Malicious PDF — malware analysis report

Heuristics 6

• Correlated malicious PDF JavaScript signals critical PDF_CORRELATED_MALICIOUS_JS
  PDF JavaScript or auto-action content is corroborated by exploit staging, ML, or suspicious extracted-artifact findings. This correlation promotes old exploit-kit PDFs that otherwise remain in the suspicious band because each individual signal is intentionally weighted conservatively.
• ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
  Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
• JavaScript action low PDF_JAVASCRIPT
  PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Additional-actions dictionary low PDF_AA
  PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)
• ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
  ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation

Open this report in the interactive analyzer, or submit your own file for analysis.