MALICIOUS
64
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
The PDF file is encrypted and contains embedded JavaScript, indicating an attempt to conceal malicious activity. The presence of JavaScript actions and streams suggests that the script is likely used to download and execute a second-stage payload or to obfuscate the document's true content. The high confidence heuristic 'PDF_ENCRYPTED_WITH_JS' strongly supports this assessment.
Heuristics 4
-
Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JSPDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj1046_000.jsec5ad928ebe5dfa53575665fbaa9382f60aad7e8791f49a135b99c3d789276d1 |
pdf-javascript-stream | PDF /JS object 1046 at offset 0x26021 | 140 bytes |
javascript_obj1047_001.js16a58ab086e5475ec1b0e4d156e2512e73ef2d4ca5a129f39ac4cf8cf18e0dda |
pdf-javascript-stream | PDF /JS object 1047 at offset 0x260E6 | 54 bytes |
javascript_obj1048_002.js5627032f698f5547bb7c260694a83dcd3033c6c4fcc308623fb19fe0e38b1de5 |
pdf-javascript-stream | PDF /JS object 1048 at offset 0x2614F | 54 bytes |
javascript_obj1049_003.jsf4e3c3aaae26b7a4411bdf318421c6491e24d43d1130eafa73702ec862dd5b71 |
pdf-javascript-stream | PDF /JS object 1049 at offset 0x261B7 | 71 bytes |
javascript_obj1050_004.js80dc03f68d25067f0942cf6de588447ab61b086d0897ee5a4435840afcd4b261 |
pdf-javascript-stream | PDF /JS object 1050 at offset 0x26232 | 54 bytes |
javascript_obj1051_005.js312c81e8a7a588fe961cfca285a06fb1ba1ba8d79f5594f1128411ce513caf7d |
pdf-javascript-stream | PDF /JS object 1051 at offset 0x26299 | 71 bytes |
javascript_obj1052_006.jsfa6ecaeaca466fdaf0bc09270b62af8c94fb3f121d1d4bf2e5113404e8d80a26 |
pdf-javascript-stream | PDF /JS object 1052 at offset 0x26311 | 54 bytes |
javascript_obj1053_007.js08ac6284026eeb56f8b30372b2f28cfc14a8eed13f86ee6761b988352a5e4178 |
pdf-javascript-stream | PDF /JS object 1053 at offset 0x26378 | 76 bytes |
javascript_obj1054_008.js4c4abdffb3b385d935876cb6e62bd0aa96bab38806aa3df61362d667df8109d6 |
pdf-javascript-stream | PDF /JS object 1054 at offset 0x263FA | 54 bytes |
javascript_obj1055_009.jse2b44eedd67f41e9c77b732b0f015fd2eace75b767994831420b0a5a0aef2ff6 |
pdf-javascript-stream | PDF /JS object 1055 at offset 0x26462 | 54 bytes |
javascript_obj1056_010.js3a1d30c6850f9224bbb7f7d4df768988d85750244b3b4ab842702fa8d39ff165 |
pdf-javascript-stream | PDF /JS object 1056 at offset 0x264CC | 71 bytes |
javascript_obj1057_011.jsc7a484d4fbf3b91a20d872e0b51a45ffcd33b47e140918f1e4c20f054f5cdc76 |
pdf-javascript-stream | PDF /JS object 1057 at offset 0x26549 | 54 bytes |
javascript_obj1058_012.jsdfef24477493b0bef67ef0618ab11814f225104a54516505002a7332bfd5b7da |
pdf-javascript-stream | PDF /JS object 1058 at offset 0x265B0 | 71 bytes |
javascript_obj1059_013.js6a3ec10a036328539b7e8202cc22dc9d4b5bfbd6cf03581843cd82d4f46b5981 |
pdf-javascript-stream | PDF /JS object 1059 at offset 0x2662D | 54 bytes |
javascript_obj1060_014.js1dd8a47a364a66069629583c031f4714f87b6e69a24717450c196b7eff617608 |
