Malicious PDF — malware analysis report

Static analysis result for SHA-256 d868c08df243c763…

MALICIOUS

PDF

235.9 KB Created: ¦@2ÙÄë0†ä‡)@§q Authoring application: “@™QsJ¹Áê+š&±;‰†ÀnsŒ m (via £qN‚œ® tاÊuþ!"ÿݙ²ê8,\§ HñWÒ®¸ä•cËî[)
MD5: 23edc9ec6fedb2914b2b4e8eab9812c6 SHA-1: 2d432154c928b75cf71453f2cd227321eacc8e8f SHA-256: d868c08df243c763e1e645cf962a83e324cb69975a76afaee8a58d70b3bbea99
64 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1553.005 Mark-of-the-Web Bypass

The PDF file contains multiple embedded JavaScript streams, and is also flagged as being encrypted with JavaScript. This indicates that the document is designed to conceal malicious code, likely for execution upon opening or interaction. The presence of JavaScript actions and embedded JS streams suggests an attempt to download and execute a second-stage payload or perform other malicious activities. The specific intent of the JavaScript is obscured by encryption and obfuscation, but its presence is a strong indicator of malicious intent.

Heuristics 4

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0370_000.js
e818d447d449feca13947025a2e6fb5bffd685e45a5fe28444bfea87f55fb9b9		 pdf-javascript-stream PDF /JS object 370 at offset 0x2E474 136 bytes
javascript_obj0385_001.js
fa1a6be91b15d0e022d4d1951da8129fdcb2d7304b17a4f5f01e32340c9f95a4		 pdf-javascript-stream PDF /JS object 385 at offset 0x2FEE3 64 bytes
javascript_obj0392_002.js
b715a3fafd347b3cf048548c4af00ff15cc6c4a5b7e5f78c28a40d25cb8b8e40		 pdf-javascript-stream PDF /JS object 392 at offset 0x30B35 240 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.