MALICIOUS
78
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File
The PDF file contains multiple heuristic firings indicating malicious intent, including an OpenAction trigger and the use of ASCIIHexDecode filters with exploit indicators. The presence of XFA forms and AcroForm buttons with actions further suggests a crafted document for exploitation. While no specific document body content or scripts were extracted for direct analysis of user-facing lures, the structural indicators strongly point to a malicious PDF designed to exploit vulnerabilities upon opening.
Heuristics 5
-
OpenAction trigger high PDF_OPENACTIONPDF has an /OpenAction that launches, submits, or opens an external target
-
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEXHex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILEDThe cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Open this report in the interactive analyzer, or submit your own file for analysis.