Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9e848df3cde299e…

MALICIOUS

PDF

224.8 KB Created: YBéDQ©Ï´Æ6‰ÊasØÐöè]V Authoring application: ¶íÞÿðCۗ06ÕÖíø ßü E‹ (via ¶íÞëî…zӐ9!‡ÀõèMYú^ÅX˜‹’)
MD5: a072e70e5772db0ab27fe68103434d0b SHA-1: 3f4d7afd80cfaff8f16aae9620891b6fd530d6b3 SHA-256: a9e848df3cde299e4f3dc33f6c29480a3d95e2904986642577842260eaa41a10
84 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1566.002 Spearphishing Link

The PDF file contains embedded JavaScript, which is used to hide malicious content and potentially redirect the user to a malicious site. The 'PDF_IMAGE_LURE' heuristic indicates that the document is an image-only lure, typical for phishing attacks. The presence of JavaScript and the image lure suggest the document is designed to trick the user into interacting with malicious content.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4161

Heuristics 5

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 224 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0496_000.js
1b7b63d77ae68d7190e06f6005bedd9888dc06a58487e8abad9c07030f5d4bb3		 pdf-javascript-stream PDF /JS object 496 at offset 0x7DA7 69 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.