PDF malware analysis — malicious · fe7e00f9e01387c9

MALICIOUS

PDF

536.5 KB Created: xu´DT0!KnÒ625ÿÇ Authoring application: lå _t,U9b&W©¹¾ÆHìu (via },ôNt9?4zom ¸÷ êE÷WZE)

MD5: 648159d049e17c46931d52597f4edb39 SHA-1: a3098bf491cf4daecdd42a92f975cf4084702366 SHA-256: fe7e00f9e01387c9344c350c68c64cdcc23bd34cfdc57ac13e607c256c2f0c42

66 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.002 Spearphishing Attachment

The PDF file is encrypted and contains JavaScript, indicating an attempt to conceal its true content and behavior. The presence of JavaScript actions and embedded JS streams suggests that the script is responsible for decrypting or executing the malicious payload. The PDF_IMAGE_ONLY_LURE heuristic suggests the document may be designed to trick users into interacting with it, possibly by presenting an image that requires further action. The combination of encryption and JavaScript points to a downloader or dropper mechanism.

Heuristics 5

Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE

PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0613_001.js` `f35d13ad7cfb9d08f9063691ac68f9bb6db7c4b1fc10982e26c1015f500881e6`	pdf-javascript-stream	PDF /JS object 613 at offset 0x1E6EC	33 bytes
`javascript_obj0615_003.js` `77c615245c0c1e3fbd9bcb51b51adbfd380cdd87d798764dd0a2f4875a05452d`	pdf-javascript-stream	PDF /JS object 615 at offset 0x1E78D	33 bytes
`javascript_obj0617_005.js` `9ebd83527fc5baa85a3d7ba0eb865a0ff6bc6890ab7b1fd50390b027a32d3aa7`	pdf-javascript-stream	PDF /JS object 617 at offset 0x1E82D	33 bytes
`javascript_obj0619_007.js` `07d229bd66cc7888bf99e9875e1c62f3f45d488f58f0a4945994ca596020c6a9`	pdf-javascript-stream	PDF /JS object 619 at offset 0x1E8CE	33 bytes
`javascript_obj0007_009.js` `963cf2964f1b593e78c45184ea4fff28f0d869e066148b825abc925d50d1b884`	pdf-javascript-stream	PDF /JS object 7 at offset 0x20079	33 bytes
`javascript_obj0156_084.js` `9c68cb2e365e73e31ba51853b6810675bd0bd8e287d754485999e75eedf3dd7e`	pdf-javascript-stream	PDF /JS object 156 at offset 0x2C7D2	33 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.