Verdict: MALICIOUS
Risk Score: 86
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.002 Spearphishing Attachment
The PDF file contains multiple embedded JavaScript streams and is flagged as encrypted while carrying JavaScript, indicating an attempt to hide malicious content from static analysis. The presence of AcroForm buttons with action triggers further suggests interactive elements designed to initiate script execution. The high number of streams points to significant obfuscation. The primary attack pattern is the use of JavaScript inside the PDF to conceal and execute a payload.
Heuristics (6)
- Encrypted PDF carries /JavaScript — payload hidden from static analysis (high, PDF_ENCRYPTED_WITH_JS): PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- PDF paints image(s) but contains no text operators (info, PDF_IMAGE_ONLY_LURE): PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj1090_000.js | c6a1faf474507b8e5421e4e332f68af9b3564e5668e7395bf49bea46ac63a9f2 | pdf-javascript-stream | PDF /JS object 1090 at offset 0x4D16 | 247 bytes |
| javascript_obj1092_001.js | a7258a2b15d6a339cb681c5ac5a51c88ab5aa18f29a9e6a2f1e73fdc0d320f83 | pdf-javascript-stream | PDF /JS object 1092 at offset 0x4E66 | 159 bytes |
| javascript_obj1520_004.js | 8b44f72fa89e3a633e6778465e243c0440297aed1d2a10d773301b2d223dfc54 | pdf-javascript-stream | PDF /JS object 1520 at offset 0x1FDE3 | 87 bytes |
| javascript_obj1523_005.js | 1ed3199508e34bc90969cdbb0390b912a534283b6b47c290270c656cf8fb1597 | pdf-javascript-stream | PDF /JS object 1523 at offset 0x1FEC5 | 90 bytes |
| javascript_obj1524_006.js | b96159d50767cb8f39ab4609389e55de5c8177caa55444dc494bac05d5b99d93 | pdf-javascript-stream | PDF /JS object 1524 at offset 0x1FF4A | 90 bytes |
| javascript_obj1525_007.js | bfff207c5cd109da913b3c12debecf1e10bc795058fa522ef4477107026b001b | pdf-javascript-stream | PDF /JS object 1525 at offset 0x1FFCD | 187 bytes |
| javascript_obj1526_008.js | 8028bf20b115fe728d005179e81101c95e8637ad444d83253ff70b91c45167a8 | pdf-javascript-stream | PDF /JS object 1526 at offset 0x200B2 | 185 bytes |
| javascript_obj1527_009.js | 359c09a0516dffe79c3b8575cdc6fbe3252a7cb48da0f3715c4301891fdfd32d | pdf-javascript-stream | PDF /JS object 1527 at offset 0x20199 | 70 bytes |
| javascript_obj1530_010.js | 8775c6f3edbd0ab894fd9e1ff093ee33c54e0923751457ae08616a7efaf37ac0 | pdf-javascript-stream | PDF /JS object 1530 at offset 0x2037E | 54 bytes |
| javascript_obj1533_011.js | 6ab6e8cb736061b52630349a278cc720949063de78db0ed8744b867844fb7305 | pdf-javascript-stream | PDF /JS object 1533 at offset 0x2043C | 98 bytes |
| javascript_obj1534_012.js | c11b00f0fe614609f6be6c26715ca66889096d408fa10b566c2ea60a0613d2f6 | pdf-javascript-stream | PDF /JS object 1534 at offset 0x204C7 | 67 bytes |
| javascript_obj1535_013.js | a7340139b45772f6c8280061a4a8eb4cabd22bc16cd7c9889823d25971ab34ed | pdf-javascript-stream | PDF /JS object 1535 at offset 0x20533 | 98 bytes |
| javascript_obj1536_014.js | f63b8ad824c677e90630828cffa5056a97b3b68f98669b70ac5e6b586f2b52f4 | pdf-javascript-stream | PDF /JS object 1536 at offset 0x205BE | 67 bytes |
