MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF file contains an embedded SWF file which ClamAV identifies as malicious, likely an exploit kit component. The PDF itself is encrypted and appears to be an image-only lure, indicating a multi-stage attack. The presence of an embedded, undecodable file further supports the malicious nature.
Machine Learning
- Nyx PDF Classifier clean score 0.0373
Heuristics 7
-
RichMedia (Flash) high PDF_RICHMEDIAPDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
-
PDF embedded file could not be fully decoded medium PDF_EMBEDDED_FILE_UNDECODEDA declared PDF /EmbeddedFile stream uses filters that the scanner could not decode. The raw stream was carved for artifact triage because malformed or unsupported attachment filters can hide payload content from normal extraction.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
Encrypted PDF (string and stream contents are opaque to static scan) info PDF_ENCRYPTEDPDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
-
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LUREPDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.deltatestingltd In PDF document text
- http://www-935.ibm.com/services/us/en/security/infographic/cybersecurityindex.htmlIn PDF document text
- http://dealbook.nytimes.com//2014/10/02/jpmorgan-discovers-further-cyber-security-In PDF document text
- http://www.ft.com/cms/s/0/3d9d6f24-5524-11e4-89e8-00144feab7deIn PDF document text
- http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.htmlIn PDF document text
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8_swf_infected.swf |
pdf-embedded-file | PDF EmbeddedFile object 675 at offset 0x9D529 | 38178 bytes |
SHA-256: a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8 |
|||
|
Detection
ClamAV:
Swf.Exploit.Kit-117
Obfuscation or payload:
likely
actual_type=SWF; declared_or_context_type=PDF; filename=a144312a028740233a05c96a64b0b2d5a7ff14abe34938806c56a2a5e0698ac8_swf_infected.swf; kind=pdf-embedded-file Carved artifact entropy is 7.98, consistent with packed or encrypted content.
|
|||
icc_00_off0003e093.icc |
pdf-icc-profile | PDF ICC profile at offset 0x3E093 | 1960 bytes |
SHA-256: cda96247dc9e5f58d9de130f6288b8b43bca6c23ebc1b62f1aaaa03c45284fd2 |
|||
font_00_sfnt_off00069ec6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x69EC6 | 36767 bytes |
SHA-256: 2980e7cbe4ae992efb9eacf062469367b57cc35eb36596a0dd649f90e7f901a3 |
|||
font_01_cff_off000724ad.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x724AD | 4646 bytes |
SHA-256: 719d02109977adbbe4b80a78f4b0d53c841368a74d3cc491b8625829b41c8efd |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.44, consistent with packed or encrypted content.
|
|||
embedded_file_obj0675_undecoded.bin |
pdf-embedded-file-undecodable | PDF EmbeddedFile object 675 at offset 0x9D892; filter decode failed | 35744 bytes |
SHA-256: 635dace94b83a5791f9f9d55230859656e4bb9f8dee5d9eacbf373e542cc0e66 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.