Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec51344df45f7aa6…

MALICIOUS

PDF

32.7 KB Created: ?Z’;Ëg­Þxבñ$QOõ¢žfh Authoring application: Ÿ HúCWÿï/çÝÁ_ (via Ÿ [úCWõï*çÜÁSd·)
MD5: a9da5883f85c984de1fb68eeca7b776d SHA-1: dea816d333fc1b8d1e94456cf7271e941c2af9bd SHA-256: ec51344df45f7aa67f885dd9e21bed494cfdb2a857427177124b6052b32af96a
64 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

This PDF file is flagged as malicious due to the presence of embedded JavaScript, which is used to conceal the actual payload. The PDF is encrypted and utilizes JavaScript actions, indicating an attempt to bypass static analysis and deliver a malicious payload. The large size of the embedded JavaScript stream (30868 bytes) suggests it contains complex logic, likely for downloading and executing further stages of an attack. The specific intent is obscured by the encryption and obfuscation, but the overall pattern is consistent with phishing or credential harvesting.

Heuristics 4

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0009_000.js
397ea06b901a1456ee7bd1e29adad7c062f994540cde25a7eccd76bfd840eac8		 pdf-javascript-stream PDF /JS object 9 at offset 0x3C8 30868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.