Verdict: MALICIOUS
Risk Score: 104
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The PDF is heavily obfuscated and encrypted, preventing direct content analysis. Heuristics indicate it uses an image-only lure and prompts the user for a password to open an archive, a common tactic to bypass gateway scanning. The presence of embedded JavaScript and a high stream count further suggest malicious intent, likely to download and execute a secondary payload.
Machine Learning
- Nyx PDF Classifier clean score 0.1511
Heuristics (5)
- Encrypted PDF carries /jS — payload hidden from static analysis [high] PDF_ENCRYPTED_WITH_JS: PDF declares /Encrypt and also references an executable trigger (/jS). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE: Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
- Unusually high stream count [medium] PDF_MANY_STREAMS: PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
- PDF paints image(s) but contains no text operators [info] PDF_IMAGE_ONLY_LURE: PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.organized-crime.de/kvlInterdiscDimStudyOC-TOC-9-3-2006.pdf
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| stream_151_off000e2959.js (SHA-256: 88b979beb991f72e06f5b9be4a86225758ed0a93260ab06ee368d9071347e0b6) | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xE2959 | 23116 bytes |