MALICIOUS
64
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a PDF file containing an embedded JavaScript payload. The heuristic 'PDF_EMBEDDED_SCRIPT_PAYLOAD' indicates the presence of this script, which is likely designed to download and execute a second-stage payload from a remote source. The 'PDF_UNESCAPE' heuristic suggests obfuscation techniques were used within the script. While many URLs are benign, several remain unknown and could be related to the payload delivery.
Machine Learning
- Nyx PDF Classifier clean score 0.0103
Heuristics 4
-
unescape() call high PDF_UNESCAPEunescape() found — often used to decode shellcode in PDF JS exploits
-
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://adtrack.ministerial5.com/clicknew/?a=637394
- http://ly.lygo.com/ly/tpSite/images/freeAd2.jpg
- http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=728x90&section=209094
- http://ad.yieldmanager.com/pixel?id=1901600&t=2
- https://c.compete.com/bootstrap/
- http://c.compete.com/bootstrap/
- http://members.tripod.com/adm/img/common/ot_smallframe.gif?rand=489765
- http://members.tripod.com/adm/img/common/ot_adserved.gif?rand=489765
- http://members.tripod.com/adm/partner/criteo_ld_kw.js
- http://scripts.lycos.com/catman/init.js
- http://members.tripod.com/adm/img/common/ot_noscript.gif?rand=489765
- http://loadus.exelator.com/load/?p=398&g=003&ctg=&subctg=&kw=&refkw=
- http://ads.pro-market.net/ads/scripts/site-132783.js
Extracted artifacts 8
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_020_off00011422.bin8138fa6879cf8070d8614aeaf8a4f7b8a18d3091ce68ddf5b73ec3abbce70bce |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x11422 | 6247 bytes |
embedded_pdf_script_000166b0.bindbf2950789f9538f675998e2e83d2fc20a46751d96f8ce443de672fde5e2a6b1 |
pdf-embedded-script | PDF decompressed stream script payload at offset 0x166B0 | 106449 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
|
|||
font_00_cff_off0000a8a3.bin92e8001e7cf64f7f03513e28099e89d51002655e1aed105c0374ae732501737d |
pdf-font-stream | PDF embedded font (cff) at offset 0xA8A3 | 261 bytes |
font_01_sfnt_off0000a9f6.bin027943a72d054ad1daee6ff32a4ba887f277c9b34d38c20f7f59b7bb0b831cc1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA9F6 | 7740 bytes |
font_02_cff_off0000d437.bind9bf2b4f6af4401d6d1930451ca31d43e8a321f8f3fd45b508c7fad074e4dd72 |
pdf-font-stream | PDF embedded font (cff) at offset 0xD437 | 1865 bytes |
font_03_cff_off0001127d.bine982f0bfa74d9add13609cee53d07e9dfadd1620f4f9f7cee90512b3d3ad9dcd |
pdf-font-stream | PDF embedded font (cff) at offset 0x1127D | 356 bytes |
font_05_cff_off00012743.bin884c274e07dbfa06ed25b3b269a5105e915ba7bdd881e6bcc4e3879fdb4ceb07 |
pdf-font-stream | PDF embedded font (cff) at offset 0x12743 | 848 bytes |
font_06_cff_off00012a73.bin1ab43e75ab8b80e3d59be25dfbbf3e3beeaad1fb02f3047b6a28112c2137fda3 |
pdf-font-stream | PDF embedded font (cff) at offset 0x12A73 | 6963 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.