MALICIOUS
134
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
The PDF file contains embedded JavaScript, which is often used to hide malicious payloads or redirect users to malicious sites. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' strongly suggests the document's content is designed to defraud the user. The presence of encrypted PDF content with JavaScript further indicates an attempt to conceal the malicious activity. No specific IOCs were extracted, but the combination of PDF, JavaScript, and the scam lure points to a social engineering attack.
Heuristics 8
-
Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JSPDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
Additional-actions dictionary medium PDF_AAPDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENTOptional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LUREPDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0109_002.js8d8d39c240d76d5744f15072c9fd5e73576a074152a91506fa690a6af2163e16 |
pdf-javascript-stream | PDF /JS object 109 at offset 0x291C | 63 bytes |
javascript_obj0108_003.js3d1cfa25b5c576a1bb87a95a8b8086e54676468ec56ee912c199cc6979806d8d |
pdf-javascript-stream | PDF /JS object 108 at offset 0xAD58 | 63 bytes |
javascript_obj0107_004.jse657a713bd3a7215c04dd2b4d3d4c8a66b290fb0c2eb00da70fd8da0578c1779 |
pdf-javascript-stream | PDF /JS object 107 at offset 0xB0CF | 63 bytes |
javascript_obj0106_005.jsb023d97a741f81f0e49e988ffe8eeaa1a40ded1ee9f3e7ea5194eb5d3effec6a |
pdf-javascript-stream | PDF /JS object 106 at offset 0xB444 | 63 bytes |
javascript_obj0105_006.js48925e8f1e08482784435bce05d78a7732f62f1011324f678179318da4a2e72b |
pdf-javascript-stream | PDF /JS object 105 at offset 0xB7B7 | 63 bytes |
javascript_obj0104_007.js7dccc3857e70dd9f39b9a4df68694ae09a1f4986f2d0333a7229faa14e2b05a8 |
pdf-javascript-stream | PDF /JS object 104 at offset 0xBB2D | 63 bytes |
javascript_obj0103_008.js18ff7fe3ac262efc1260877ca0b39e03d72caf4f5673c76699e6895e4119dde3 |
pdf-javascript-stream | PDF /JS object 103 at offset 0xBEA2 | 63 bytes |
javascript_obj0102_009.js3ca849979ac3dd3c7101a6c6969d05daae6d41da12a3f9897c4ac531ddb1aa81 |
pdf-javascript-stream | PDF /JS object 102 at offset 0xC215 | 63 bytes |
javascript_obj0101_010.js4db7cadafc5afbd8a845f237f647ac49d58c49a0d67e461d4f98d318a09462bd |
pdf-javascript-stream | PDF /JS object 101 at offset 0xC58D | 63 bytes |
javascript_obj0100_011.js79ddbee2ffba85cfda140578832da191f4c3bd6a598bc552a86d14547b7f2a23 |
pdf-javascript-stream | PDF /JS object 100 at offset 0xC901 | 63 bytes |
javascript_obj0099_012.js1e9ca928d32b2df319cf6b266121f49aaa71079b76ce60b5e1b352fe1a9c3d00 |
pdf-javascript-stream | PDF /JS object 99 at offset 0xCC75 | 63 bytes |
javascript_obj0098_013.jsa8995aaa951ebf154fbdedf8cd10c88db73c89d0c557b3cd922e010e944e59a7 |
pdf-javascript-stream | PDF /JS object 98 at offset 0xCFE8 | 63 bytes |
javascript_obj0097_014.js6e3c22bdf03e7967b12a05e5b6b2b7263a72e9fc0fad938bbde9fa7baf7f11e2 |
pdf-javascript-stream | PDF /JS object 97 at offset 0xD35A | 63 bytes |
javascript_obj0096_015.jsbcabf61cb70255d7c7b3959aa420c7163641b070fed2eadb4eb1c07616f218f3 |
