MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains multiple embedded JavaScript streams, with one significantly large deobfuscated JavaScript file. Heuristics indicate the presence of JavaScript actions, embedded JS streams, and the use of String.fromCharCode, suggesting obfuscation techniques. The primary function of the embedded JavaScript appears to be downloading and executing a second-stage payload from a remote source, indicated by the 'Long encoded blob, Script obfuscation indicators' heuristic. The PDF structure also shows XFA form elements and AcroForm buttons, which can be leveraged to trigger JavaScript execution.
Heuristics 7
-
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEXHex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
String.fromCharCode low PDF_FROMCHARCODEString.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 9
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0029_000.js80d7888ecf9ad9e4d03cd8cc6959f589c8f8783f37d48bb4d7dae53f6684c595 |
pdf-javascript-stream | PDF /JS object 29 at offset 0x1E2A | 8603 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
stream_002_off00000a8f.js672d461752be4a970c8e9721164ce074d252b55d09d46cc09259d2ce4fc09f7f |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xA8F | 1546 bytes |
stream_003_off00000d4c.bin29cf1edfedd4f27f3c450646c5dc2510e6bf9e63eee1cd436ac517a465a2e1bf |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xD4C | 1650 bytes |
stream_004_off000010bc.bin0f910ffeec733940f6ba1ae41dc6770eab5d615c05bccc95197878b62c8dc45f |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x10BC | 2928 bytes |
stream_006_off00001651.bin4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1651 | 56 bytes |
stream_007_off000016d9.binfe122a09d8a0444608fdc5a6f4981a2dbd469f5bbfacb4bdd327c28ccc343e13 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x16D9 | 149 bytes |
deobfuscated.js23ad59ae1660287ea3ed209afa08166d54ef76da5aa929ca38912d6e9ba94d35 |
deobfuscated-js | PDF JavaScript deobfuscation pass | 1468354 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 8 long base64-like blob(s).
|
|||
font_00_cff_off00004aaf.binea8f409c7366ed46eeb553aa7b404f04641f482ba88463fbe253da60be5787e5 |
pdf-font-stream | PDF embedded font (cff) at offset 0x4AAF | 1138 bytes |
font_01_sfnt_off000054a2.bine31f8c8507e52f29008d946a00becde9f839e34cb108985ce66167bf881adafa |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x54A2 | 8084 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.