MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains embedded JavaScript, indicated by multiple PDF_JAVASCRIPT and PDF_JS heuristic firings. The SE_CALLBACK_LURE heuristic suggests the document is designed to trick the user into calling a phone number, consistent with callback phishing or tech-support scams. The embedded JavaScript likely facilitates this by executing malicious actions, potentially downloading further payloads or establishing communication. While specific JavaScript content is not detailed, its presence and the callback lure strongly suggest a malicious intent.
Heuristics 5
-
ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTIONClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.InsiderSoftware.com/fontlist/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
Extracted artifacts 11
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0159_000.js143cc6ba40bcc00058d21bcf2dbb83982267341d54e179cc67e1fabdeea672d8 |
pdf-javascript-stream | PDF /JS object 159 at offset 0x4AD40 | 242 bytes |
javascript_obj0160_001.jsf22049e229e85fad53da2d311278cfe9082de589f79cafe666f8509bcc752f34 |
pdf-javascript-stream | PDF /JS object 160 at offset 0x4AE50 | 276 bytes |
javascript_obj0161_002.jsd14f3782280049970f4a07440f807ce5b5fb813a83e40f7c4f3d2bf7dda9fc3d |
pdf-javascript-stream | PDF /JS object 161 at offset 0x4AF77 | 44585 bytes |
icc_00_off00041ab0.icc2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e |
pdf-icc-profile | PDF ICC profile at offset 0x41AB0 | 3144 bytes |
font_00_sfnt_off00003b09.bin5f96e1e90c4ef56487c91d02c05141dca0967f8e2bbd5d67be6c4f381f0afa79 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x3B09 | 62160 bytes |
font_01_sfnt_off0000cf5f.binb661c2e877dd6b7625208ae148d736aedb24eda2d4f014262cbb7f958f538ca0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCF5F | 71216 bytes |
font_02_sfnt_off00019fba.bin8b62f203a4ab5c2ac76368029c584b4fa12fffc17f3b6e4e43a9997416807d21 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x19FBA | 11156 bytes |
font_03_sfnt_off0001bf6b.bind375c22ace40f0b973d7308d85023b2e0e49d40dc51da45552d116868346475e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1BF6B | 37232 bytes |
font_04_sfnt_off00022dc2.binafeb9e1e920aae3aca3f295f1bbccba46b16423dac14b1b5fde4b661de9198cc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x22DC2 | 46764 bytes |
font_05_sfnt_off0002b63d.bin95592346b00d039686aa3d7e22eae3d52b011e7e842a5c123f73e89ea766cd35 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B63D | 22628 bytes |
font_06_sfnt_off000376e2.bin6cf6df6beee88aa138f821122d0c1969b348cebe09cafe5b5f6a7eb8c27107a0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x376E2 | 32640 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.