MALICIOUS
Risk Score: 100
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
This PDF file contains numerous JavaScript streams and triggers JavaScript actions, including the use of eval() and String.fromCharCode. The high number of streams suggests obfuscation or a heap spray. While no specific malicious URLs or scripts were directly extracted and reconstructed, the heavy reliance on JavaScript execution within the PDF indicates malicious intent, likely to download and execute a secondary payload or exploit a vulnerability.
Heuristics (8)
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file (low, PDF_EMBEDDED): PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
- String.fromCharCode (low, PDF_FROMCHARCODE): String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.adobe.com/products/acrobat/readstep.h\
Extracted artifacts 32
Files carved from inside the sample during analysis.