Malicious PDF — malware analysis report

Static analysis result for SHA-256 f73162e08caf9349…

MALICIOUS

PDF

212.5 KB Created: QÁ< 0^§ÊÙþ§ Authoring application: E¨m]OIt_û—ÎÍb©ä5yŸÞpìÁ (via T˜|@DXtJdöˆÖ„X ó40Ş`÷ÓýõóÀ͓â()
MD5: cbf783ac98827638d63b45598e7266d7 SHA-1: 4cb71ed2f3635dbb18cff745f989587f47e5380e SHA-256: f73162e08caf934998ee525dff43a74dc34c132a6bc19fd603aeb182169b59ba
86 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The PDF file contains embedded JavaScript streams and is encrypted with JavaScript, indicating an attempt to obfuscate its content and hide malicious actions. The presence of a Remote GoTo action further suggests redirection or execution of external content. While the document body is unreadable, the heuristics strongly point to a malicious PDF designed to conceal and execute code, likely for further exploitation.

Heuristics 6

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Remote GoTo action medium PDF_GOTO_REMOTE
    PDF references a remote or embedded document via GoToR/GoToE with an extension-less or unresolved target
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 12

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0168_001.js
73b6244e37b15102e7d6b1fc284e106dcf54d64e67aec95bbea51416a042933b		 pdf-javascript-stream PDF /JS object 168 at offset 0x29C87 33 bytes
javascript_obj0170_003.js
07a1d151dfe765d35de27c7f727dc1efbf0215767189fd3e37c26a6e60b4ed56		 pdf-javascript-stream PDF /JS object 170 at offset 0x29D17 33 bytes
javascript_obj0172_005.js
1bf3474434a77462603474fc1b5aa94ae3b4c2d989428b756bf8101e697505a9		 pdf-javascript-stream PDF /JS object 172 at offset 0x29DA8 33 bytes
javascript_obj0174_007.js
e84bc6df75206f8f0a102543463431f27d9adabbd4a2e6e275d19b6b21be2519		 pdf-javascript-stream PDF /JS object 174 at offset 0x29E38 33 bytes
javascript_obj0175_008.js
50a21f9867b19ae9e8628f17c4c27bb58645063b342e253ccebe85a2276ce4d7		 pdf-javascript-stream PDF /JS object 175 at offset 0x29E82 48 bytes
javascript_obj0177_010.js
304afda89abb70f8305467819e92fc422fa765884572ab55fc663018eca856b2		 pdf-javascript-stream PDF /JS object 177 at offset 0x29F0A 48 bytes
javascript_obj0179_012.js
6d3d2b892d0647e6b0da739afae92e412c4cd63cfdac136d99c774499210cf30		 pdf-javascript-stream PDF /JS object 179 at offset 0x29F91 48 bytes
javascript_obj0181_014.js
1274cd06282e98c233a777af8b0abd168068846c6bd3490eddebc8ab9bfa1eae		 pdf-javascript-stream PDF /JS object 181 at offset 0x2A01B 48 bytes
javascript_obj0183_016.js
e410e5f7a077f606c976c672dfaedfd50d714998501f27fee99a8f8d42cc9eb5		 pdf-javascript-stream PDF /JS object 183 at offset 0x2A0A3 48 bytes
javascript_obj0185_018.js
34a2fb9caf89274b038146d9b99b05a3e2d77db16f1d981160f57f7be4614757		 pdf-javascript-stream PDF /JS object 185 at offset 0x2A12A 48 bytes
javascript_obj0187_020.js
61589e83afe89748eb6d0255c876d528780ecb288f03ec12084329e76030638b		 pdf-javascript-stream PDF /JS object 187 at offset 0x2A1B3 46 bytes
javascript_obj0189_022.js
d8feff6cd4212f659111f98a6be2f9d6909f2d38b9bee8268a85edad9499e822		 pdf-javascript-stream PDF /JS object 189 at offset 0x2A23E 48 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.