MALICIOUS
216
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains an embedded JavaScript payload that likely attempts to download and execute a second-stage payload from a remote URL. The document body and metadata suggest a lure related to downloading PowerShell, which is a common tactic for distributing malware. The presence of numerous external links, many pointing to PDF files, indicates a potential link farm or distribution network.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://mezovuduw.ru/strik?utm_term=powershell+5.0+windows+2012+r2+download PDF link annotation
- http://xegisepereti.mygamesonline.org/synthesis_of_phenyl_benzoate_from_phenol.pdfIn PDF document text
- http://changely.club/93552643069ootee.pdfIn PDF document text
- http://about-central.com/75313527200lulb7.pdfIn PDF document text
- http://digitalmicroteter.xyz/315988420617n7kl.pdfIn PDF document text
- http://pinenud.mygamesonline.org/gewumovawakeloto.pdfIn PDF document text
- http://1xbet-registrat.site/ideas_principales_del_cuento_la_gallina_degollada24d3a.pdfIn PDF document text
- http://help-violation.com/2520770484l64v5.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/povelenavuviw/number_flash_cards_printable.pdfIn PDF document text
- https://f1ddcea9-c323-452c-a4d3-aaefec61e50a.filesusr.com/ugd/defd8a_7314ebc7490e480eb226137cab7ba517.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/bajapovogam/pasomevazijep.pdfIn PDF document text
- https://s3.amazonaws.com/jefazaxal/1-_300_blacksmithing_guide_vanilla.pdfIn PDF document text
- https://s3.amazonaws.com/farefasejikap/xewaxoredefefivawogu.pdfIn PDF document text
- https://s3.amazonaws.com/farefasejikap/nigipewijupodo.pdfIn PDF document text
- https://0eb00d84-361a-45dc-b346-1af5c8eb785c.filesusr.com/ugd/d79848_4fe69d3842e14e21a5b2e02a6d06bc53.pdf?index=trueIn PDF document text
- https://064d663d-f6b2-44cf-a6ad-083da5f315e5.filesusr.com/ugd/77eba6_a6e329b0723b41bea4cb017761d05331.pdf?index=trueIn PDF document text
- http://vepitejususas.atwebpages.com/korean_embassy_visa_application_form.pdfIn PDF document text
- https://s3.amazonaws.com/zerepuzuze/titulos_de_credito_acciones_caracteristicas.pdfIn PDF document text
- https://19972ee8-34f0-4900-8009-9f590161cd02.filesusr.com/ugd/64db51_c2614186851f45439ed44c13bd8fb829.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/sesijesule/cliffs_of_dover_bass_sheet_music.pdfIn PDF document text
- https://656adf98-7a81-40bd-8d0f-2b9c27d09201.filesusr.com/ugd/268ab1_69fba9555a984a088814157bba43bb33.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_pdf_script_00012b5d.bin |
pdf-embedded-script | PDF raw stream script payload at offset 0x12B5D | 1646 bytes |
SHA-256: 1aabd8dd84b37658616f05ba0585209dbb9ad02a303e48041a734cca9f0a0d6e |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 shell/COM execution token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Mobipocket Creator'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>
<rdf:Description rdf:about=''
xmlns:dc='http://purl.org/dc/elements/1.1/'
dc:format='application/pdf'>
<dc:creator>
<rdf:Seq>
<rdf:li>Rarenepu Nidewohuko</rdf:li>
</rdf:Seq>
</dc:creator>
<dc:description>
<rdf:Alt>
<rdf:li xml:lang='x-default'>Powershell 5.0 windows 2012 r2 download. Please edit this document if you spot an error or if you want to add information. Backward compati</rdf:li>
</rdf:Alt>
</dc:description>
<dc:subject>
<rdf:Bag>
<rdf:li>Powershell 5.0 windows 2012 r2 download. Please edit this document if you spot an error or if you want to add information. Backward compati</rdf:li>
</rdf:Bag>
</dc:subject>
<dc:title>
<rdf:Alt>
<rdf:li xml:lang='x-default'>Powershell 5.0 windows 2012 r2 download</rdf:li>
</rdf:Alt>
</dc:title>
</rdf:Description>
<rdf:Description rdf:about=''
xmlns:pdf='http://ns.adobe.com/pdf/1.3/'
pdf:Producer='Mobipocket Creator'/>
<rdf:Description rdf:about=''
xmlns:xmp='http://ns.adobe.com/xap/1.0/'
xmp:CreateDate='2020-08-16T11:10:38'
xmp:CreatorTool='Mobipocket Creator'/>
<rdf:Description rdf:about=''
xmlns:xmpMM='http://ns.adobe.com/xap/1.0/mm/'
xmpMM:DocumentID='bfe432c6-0f14-46f3-a45b-d35c9d95957a'
xmpMM:InstanceID='d9353fef-eebe-4166-b87a-307b396ad925'/>
<rdf:Description rdf:about=''
xmlns:xmpRights='http://ns.adobe.com/xap/1.0/rights/'
xmpRights:Marked='True'/>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end='w'?>
|
|||
font_00_sfnt_off0000e949.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE949 | 5488 bytes |
SHA-256: 3726f943d1c56ccceb2ed75886f626b33de8cdde20142c9e9643bc17cffc2e29 |
|||
font_01_sfnt_off0000fc10.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC10 | 11544 bytes |
SHA-256: 1711ab48cc0c9d469e09c7e84225b73824bf9d8d130e52e65cc125b973b7e91d |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.