Verdict: MALICIOUS
Risk Score: 114

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious Link
The PDF file is encrypted and contains JavaScript, indicating an attempt to obscure malicious content. The presence of CCITTFaxDecode related heuristics suggests exploitation of CVE-2010-0188 or a similar vulnerability. The document also contains elements of a fake invoice lure, commonly used to trick users into opening malicious attachments or clicking on links.
Heuristics (7)

- CCITTFaxDecode + active content — LibTIFF CVE-family indicator (high, PDF_CCITT_CVE_2010_0188_RELATED): PDF uses /CCITTFaxDecode together with JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
- Encrypted PDF carries /JavaScript — payload hidden from static analysis (high, PDF_ENCRYPTED_WITH_JS): PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
- PDF paints image(s) but contains no text operators (info, PDF_IMAGE_ONLY_LURE): PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Extracted artifacts (32)

Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj1111_000.js | 1777cf13a85b11e8ea1dbec93e0dfcfb487bea92444fcb58d3e7f25f416306d5 | pdf-javascript-stream | PDF /JS object 1111 at offset 0x1B398 | 92 bytes |
| javascript_obj1114_003.js | 886a64afd1d7b5b8b0e9dec799eee508bb80bfd404f0cb86bf3a2f2ebea835f1 | pdf-javascript-stream | PDF /JS object 1114 at offset 0x1B487 | 64 bytes |
| javascript_obj1126_007.js | ffc03e446e7ff2140dfb3a17202bbc38c7b081c3a301d27bd6cc18603206e1cc | pdf-javascript-stream | PDF /JS object 1126 at offset 0x1B73E | 56 bytes |
| javascript_obj1138_019.js | 4809789553ac2bb77bd50f62bf093c07c07a0bdc2b7c71bbc1e8e0f38d33010e | pdf-javascript-stream | PDF /JS object 1138 at offset 0x1B9CC | 56 bytes |
| javascript_obj1148_029.js | 83220ac8787ac711250cf273d0dfc4490e8293ecd9bc3b0af693ebcd6c5e36bf | pdf-javascript-stream | PDF /JS object 1148 at offset 0x1BBDF | 39 bytes |
| javascript_obj1157_035.js | f06298455b8ff4651f5a9d242fb76b9ade2afcff1d18bfc2486b34ca8ba4d892 | pdf-javascript-stream | PDF /JS object 1157 at offset 0x1BF12 | 56 bytes |
| javascript_obj1221_099.js | 60d6cc21ea28675c112ee23f968525664aacce23057034214c2c45c962ae80f2 | pdf-javascript-stream | PDF /JS object 1221 at offset 0x1CC0B | 62 bytes |
| javascript_obj1225_103.js | 4d5692ecabdb7b70986e1b7c3503dd0bf014528924428ecc336b9dc3b45a7283 | pdf-javascript-stream | PDF /JS object 1225 at offset 0x1CD0D | 100 bytes |
| javascript_obj1232_110.js | a55075285af011688096a34be526bee63ecefeefc8f36dafe846e7581f40fdaf | pdf-javascript-stream | PDF /JS object 1232 at offset 0x1CECD | 56 bytes |
| javascript_obj1239_117.js | acc73f4430059d29a068e7930d1020f6cbec1a11b9adf61b3032f15dca4a5ef4 | pdf-javascript-stream | PDF /JS object 1239 at offset 0x1D065 | 98 bytes |
| javascript_obj1246_124.js | 291158604c711b75982103d7962296feecd6fadc00997d3fa1e1d312450f10ee | pdf-javascript-stream | PDF /JS object 1246 at offset 0x1D222 | 56 bytes |
| javascript_obj1253_131.js | c892939ed4f56e3d486f824c0c4b7033aba87ac4e6298843ae4fb220ee90ef8a | pdf-javascript-stream | PDF /JS object 1253 at offset 0x1D3B5 | 56 bytes |
| javascript_obj1260_138.js | fb7b5c9bba2dea8780fa371792a185eee38106b505d2c4e5de04aed4ef3bbd15 | pdf-javascript-stream | PDF /JS object 1260 at offset 0x1D547 | 56 bytes |