| javascript_obj1538_015.js | 839de068ce2c8bea93cc54fdacd53bba1a2700ebf84995c6d7579269ffb6b64f | pdf-javascript-stream | PDF /JS object 1538 at offset 0x2065A | 214 bytes |
| javascript_obj1541_016.js | d38d2cfd72e386e978478e3ab95cbfc90512349dd197c45a513947ec529b9e92 | pdf-javascript-stream | PDF /JS object 1541 at offset 0x20862 | 210 bytes |
| javascript_obj1591_018.js | b9b2b05800032cd34f9b988fc99eadab286803be73e3c8bf5bd085728721f967 | pdf-javascript-stream | PDF /JS object 1591 at offset 0x216AD | 109 bytes |
| javascript_obj1593_019.js | 5e4ba3c563698bf83497cd9531cb1367011749ae49a47885317fc2643dfeeb85 | pdf-javascript-stream | PDF /JS object 1593 at offset 0x2180F | 118 bytes |
| javascript_obj1594_020.js | 546bb1b131d9ea43d18f29643a3308089ab8e85314fdfec8e1c33419ecf694ce | pdf-javascript-stream | PDF /JS object 1594 at offset 0x218AE | 59 bytes |
| javascript_obj1595_021.js | 7c22721bf3a8fa704cadbfd2777dcda7270994f6f641a51f7fb496bf0e5ca896 | pdf-javascript-stream | PDF /JS object 1595 at offset 0x21912 | 67 bytes |
| javascript_obj1596_022.js | 825b3b2216c65e25956b00c8b35544107c6fe9e0d3d6182fe872f81173fbfa28 | pdf-javascript-stream | PDF /JS object 1596 at offset 0x2197E | 145 bytes |
| javascript_obj1597_023.js | a3a4a41eb05e964954b4b58fec6af8789c2df92d461f2e2b4b498f1c91c42f97 | pdf-javascript-stream | PDF /JS object 1597 at offset 0x21A39 | 202 bytes |
| javascript_obj1598_024.js | a9f30648e0a957c427c33801d777450319bdb45f0cf0ac30d3366a1e1658bbce | pdf-javascript-stream | PDF /JS object 1598 at offset 0x21B33 | 113 bytes |
| javascript_obj1599_025.js | 107b25bbb63bbbf8f0e27f0791e384cba81abb305b4efac948ef9030e9c96f9c | pdf-javascript-stream | PDF /JS object 1599 at offset 0x21BCE | 98 bytes |
| javascript_obj1600_026.js | 41a41e7a3c037adf330bc0af8e8a46d33f3ebed465c37def949c0356fa03b086 | pdf-javascript-stream | PDF /JS object 1600 at offset 0x21C5A | 191 bytes |
| javascript_obj1601_027.js | fe2a4772145f979e45aabeb905d102aab702991d50e2caff38a9f5743f1f25fb | pdf-javascript-stream | PDF /JS object 1601 at offset 0x21D42 | 193 bytes |
| javascript_obj1602_028.js | d186ae50e7eb60b67b2b2309e6edebd38c408585d13e1b2fde3f306ed550a4a9 | pdf-javascript-stream | PDF /JS object 1602 at offset 0x21E2B | 113 bytes |
| javascript_obj1605_029.js | aea9ac824fbc7f38445fb184fa82c140e90add52eb27e2a229342ef786632bbc | pdf-javascript-stream | PDF /JS object 1605 at offset 0x21FF5 | 137 bytes |
| javascript_obj1606_030.js | 9fbca9b55bd948e7f90201b195f58a545b5d73818ba1d98537d32f543d78719f | pdf-javascript-stream | PDF /JS object 1606 at offset 0x220A7 | 136 bytes |
| javascript_obj1608_031.js | d19fee244de6e78a231f0ffa4a68313fed06c48dce1487fd07d58da55ff9fe47 | pdf-javascript-stream | PDF /JS object 1608 at offset 0x2229F | 221 bytes |
| javascript_obj1609_032.js | a49ab2eeecb3d17244aac3ff730beadea7928bf33f60fa273812290549b8070f | pdf-javascript-stream | PDF /JS object 1609 at offset 0x223A9 | 221 bytes |
| javascript_obj1610_033.js | f192a97d3383e149d33f12d61c387f55b8b0a81d2d4437072592873121b95bbb | pdf-javascript-stream | PDF /JS object 1610 at offset 0x224B3 | 221 bytes |
| javascript_obj1612_034.js | 13e72562189f3a5e8abf139cdea27b2c1b3d2a1616f99d9e32feb964d75d7fe9 | pdf-javascript-stream | PDF /JS object 1612 at offset 0x225F0 | 256 bytes |