Malicious PDF — malware analysis report

Static analysis result for SHA-256 e29f467e17a998ab…

MALICIOUS

PDF

Size: 201.7 KB. Created / Authoring application: not readable (the /Info string values appear to be encrypted, consistent with the /Encrypt dictionary noted under Heuristics).
MD5: a352597137974c226e4a4230a6d63a4e SHA-1: 235ece38de4b6360e20ab9804ee3fdb02394e666 SHA-256: e29f467e17a998aba04ba74045f124b0a94fe2fe952f986d8b12b30d2740320f
Risk score: 84

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript; T1566.001 Phishing: Spearphishing Attachment

The PDF contains embedded JavaScript and applies ASCIIHexDecode and ASCII85Decode filters to its streams, which is consistent with an attempt to keep content away from keyword-based static scanners. PDF_ENCRYPTED_WITH_JS indicates that the document declares /Encrypt alongside an /OpenAction trigger: encryption hides the JavaScript body and stream contents from static analysis, and the auto-execution trigger means the script runs as soon as the file is opened, a pattern typically used to deliver a secondary payload or to exploit a vulnerability in the PDF reader. The document body is heavily truncated and unreadable in this view, so nothing can be said about the specific lure.

Heuristics (5)

  • PDF_ENCRYPTED_WITH_JS (high): encrypted PDF carries /OpenAction; payload hidden from static analysis
    The PDF declares /Encrypt and also references an auto-execution trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners, and combined with the auto-execution indicator this is a known evasion pattern for delivering weaponised JavaScript. Caveat for the analyst: for the reader to open the file and fire /OpenAction without prompting, the user password must be empty, and in that case no secret is needed to decrypt; for example `qpdf --decrypt sample.pdf decrypted.pdf` rewrites the file in the clear so the JavaScript can be read. If a non-empty user password was set, the phishing lure typically supplies it.
  • PDF_FILTER_HEX (medium): ASCIIHexDecode filter, with exploit indicators
    Hex-encoding filter present alongside exploit-delivery indicators. The encoding is trivially reversible, but it keeps payload or shellcode bytes out of sight of scanners that only match keywords against the raw file bytes.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_FILTER_85 (low): ASCII85Decode filter, with exploit indicators
    ASCII85 encoding filter present alongside exploit-delivery indicators; rare in output from mainstream producers and therefore worth decoding rather than trusting a keyword scan.
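As an added example (not code from this report or from the engine that produced it), the following Python script does by hand what the heuristics above describe: it counts the trigger and filter keywords in the raw bytes, re-creates the five rule IDs from those counts, and decodes ASCIIHexDecode and ASCII85Decode streams so the hidden content can actually be read. It also undoes PDF name escaping (`/J#53` for `/JS`), a common trick for dodging naive keyword scanners that the report's rule descriptions do not mention. The sample PDF, the harmless JavaScript payload, the placeholder second-stage string and the stub `/Encrypt` dictionary are all constructed inline so the script runs offline; none of them come from the analysed file, and the "encrypted" variant only carries the marker, its streams are not really encrypted.

```python
import base64
import binascii
import re

# Constructed sample content (NOT the file analysed in the report).  The "payload"
# is harmless JavaScript and a placeholder second-stage string so the script runs offline.
JS_PAYLOAD = b"app.alert('hello from /OpenAction');"
SECOND_STAGE = b"calc.exe"

# Keywords the report's heuristics key on, plus a few common siblings.
KEYWORDS = [b"/Encrypt", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
            b"/ASCIIHexDecode", b"/ASCII85Decode", b"/Launch", b"/EmbeddedFile"]

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream's dictionary (no nested dicts) followed by its body up to "endstream".
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def normalise_names(data: bytes) -> bytes:
    """Undo PDF name escaping (/J#53 -> /JS) so obfuscated names still match."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def decode_asciihex(body: bytes) -> bytes:
    """ASCIIHexDecode: whitespace ignored, '>' ends the data, an odd trailing digit is padded with 0."""
    hexdigits = re.sub(rb"\s+", b"", body.split(b">", 1)[0])
    if len(hexdigits) % 2:
        hexdigits += b"0"
    return binascii.unhexlify(hexdigits)


def decode_ascii85(body: bytes) -> bytes:
    """ASCII85Decode: whitespace ignored, '~>' ends the data, 'z' stands for four NUL bytes."""
    text = re.sub(rb"\s+", b"", body.split(b"~>", 1)[0])
    if text.startswith(b"<~"):  # tolerate the PostScript-style prefix if a producer emitted it
        text = text[2:]
    return base64.a85decode(text)


def scan(pdf: bytes) -> dict:
    """Count keyword occurrences in the raw bytes, as a static keyword scanner would."""
    text = normalise_names(pdf)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", text)) for k in KEYWORDS}


def heuristics(counts: dict) -> list:
    """Re-create the five rule IDs shown in the report from the keyword counts."""
    hits = []
    js = counts["/JavaScript"] or counts["/JS"]
    if counts["/Encrypt"] and counts["/OpenAction"]:
        hits.append(("PDF_ENCRYPTED_WITH_JS", "high"))
    if counts["/ASCIIHexDecode"] and js:
        hits.append(("PDF_FILTER_HEX", "medium"))
    if counts["/JavaScript"]:
        hits.append(("PDF_JAVASCRIPT", "low"))
    if counts["/JS"]:
        hits.append(("PDF_JS", "low"))
    if counts["/ASCII85Decode"] and js:
        hits.append(("PDF_FILTER_85", "low"))
    return hits


def decode_streams(pdf: bytes) -> list:
    """Return (filter name, decoded bytes) for every stream; unfiltered streams pass through."""
    out = []
    for dict_src, body in STREAM_RE.findall(pdf):
        d = normalise_names(dict_src)
        if b"/ASCIIHexDecode" in d:
            out.append(("ASCIIHexDecode", decode_asciihex(body)))
        elif b"/ASCII85Decode" in d:
            out.append(("ASCII85Decode", decode_ascii85(body)))
        else:
            out.append(("raw", body))
    return out


def build_sample(with_encrypt_marker: bool = False) -> bytes:
    """Constructed minimal PDF: /OpenAction runs JavaScript held in an ASCIIHex stream, plus an
    ASCII85 stream.  /JavaScript and /JS are written with #xx escapes to show name obfuscation.
    with_encrypt_marker=True adds a stub /Encrypt dictionary to the trailer so the compound rule
    fires; the streams are NOT really encrypted (a real sample would need decrypting first)."""
    hex_body = binascii.hexlify(JS_PAYLOAD).upper() + b">"
    a85_body = base64.a85encode(SECOND_STAGE) + b"~>"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /Java#53cript /J#53 4 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Filter /ASCIIHexDecode /Length %d >>\nstream\n%s\nendstream" % (len(hex_body), hex_body),
        b"<< /Filter /ASCII85Decode /Length %d >>\nstream\n%s\nendstream" % (len(a85_body), a85_body),
    ]
    trailer = b"<< /Root 1 0 R >>"
    if with_encrypt_marker:
        objs.append(b"<< /Filter /Standard /V 1 /R 2 /P -1 >>")  # stub standard security handler
        trailer = b"<< /Root 1 0 R /Encrypt 6 0 R >>"
    pdf = b"%PDF-1.7\n"
    for i, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n%s\nendobj\n" % (i, obj)
    return pdf + b"trailer\n" + trailer + b"\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample()
    counts = scan(sample)
    print("keyword counts:", counts)
    print("heuristics:", heuristics(counts))
    for filt, data in decode_streams(sample):
        print(f"{filt}: {data!r}")
```

Note that the raw keyword scan sees `/OpenAction` only once, in the catalog: the second occurrence inside the JavaScript string is invisible until the ASCIIHex stream is decoded, which is exactly why the report treats the filters as obfuscation rather than as noise. On a genuinely encrypted sample run the decryption step first (for instance `qpdf --decrypt`), since the stream bodies are ciphertext and the filters are applied only after decryption.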