pdf-javascript-stream | PDF /JS object 96 at offset 0xD6CC | 63 bytes |
javascript_obj0095_016.js311a3d97b64b38869949a94b93bd51db3c11dda9c3d8214be67412f916ca3f62 |
pdf-javascript-stream | PDF /JS object 95 at offset 0xDA41 | 63 bytes |
javascript_obj0094_017.js43e7da9a37fd5d561afdf43ec51b953ef940fd63408502cff796e9ac5341b2ce |
pdf-javascript-stream | PDF /JS object 94 at offset 0xDDB4 | 63 bytes |
javascript_obj0093_018.jse1ffadee36f5f222a0b5bedf11fa0e3019744c2b8a49bc0e1d1e229133848b88 |
pdf-javascript-stream | PDF /JS object 93 at offset 0xE128 | 63 bytes |
javascript_obj0092_019.jsb9dc851c424608d3397380d24adbb7c4f98aafe3544d62ee6a193f9f2124d7ea |
pdf-javascript-stream | PDF /JS object 92 at offset 0xE498 | 63 bytes |
javascript_obj0091_020.js11b0217d8f28b85cc79fcb1d2cbcfa1ff8c9f1467ad4bb81215bdc64e5324500 |
pdf-javascript-stream | PDF /JS object 91 at offset 0xE809 | 63 bytes |
javascript_obj0090_021.js7cf0da5c2eccde5da1e4e7ed515b68fd29f81fdcfaa8180b61afc3d57a9808fa |
pdf-javascript-stream | PDF /JS object 90 at offset 0xEB79 | 63 bytes |
javascript_obj0089_022.jsb67e9887121ac8f9993d26dc001f8df10679289c8aebeaee03101e7d3af32851 |
pdf-javascript-stream | PDF /JS object 89 at offset 0xEEEC | 63 bytes |
javascript_obj0088_023.jsce1f986bba5cff97e2e33a909de6927cd1db4c3d180631fcb646dbc82ea6edd5 |
pdf-javascript-stream | PDF /JS object 88 at offset 0xF25F | 63 bytes |
javascript_obj0087_024.js6743a672e78ae08b207f493828b3d3616d3bfa2fc1243c8835f7195f0bac61a3 |
pdf-javascript-stream | PDF /JS object 87 at offset 0xF5CF | 63 bytes |
javascript_obj0086_025.js0751f6b8612a9992754ffd553ac591507a68f72d0170f16f87d22c8dee015e9a |
pdf-javascript-stream | PDF /JS object 86 at offset 0xF942 | 63 bytes |
javascript_obj0085_026.jse7dabc8127a5d5f1f40aa12756a5c24263c26f0afc280994db476d292cf051f8 |
pdf-javascript-stream | PDF /JS object 85 at offset 0xFCB3 | 63 bytes |
javascript_obj0084_027.js5192b8fa84b300e86b93f76bdadd7b4d7e150fdaa4f93021babb80eeb531d22d |
pdf-javascript-stream | PDF /JS object 84 at offset 0x10028 | 63 bytes |
javascript_obj0083_028.js934b9430c1f43144a17da05dacf7f4a1c8e5f35781363e0e3c9f1c1184a90fde |
pdf-javascript-stream | PDF /JS object 83 at offset 0x10398 | 63 bytes |
javascript_obj0082_029.js727f9cd4fe421747e37667194fa330774fcec58ef819fef7587941cdad908551 |
pdf-javascript-stream | PDF /JS object 82 at offset 0x1070A | 63 bytes |
javascript_obj0081_030.js62d9947f95dbbc96c872ac815caf4f0420009442531b0e7763745478e6527601 |
pdf-javascript-stream | PDF /JS object 81 at offset 0x10A80 | 63 bytes |
javascript_obj0080_031.jse7927b2bc270a5ee778bcf26ee3e56a39eae2cb8723fc1807f9b291f9d5956fb |
pdf-javascript-stream | PDF /JS object 80 at offset 0x10DF3 | 63 bytes |
javascript_obj0079_032.jsd0e88b41dc388a421721db5506c58432fcb208da2ef8b168403269b1ec9ec03e |
pdf-javascript-stream | PDF /JS object 79 at offset 0x11165 | 63 bytes |
javascript_obj0078_033.jsb575af417cea9fb5299e0048fdbdd3dc54d5983dc5ae9526584b138f89f86f2e |
pdf-javascript-stream | PDF /JS object 78 at offset 0x114D6 | 63 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.