for analysis.