MALICIOUS
68
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 JavaScript/JScript
T1566.002 Spearphishing Attachment
T1204.001 Malicious Link
The PDF contains embedded JavaScript, flagged by heuristics, which is often used to execute malicious actions. The 'SE_CALLBACK_LURE' heuristic indicates the document attempts to trick users into calling a phone number, a common tactic in tech support scams or phishing operations. While no specific family is identified, the combination of JavaScript and a callback lure points to a social engineering attack.
Machine Learning
- Nyx PDF Classifier malicious score 0.9582
Heuristics 4
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.InsiderSoftware.com/fontlist/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://www.iec.ch
- https://www.verisign.com/rpa
- http://ocsp.verisign.com/ocsp/status0
- https://www.verisign.com/rpa0
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
- http://www.microsoft.com/typography
- https://www.verisign.com/repository/CPS��
- https://www.verisign.com
- https://www.verisign.com/repository/verisignlogo.gif0��
- https://www.verisign.com/CPS0b
- http://www.microsoft.com/truetype/0
- https://www.verisign.com/repository/RPA0
- https://www.verisign.com/repository/verisignlogo.gif0�
- https://www.verisign.com/CPS
- https://www.verisign.com/repository/CPS
Extracted artifacts 8
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
icc_00_off000426b0.icc2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e |
pdf-icc-profile | PDF ICC profile at offset 0x426B0 | 3144 bytes |
font_00_sfnt_off00004703.bin5f96e1e90c4ef56487c91d02c05141dca0967f8e2bbd5d67be6c4f381f0afa79 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4703 | 62160 bytes |
font_01_sfnt_off0000db59.binb661c2e877dd6b7625208ae148d736aedb24eda2d4f014262cbb7f958f538ca0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDB59 | 71216 bytes |
font_02_sfnt_off0001abb4.bin8b62f203a4ab5c2ac76368029c584b4fa12fffc17f3b6e4e43a9997416807d21 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1ABB4 | 11156 bytes |
font_03_sfnt_off0001cb65.bind375c22ace40f0b973d7308d85023b2e0e49d40dc51da45552d116868346475e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1CB65 | 37232 bytes |
font_04_sfnt_off000239bc.binafeb9e1e920aae3aca3f295f1bbccba46b16423dac14b1b5fde4b661de9198cc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x239BC | 46764 bytes |
font_05_sfnt_off0002c237.bin95592346b00d039686aa3d7e22eae3d52b011e7e842a5c123f73e89ea766cd35 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C237 | 22628 bytes |
font_06_sfnt_off000382e2.bin6cf6df6beee88aa138f821122d0c1969b348cebe09cafe5b5f6a7eb8c27107a0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x382E2 | 32640 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.