Malicious PDF — malware analysis report

Static analysis result for SHA-256 9807bb338bab53b3…

MALICIOUS

PDF

160.1 KB
MD5: 4174373cfb5136a69393cfe57c7c30b5
SHA-1: fadd099e6a9e9ed3fbf764cb9f93bd7f43a021e8
SHA-256: 9807bb338bab53b39fd8d73d534ef9cbad98b660227b3192ffac555d3649a626
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

The PDF file is encrypted and contains an OpenAction that triggers a launch action. The heuristic PDF_LAUNCH_COMMAND indicates that the launch action targets a specific, albeit obfuscated, command. This suggests the document is designed to execute a malicious payload upon opening, likely to download and run further malware. The encrypted nature and launch action point towards an exploit delivery mechanism.

Heuristics (4)

  • [critical] PDF_LAUNCH_COMMAND — /Launch action target: �Tv�����#qZ���\(ߦ�\\���|�Iw" hie
    PDF /Launch action specifies an executable target — references a known-dangerous executable (cmd, PowerShell, etc.).
  • [high] PDF_OPENACTION — OpenAction trigger
    PDF has an /OpenAction that launches, submits, or opens an external target.
  • [high] PDF_LAUNCH — Launch action
    PDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous.
  • [high] PDF_ENCRYPTED_WITH_JS — Encrypted PDF carries /OpenAction — payload hidden from static analysis
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.