Verdict: MALICIOUS
Risk Score: 70
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1140 Deobfuscate/Decode Files or Information
The PDF contains embedded JavaScript, which is often used to execute malicious code or redirect users. The presence of a 'Password-protected archive handoff' heuristic, combined with a 'Callback phishing phone lure', strongly suggests the document is designed to deceive the user into calling a fraudulent support number, likely to obtain credentials or payment, or to download a password-protected malicious archive.
Machine Learning
- Nyx PDF Classifier clean score 0.0002
Heuristics (4)
- Password-protected archive handoff (severity: high, rule SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
- Callback phishing phone lure (severity: medium, rule SE_CALLBACK_LURE): Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
- Embedded JS stream (severity: low, rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL (severity: info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html
  - http://www.iec.ch
Extracted artifacts (12)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| stream_026_off002af603.bin | b06d2f02762eb36bde1104938fdfbbcfc48607180edfbefdccff009b9855a413 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2AF603 | 39592 bytes |
| icc_00_off00000869.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x869 | 3144 bytes |
| icc_01_off0000132c.icc | eda03c8910c87b8a3e3c1ffbc35d223da8ae1d0dcfbad0c153c4eefbff436723 | pdf-icc-profile | PDF ICC profile at offset 0x132C | 1328 bytes |
| font_00_sfnt_off002ad0b8.bin | cea9b128e59c0ccfe1c46069993f9f7c09ce4de231298b43fa85a20689f78ef2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2AD0B8 | 9968 bytes |
| font_01_sfnt_off002ae6cd.bin | c5ee179b973116c57172c85e9ddaf146c15957799fb20a9b95e1bf5f833e2306 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2AE6CD | 4756 bytes |
| font_03_sfnt_off002b663a.bin | 164df63478dd466fdaa3ec1cbd1b41967289b3835172c4b05183b98c433f2681 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B663A | 6920 bytes |
| font_04_sfnt_off002b7a05.bin | baf791bd3d09a329c64c151b23dbaf3379bcbb417d042c7b440d019f67bee993 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B7A05 | 4992 bytes |
| font_05_sfnt_off002b87bb.bin | aaaa8d0906ea488b3165bda581f21d93bcfd8b5e173f46c8e2cd4437b38f752d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B87BB | 15752 bytes |
| font_06_sfnt_off002bb7f4.bin | bd76648c95acfe686e8f935b99afcf23c77c84e6f3e51b38bfccfaa7cdd48cfd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2BB7F4 | 20524 bytes |
| font_07_sfnt_off002bf46c.bin | 1864ca6bb718fefeb85bb8f2ce83ca836e61521fd44890b45da57e9b15241a99 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2BF46C | 4004 bytes |
| font_08_sfnt_off002c01d2.bin | 1ea74c69bddaa5815b875e1d51e5bb70e6785f201bef080677e6266f174e618f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C01D2 | 12672 bytes |
| font_09_sfnt_off002c2a02.bin | a00d5643c45a375d6898c6117421801e1cb32f14f9a64ffa9ebbe641afc8fcb9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C2A02 | 40580 bytes |