MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The PDF file contains multiple high-severity heuristic firings indicating the presence of an OpenAction trigger and a Launch action, both of which are used to execute embedded content. The PDF is also flagged as encrypted with JavaScript in its OpenAction, suggesting that a payload is hidden from static analysis and likely executed automatically upon opening. The specific nature of the payload cannot be determined due to the encryption and lack of script content, but the techniques used are consistent with delivering a second-stage exploit or downloader.
Heuristics 3
-
OpenAction trigger high PDF_OPENACTIONPDF has an /OpenAction that launches, submits, or opens an external target
-
Launch action high PDF_LAUNCHPDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
-
Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JSPDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
Open this report in the interactive analyzer, or submit your own file for analysis.