Verdict: SUSPICIOUS (Risk Score 44)

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF is encrypted and contains an OpenAction, a common technique to obfuscate malicious content and hide payloads from static analysis. The presence of embedded URLs, specifically 'http://anzeigen.automatisieren.org', suggests a potential download or redirection mechanism. The heuristic 'PDF_ENCRYPTED_WITH_JS' indicates that JavaScript may be involved in the execution flow, likely to trigger the payload.
Machine Learning
- Nyx PDF Classifier clean score 0.0135
Heuristics (3)

- Encrypted PDF carries /OpenAction: payload hidden from static analysis (severity: high, PDF_ENCRYPTED_WITH_JS). The PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- Suspicious extracted artifact (severity: info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in PDF document text:
  - http://anzeigen.automatisieren.org
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/xap/1.0/sType/ManifestItem#
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/g/img/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/t/pg/
  - http://ns.adobe.com/xap/1.0/sType/Dimensions#
  - http://ns.adobe.com/xap/1.0/g/
  - http://www.iec.ch

  Apart from the first entry, these are standard RDF, XMP (ns.adobe.com/xap, ns.adobe.com/pdf) and Dublin Core (purl.org/dc) metadata namespace identifiers, and www.iec.ch typically comes from the descriptive text of an embedded sRGB ICC profile; they are metadata boilerplate rather than navigable payload links, which leaves http://anzeigen.automatisieren.org as the only URL worth triaging.
Extracted artifacts (28)

Files carved from inside the sample during analysis. The Detection column is empty where the analyzer reported nothing for that artifact.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| stream_029_off00029c65.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x29C65 | 22324 bytes | c863db5685b5c61cfe94115858391808f14a79c97291a01cf0f400e302279c7e | ClamAV: no threats found. Obfuscation or payload: likely (412 of 620 identifiers look randomly generated, e.g. 'DrU7bdhiqcRXEE1RDKklOvBg1PuxVUxV2KsE86XX'; 2 string-concatenation chain(s), consistent with name-mangling obfuscation). |
| stream_135_off000eb242.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xEB242 | 39521 bytes | ba40891f62a4a83d9ffdb7ccec7c8ded61b05d73b6927283863d3cc23e473e95 | ClamAV: no threats found. Obfuscation or payload: likely (383 of 556 identifiers look randomly generated, e.g. 'DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8f'; 9 string-concatenation chain(s), consistent with name-mangling obfuscation). |
| stream_158_off0017d221.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x17D221 | 11800 bytes | bc397bf6a90d448cd98c79a74308a487141069a3c8a0af7bb045e632390ec063 | |
| icc_00_off00020b96.icc | pdf-icc-profile | PDF ICC profile at offset 0x20B96 | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | |
| font_00_cff_off000ff4c4.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xFF4C4 | 4743 bytes | 48992f1fdaa51cffbab540b4dfcd699466835a8ef3e995d7eae53eed88a35d0b | |
| font_01_cff_off001005d7.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1005D7 | 6123 bytes | 14a98ad7399d6aa94dd8f2963a874bbd54f0c57bf4d81cd1200bd0eded3c0b94 | |
| font_02_cff_off00101b24.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x101B24 | 7494 bytes | a1f2ff2601c72eeab3b359e755014e1e5ef4888469ceff78f947dd53e0ae1d27 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content). |
| font_03_cff_off0010354e.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10354E | 2556 bytes | f28676ed02b4aa58324b87f33f8cb1141680fb6aba355873a16109eb036c1142 | |
| font_04_cff_off00103ecc.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x103ECC | 10161 bytes | 1c2810fc02f5add03693e889005aff928e9f440f4d1bf66837382fb5c6f64a08 | |
| font_05_cff_off00105ebd.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x105EBD | 6817 bytes | 01ac2a26265d690d6f2584927f761fefef50ec47c4ced866f538e05a7403930b | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.45, consistent with packed or encrypted content). |
| font_06_cff_off0010766e.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10766E | 251 bytes | 64c598f365d927a4edd9ae2af72d2b0b2960fbba5192d7ef1b33afcf74c8c580 | |
| font_07_cff_off0015b28f.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x15B28F | 3512 bytes | 50023c8e3aec60addfd0bb7d5eae71be4aa9830db2746f8bf8f5b842deb64cc0 | |
| font_08_cff_off0015bfc7.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x15BFC7 | 4148 bytes | 423ef7a313bd776de7fb81095b170c39fea23f0de88e42cb6e10032a646e9164 | |
| font_09_cff_off0015d178.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x15D178 | 3372 bytes | 8d852c58e7750db4700c95e2743e89b86e33f09f2de5b53af9932f9b4edf6a8f | |
| font_10_cff_off0015de94.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x15DE94 | 4378 bytes | 1bfdfe00e1f0031865b1f5693a140df539903c72651a77a0f09dd25841ab6644 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content). |
| font_11_cff_off0015ee11.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x15EE11 | 2886 bytes | af514478fb33112a6e2d3b20b29634f312cd6c49e3e207f2167df9ecbbd16110 | |
| font_12_cff_off0015f8ca.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x15F8CA | 6086 bytes | aa58c0753b75d24cabfc2d29cf21afa5473854fa842ec6adcc1525838e6dafc4 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.43, consistent with packed or encrypted content). |
| font_13_cff_off00161d18.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x161D18 | 1891 bytes | 7979803019b66d3cba12b09d66e47ed2dc168a515f775e77d057d2adcac1c749 | |
| font_14_cff_off00162401.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x162401 | 4697 bytes | 26af31d81532cb5eb302b37a00f6aa477beae5f03d20c00ca582469e504e50d7 | |
| font_15_cff_off0016345a.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x16345A | 2375 bytes | 3763eca8baee686cb13f2b816e024b808fe64537ede2e77584efc8e39f719ca7 | |
| font_16_cff_off00163cd3.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x163CD3 | 3288 bytes | c825aa42940183619715eff68dba4991bda63141a23a404940cfc1092b99c1bf | |
| font_17_cff_off001699d6.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1699D6 | 1588 bytes | 289cc6405da0c75a57d89fe9b208546c06286644b00aa40b4ee8bcf426d18632 | |
| font_18_cff_off0016b248.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x16B248 | 6866 bytes | 079bcc20d88906a3ebb4624144f25ab9adb51f151abdcd2db658b904185d1187 | |
| font_19_cff_off0016c5a0.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x16C5A0 | 179 bytes | 3812062ca87f21174a700d05c83d08a88f758e64668742271e720dc54e80003d | |
| font_20_cff_off0016c6a6.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x16C6A6 | 4346 bytes | c824803cd15ab4c1192750a064d8e9064835d5130bf1ebbfd18f832e0ffc3f25 | |
| font_21_cff_off0016d5b2.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x16D5B2 | 2161 bytes | a61db8d5b61716ebb6bc84a4f00e6ce062782358857a0a6ad753d7bb190a0005 | |
| font_22_cff_off0016e290.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x16E290 | 4657 bytes | fc84035512e115debbb334d4b94f997277700167ca9b3988ef891a43fc20fe5a | |
| font_23_sfnt_off00178a53.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x178A53 | 12556 bytes | e2c9a7b78e8c6829822d5e133bddf4629a724b9b78e500da77f4c6bc3ab00b57 | |