Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c5393b81f845056…

MALICIOUS

PDF

65.4 KB Created: ´®ïãó}E&(B [ ÿ õÈ"ØÅ Authoring application: ¶æ¼¾¦||Yò (via ±÷¯¼¡.7]JU«RQªØ +ØÕ^߶Ðq!ÙZrTY±)
MD5: 5b15a5b1982612424c5659cf1a5e5bbb SHA-1: 09f32507ed494f5f928ac3ce5687b2000b521127 SHA-256: 9c5393b81f84505610abc3a0f68dc0cd4831b313ba98d5982bb563863ebeb98f
72 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment

This PDF file exhibits multiple indicators of malicious intent, including JavaScript actions and an encrypted payload hidden via an OpenAction. The presence of embedded JavaScript streams, combined with PDF-specific heuristics like ASCII85Decode filters and AcroForm button actions, suggests an attempt to obscure and deliver a malicious payload. The exact nature of the payload is not discernible due to obfuscation and encryption, but the overall pattern points towards a phishing or exploit delivery mechanism.

Heuristics 5

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0080_003.js
c6c136ca50e34cc48ae1e6d55fa3aa33c733ff715cd70fa3e9740c4e74a30365		 pdf-javascript-stream PDF /JS object 80 at offset 0x5351 41 bytes
javascript_obj0081_004.js
c06e67cabc4246d36d247c24490975e4cfec6d90e3d4cc0ada79d6e9e52015a1		 pdf-javascript-stream PDF /JS object 81 at offset 0x53AB 38 bytes
javascript_obj0084_006.js
cd5f039af054c84e40a61d94ae2e5ca8fc108ecbb6410df497f03d343b1bb1f9		 pdf-javascript-stream PDF /JS object 84 at offset 0xF0B3 38 bytes
javascript_obj0087_009.js
6b8f55c7641a7cd3afe1a9213adddf23a53ac6da8cb872e5b8b8622f11b30d4f		 pdf-javascript-stream PDF /JS object 87 at offset 0xF19F 41 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.