Malicious PDF — malware analysis report

Static analysis result for SHA-256 d30e6569b31ab17d…

Verdict: MALICIOUS
File type: PDF
Size: 312.7 KB
Authoring application: PyMuPDF
MD5: d3b43f86792c0a42681d41e942281860
SHA-1: 96b27722e5569d7272896a99b96be482e1cbdfd6
SHA-256: d30e6569b31ab17d28901bc3a1105b617b447fc2212dae110380228b429a0b98
Risk score: 102

Malware Insights

MITRE ATT&CK

  • T1204 Malicious File
  • T1204.002 Malicious File: User Execution: Malicious Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF file contains embedded JavaScript and triggers a critical heuristic for CVE-2026-34621, indicating a vulnerability exploit. The deobfuscated JavaScript stream is large and contains suspicious elements, suggesting it is designed to download and execute a secondary payload. The presence of multiple JavaScript streams and an embedded file further supports this malicious intent.

Heuristics (7)

  • Adobe Acrobat/Reader privileged API chain — CVE-2026-34621 [critical, CVE exact match] rule: CVE_2026_34621
    PDF JavaScript matches the CVE-2026-34621 exploit chain: Acrobat internal UI/share APIs, swConn prototype/getter manipulation, and privileged RSS or file-read APIs used for staged command-and-control.
  • JavaScript action [low] rule: PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] rule: PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] rule: PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Optional Content Group with action trigger [low] rule: PDF_OPTIONAL_CONTENT
    An Optional Content Group (layer) co-occurs with an action trigger: content can be selectively hidden from viewers or scanners while the action still fires on open.
  • AcroForm button with action trigger [low] rule: PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Suspicious extracted artifact [info] rule: EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: javascript_obj0011_000.js
  SHA-256: ac4aa71c501d251717ff180f71d09f948b98863a4f321d6425e972c101ee65c0
  Kind: pdf-javascript-stream
  Source: PDF /JS object 11 at offset 0x185FA
  Size: 643 bytes

Artifact 2
  Filename: acroform_b64_00.js
  SHA-256: 30b37c04b7674373a869ca58f4e954426a1eb4b2dcc8e9bc96af01153e15d561
  Kind: deobfuscated-js
  Source: PDF AcroForm base64 (raw) at offset 0x4AC
  Size: 73936 bytes

Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 eval/decoder/string-building token(s).