pdf-javascript-stream | PDF /JS object 1060 at offset 0x26695 | 76 bytes |
javascript_obj1061_015.jsd3663e86ebc701813f48811633dc0518d55e8f8a77358ac79c4be9073d4f3119 |
pdf-javascript-stream | PDF /JS object 1061 at offset 0x26715 | 33 bytes |
javascript_obj1063_017.js2d4c1057c6ba4f82d785f110603e9ff4a1d735d82f85a9d60b1d1042bf6077a1 |
pdf-javascript-stream | PDF /JS object 1063 at offset 0x267B9 | 33 bytes |
javascript_obj1065_019.js496efb810c332376fdb58e986fea53188835f00ca3317ffad6be98b5e4f021d2 |
pdf-javascript-stream | PDF /JS object 1065 at offset 0x2685A | 33 bytes |
javascript_obj1067_021.js4271559c5f566be2ce7013821877d30644135bbfddfe63b616e3a31390229e65 |
pdf-javascript-stream | PDF /JS object 1067 at offset 0x268FB | 33 bytes |
javascript_obj1069_023.js3efc6256c2c427a3fb132d3412c0a78542a85ac5e5a65c23b326e9b317389850 |
pdf-javascript-stream | PDF /JS object 1069 at offset 0x2699F | 41 bytes |
javascript_obj1070_024.js755945cd41877a80b1b6c101f00314f2fc3600fbf4c05207717a5377567a5337 |
pdf-javascript-stream | PDF /JS object 1070 at offset 0x269FA | 38 bytes |
javascript_obj1071_025.js80fa9e0e6d2fb560e64c5e2d28e8fbd2732f6f9e947b9517f7bbc2a427eaf478 |
pdf-javascript-stream | PDF /JS object 1071 at offset 0x26A51 | 33 bytes |
javascript_obj0006_027.js900f41ae31391daeac4ff9024e445fbfd8a735974b2f7c5496583b5281a2db86 |
pdf-javascript-stream | PDF /JS object 6 at offset 0x2AB22 | 33 bytes |
javascript_obj0008_029.js5b89d3a924164ac25561f18b50bc58776c132c7714f0a27a79c8a6e6a1aaa7ca |
pdf-javascript-stream | PDF /JS object 8 at offset 0x2ABC0 | 54 bytes |
javascript_obj0009_030.js2bcc578b390cb19eae414dd5cf4d1d388c8e412f202c4049c72b389af39a4846 |
pdf-javascript-stream | PDF /JS object 9 at offset 0x2AC25 | 33 bytes |
javascript_obj0011_032.jsf3254046eef654e3fcc7b96c895b878c249058e6d1403bf9438761d2b35d8f01 |
pdf-javascript-stream | PDF /JS object 11 at offset 0x2ACC3 | 54 bytes |
javascript_obj0012_033.js062158fc27f70bf3f98f35f8afd3c228d10e407fffaaf7bc021bc3e1352e7d39 |
pdf-javascript-stream | PDF /JS object 12 at offset 0x2AD28 | 33 bytes |
javascript_obj0014_035.jse311b64ae9daf7978f7a9b80965795fd908c7b39736c13b8b391a81a8f22219f |
pdf-javascript-stream | PDF /JS object 14 at offset 0x2ADC7 | 54 bytes |
javascript_obj0015_036.jse7fbf758a5314de1a186b1b1a41b82eb8a84081922c82dea32573d6c64c6dab2 |
pdf-javascript-stream | PDF /JS object 15 at offset 0x2AE2E | 54 bytes |
javascript_obj0016_037.js52360979b14feaf6a863e96138ad569704dc08abe5671c6fdd762503d40d31f4 |
pdf-javascript-stream | PDF /JS object 16 at offset 0x2AE94 | 54 bytes |
javascript_obj0017_038.jsdff59676d9517d41b7740d6003e046d31fc9dc250d431ee6e58a7a7fef2027bf |
pdf-javascript-stream | PDF /JS object 17 at offset 0x2AEF9 | 54 bytes |
javascript_obj0018_039.js72fc732c87da2db6baf667597fb3f19ffa9698188874128e122b8254e72c35cb |
pdf-javascript-stream | PDF /JS object 18 at offset 0x2AF5F | 54 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.