| javascript_obj1273_148.js | 3ece971133e5234db8dbc9645e2c72959041277d98d29915129d7028692515f9 | pdf-javascript-stream | PDF /JS object 1273 at offset 0x1D98B | 56 bytes |
| javascript_obj1280_155.js | d7f69f64f944f279b62190a12fa264d5c73552f2ffa9e806a3607df782d7db8e | pdf-javascript-stream | PDF /JS object 1280 at offset 0x1DB1E | 56 bytes |
| javascript_obj1299_174.js | d35923073de115d21a264cb15bde63b69c245db8c90a02f75a8d5f05233431c3 | pdf-javascript-stream | PDF /JS object 1299 at offset 0x1DF1E | 56 bytes |
| javascript_obj1306_181.js | aa60a2f04957d514e94226bed94040940f3e2d1d37608c47aafb20c49b6981dd | pdf-javascript-stream | PDF /JS object 1306 at offset 0x1E0B4 | 56 bytes |
| javascript_obj1313_188.js | 03fd2e9e170051c8df3bdc872ec38932e79dbd7cba7eb2f9e6bf406c3bd79acd | pdf-javascript-stream | PDF /JS object 1313 at offset 0x1E246 | 56 bytes |
| javascript_obj1320_195.js | bb6f9dc84710eb2684abefa72677829515088f075de5115e2fcd61b4270d0d05 | pdf-javascript-stream | PDF /JS object 1320 at offset 0x1E3D9 | 56 bytes |
| javascript_obj1327_202.js | e38674e438b2e9bd249d69e7142c1ee02ed5ff7ea7da2f50345cbd3227cf69ef | pdf-javascript-stream | PDF /JS object 1327 at offset 0x1E56C | 56 bytes |
| javascript_obj1334_209.js | df515a0d8dce4720012d95b8def7bf17cab7221dfc5bc3ced2f5a83416baefa0 | pdf-javascript-stream | PDF /JS object 1334 at offset 0x1E6FE | 56 bytes |
| javascript_obj1341_216.js | 4aa6aea30ebdb857b6ea1626f438d544e3beb6b5c145ac9391a6abf00f360162 | pdf-javascript-stream | PDF /JS object 1341 at offset 0x1E898 | 98 bytes |
| javascript_obj1348_223.js | f01bd4d9f88e1a6325169e8a679770f91be52eb0af31c947a94999c168feedad | pdf-javascript-stream | PDF /JS object 1348 at offset 0x1EA53 | 56 bytes |
| javascript_obj1355_230.js | 18edc4b1a4716a9791810770153fea38ad9a10e1e8ef237f09dff4702b79c6d3 | pdf-javascript-stream | PDF /JS object 1355 at offset 0x1EBE4 | 56 bytes |
| javascript_obj1374_249.js | 7f947c5f229a0c585a800db2ada2f3e56ef0429e3fe1a06ef2e7efdc0affa947 | pdf-javascript-stream | PDF /JS object 1374 at offset 0x1EFE4 | 56 bytes |
| javascript_obj1381_256.js | 7713bd5d40de61f3d7dfdcb7c229c4224f6206ad9a6b17894213da32c82da23f | pdf-javascript-stream | PDF /JS object 1381 at offset 0x1F175 | 56 bytes |
| javascript_obj1388_263.js | 3cc82b2d6a53a7b3d8965bb157e1f8bcbae5a692e006af923234ff3d0d8e64bd | pdf-javascript-stream | PDF /JS object 1388 at offset 0x1F308 | 56 bytes |
| javascript_obj1392_267.js | 6b137680f94d251896ddb9fec46fbc1b630ab200297814dc1ebf0f6c77c766b2 | pdf-javascript-stream | PDF /JS object 1392 at offset 0x1F404 | 100 bytes |
| javascript_obj1395_270.js | fb2636669ff1cab6af2a04137ecd57c6a7cb7cbfde63b3f6e3bb240af48b97f1 | pdf-javascript-stream | PDF /JS object 1395 at offset 0x1F4F0 | 39 bytes |
| javascript_obj1396_271.js | d6dcb4f0c3d914f030758a34eacdad783d7785c984eb01ac7b4c1cf894b91257 | pdf-javascript-stream | PDF /JS object 1396 at offset 0x1F53F | 42 bytes |
| javascript_obj1402_277.js | 3883ea1791402a0b1d45e1bf19fc57c60327bd417fcdedebd4f7facb758d4482 | pdf-javascript-stream | PDF /JS object 1402 at offset 0x1F692 | 39 bytes |
| javascript_obj1403_278.js | ddf77a48851fbd54db6216ba1a25d8c441041732aaa37e4c369d4d79713dcc83 | pdf-javascript-stream | PDF /JS object 1403 at offset 0x1F6E2 | 42 bytes |