Verdict: MALICIOUS
Risk Score: 60
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The PDF file contains an embedded script payload and a hidden external HTML iframe, indicating malicious intent. The embedded script is likely responsible for downloading and executing a second-stage payload from one of the unknown-reputation URLs. The presence of these elements strongly suggests a malicious PDF designed to exploit vulnerabilities and deliver further malware.
Machine Learning
- Nyx PDF Classifier suspicious score 0.4226
Heuristics (3)
- PDF contains hidden external HTML iframe (severity: high, rule PDF_HIDDEN_HTML_IFRAME): PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
- Embedded script payload in PDF stream (severity: medium, rule PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; common in accessible XFA forms but worth surfacing for analyst review.
- Embedded URL (severity: info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://count33.51yes.com/click.aspx?id=334798931&logo=6
  - http://mtv.myshw.net/my.htm
  - http://mtv.myshw.net/Happy1.htm
  - http://mtv.myshw.net/Laoding1.Htm
  - http://mtv.myshw.net/chengxu/my.htm
  - http://mtv.myshw.net/chengxu/index.htm
  - http://www.591my.cn/11/vip.htm
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/iX/1.0/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
Extracted artifacts (11)
Files carved from inside the sample during analysis.
| Filename | Hash (SHA-256) | Kind | Source | Size |
|---|---|---|---|---|
| stream_035_off000af2bc.bin | a1ef5044e53130340c05fb6ea3651c54217e84f9b025c91fb1f612ef88e28f26 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xAF2BC | 23860 bytes |
| stream_036_off000b2db3.bin | dea33af2cba217c55f6a838ade8fd419235a9c6e778373fd674e0a4b2f23fddf | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB2DB3 | 10252 bytes |
| embedded_pdf_script_000cdd61.bin | 731f03b696fbd780f0ce39b3afd15b4f1b92b1e257062c39f9c54edc198d7580 | pdf-embedded-script | PDF decompressed stream script payload at offset 0xCDD61 | 843955 bytes |
| icc_00_off000ae778.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0xAE778 | 3144 bytes |
| font_00_sfnt_off00032a5f.bin | 4545f8701c20fdcf89b7de2af4263942b8b729b509a26f6ff181fa4eb208f5f3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x32A5F | 18528 bytes |
| font_01_sfnt_off00034a43.bin | d74e57d35052083e8fc33ecaa1b08dccf86c67a482236dd514f37b031b65dbe0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x34A43 | 27428 bytes |
| font_02_sfnt_off000385df.bin | 720e5c1a8570246abc82c5d137397617d3acfd35051aea1296e279d43e07043f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x385DF | 10992 bytes |
| font_03_sfnt_off0003a359.bin | e21f5bc8988650471584198fab88f5be2f06a64ae08f688b5d6d0c649cafb6f0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3A359 | 218568 bytes |
| font_04_sfnt_off0003e377.bin | 18176dc9de368ab75e569939bae7528800caa5c99949f7a2b352d448252a6eef | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3E377 | 22704 bytes |
| font_05_sfnt_off00095aed.bin | b8b273cca1c42cc629213af1c5a7da28fc1e67aae0bcac3b4fcaca47b2dbacc9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x95AED | 52356 bytes |
| font_07_sfnt_off000b4696.bin | 8ac1bca95adf0557013e78c8678627d86f3390b730b026898bb9f998f9a11e9e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB4696 | 20064 bytes |