Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6f2ca813d5514d7…

Verdict: MALICIOUS
File type: PDF
Size: 11.01 MB
MD5: 40736f622db7e6b3325760f0b68588b4
SHA-1: 260839fcb474f9281d11ebab0be7022e863eb5bd
SHA-256: b6f2ca813d5514d7f113c69e3328f2f07877a5ec683cbd22ff88b9d762a0781c
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers heuristics for JavaScript actions and embedded JS streams, and is encrypted, which hides the payload from static inspection. The document is identified as an advance-fee scam lure that instructs the user to scan a QR code, a common tactic for phishing or malware delivery. The combination of JavaScript and encryption suggests a multi-stage attack designed to evade static analysis.

Heuristics (9)

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis (severity: high, rule: PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators, this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Advance-fee lottery/parcel scam lure (severity: high, rule: SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Unusually high stream count (severity: medium, rule: PDF_MANY_STREAMS)
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • QR-code redirect lure (severity: medium, rule: SE_QR_LURE)
    Document instructs the user to scan a QR code with a phone. This is consistent with QR phishing, but also common in legitimate documents.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Optional Content Group with action trigger (severity: low, rule: PDF_OPTIONAL_CONTENT)
    An Optional Content Group (layer) co-occurs with an action trigger: content can be selectively hidden from viewers or scanners while the action still fires on open.
  • AcroForm button with action trigger (severity: low, rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_cff_off000539f5.bin
SHA-256: 97ae8e3be4d739403e3063026ed9c193beb6b74ba52da1a4604dc0f3d3a15368
Kind: pdf-font-stream
Source: PDF embedded font (cff) at offset 0x539F5
Size: 428 bytes