Verdict: MALICIOUS
Risk Score: 100

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1204.002 Malicious File
The PDF file contains multiple embedded JavaScript streams and triggers JavaScript actions, including the use of eval(). This indicates an attempt to execute arbitrary code. The presence of an embedded file and numerous streams suggests obfuscation or a multi-stage attack. The primary malicious IOC is the URL http://www.advdelphisys.com/, which is likely used to download a secondary payload.
Heuristics (8)

- eval() call (severity: high, rule PDF_EVAL): eval() found — commonly used for obfuscated exploit execution
- Unusually high stream count (severity: medium, rule PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
- JavaScript action (severity: low, rule PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (severity: low, rule PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file (severity: low, rule PDF_EMBEDDED): PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
- String.fromCharCode (severity: low, rule PDF_FROMCHARCODE): String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
- AcroForm button with action trigger (severity: low, rule PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
- Embedded URL (severity: info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs extracted:
  - http://www.advdelphisys.com/
  - http://www.monotype.com (label: Monotype)
  - http://www.olms.dol.gov
  - http://www.adobe.com/products/acrobat/readstep.h\
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://ns.adobe.com/xap/1.0/t/pg/
  - http://purl.org/dc/elements/1.1/
  - http://www.monotype.com/html/mtname/ms_arial.html
  - http://www.monotype.com/html/mtname/ms_welcome.html
  - http://www.monotype.com/html/type/license.html
  - http://ns.adobe.com/iX/1.0/
Extracted artifacts (32)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| ClientEnvironment | beb3462d625d0908f9f83f9eb33269867ac9843b5139ac5d3cda3ffcbda539d9 | pdf-embedded-file | PDF EmbeddedFile object 1025 at offset 0x8CDDC | 1002 bytes |
| javascript_obj1252_000.js | 3a1171d5c29a38e4d6ee9145e1a28845c833c1d0195915aee008bea71b971a75 | pdf-javascript-stream | PDF /JS object 1252 at offset 0x526B8 | 34 bytes |
| javascript_obj1253_001.js | ad3beb36c9be904cb528af802aca057ca0f97e99bd6c0401cf86f05dc45ba258 | pdf-javascript-stream | PDF /JS object 1253 at offset 0x5270E | 54 bytes |
| javascript_obj1254_002.js | 011b69045b66b6966dda07e6574c3e601347369aec52dfa520c28ea3c80c4546 | pdf-javascript-stream | PDF /JS object 1254 at offset 0x5277A | 48 bytes |
| javascript_obj1255_003.js | 3aafe97981aa219647c6afeeefc2f4f22721d2604cdc1ec43aa4ab12754926d5 | pdf-javascript-stream | PDF /JS object 1255 at offset 0x527E4 | 51 bytes |
| javascript_obj1257_005.js | acb2b89f84755059d88c59f29ba927217c66aa24b0b7e082f0d4ea869f5f4206 | pdf-javascript-stream | PDF /JS object 1257 at offset 0x528A1 | 53 bytes |
| javascript_obj1263_006.js | 43568d8dc529b9fe39029fa296993215eaf60156ef86b8186cbc2d2ee24d2b76 | pdf-javascript-stream | PDF /JS object 1263 at offset 0x52A2A | 68 bytes |
| javascript_obj1264_007.js | 948d246143266b551322fee0ce6809f6228f1d2c6e954998905235689e805af8 | pdf-javascript-stream | PDF /JS object 1264 at offset 0x52AA4 | 52 bytes |
| javascript_obj1269_008.js | 0eb1aad3aee3cb327cae7671ec2675aacfc7f1150c775919aa03e6a08a3925c9 | pdf-javascript-stream | PDF /JS object 1269 at offset 0x52BD4 | 52 bytes |
| javascript_obj1270_009.js | b1a9fb15b55bae252ec2934fefa0390bb1221220f729b18c6c57ed7de71ebebf | pdf-javascript-stream | PDF /JS object 1270 at offset 0x52C3E | 38 bytes |
| javascript_obj1271_010.js | 75ba8fe718bf1aa28c28b0badf17592b43c66f649b97d55fb1ad820ef5cb16eb | pdf-javascript-stream | PDF /JS object 1271 at offset 0x52C9A | 43 bytes |
| javascript_obj1273_011.js | 5bfd1fcd6dbbeb0427be95ca6f2538ef873a86bf11feb7a053a2e3f880b3a2b2 | pdf-javascript-stream | PDF /JS object 1273 at offset 0x52D58 | 47 bytes |
| javascript_obj1277_012.js | 0fb0bc5871c4772aaf6ad76554d1f02b8542fccb3435e8b8bb2e5bd06ecfdbc1 | pdf-javascript-stream | PDF /JS object 1277 at offset 0x52E0C | 35 bytes |
| javascript_obj1286_015.js | 15db25e9f31cc1db67b813a9f5752a0b3a0990aeb733dcd3a675650ae36e7194 | pdf-javascript-stream | PDF /JS object 1286 at offset 0x54B5E | 53 bytes |
| javascript_obj1287_016.js | 37cba162c45cc497ccfabffa10e19a4594277f8f45f4eb07164d1b740dc8aa6c | pdf-javascript-stream | PDF /JS object 1287 at offset 0x54BC5 | 37 bytes |
| javascript_obj1290_018.js | b49875e7a786cc7d62191be88c49afc7a7f53551d4ec30ddf24c3fd7583d7233 | pdf-javascript-stream | PDF /JS object 1290 at offset 0x54C93 | 33 bytes |
| javascript_obj1292_020.js | 4eb7d5ace7194418d2ca5bc75cbf1493c6d7310a7cf2edd0215d7a8ba209df69 | pdf-javascript-stream | PDF /JS object 1292 at offset 0x54D24 | 47 bytes |
| javascript_obj1294_021.js | d142b227ef353e292510aacdf9509469e367287182a0ee3ddd10130546ef3d45 | pdf-javascript-stream | PDF /JS object 1294 at offset 0x54DD7 | 46 bytes |
| javascript_obj1298_022.js | 9e58df098f822aaa721ed10dcebdad81bb5a1237f57b3d2ab894dd7e22b381a4 | pdf-javascript-stream | PDF /JS object 1298 at offset 0x54F12 | 59 bytes |
| javascript_obj1300_023.js | 97d4961192fe0adef35677e51ca072bd70429e8e9aa55d02744c0e4262f499a0 | pdf-javascript-stream | PDF /JS object 1300 at offset 0x54FDC | 48 bytes |
| javascript_obj1303_024.js | 7e0807da407b7681e052a2ac612ae17b162df02b71e1249809ec4de5528d4c5d | pdf-javascript-stream | PDF /JS object 1303 at offset 0x550A5 | 56 bytes |
| javascript_obj1305_025.js | 5ac9b01a6870ec29a1cb91df721807e91e62e17e2594874d6da94017a9617dbb | pdf-javascript-stream | PDF /JS object 1305 at offset 0x55165 | 59 bytes |
| javascript_obj1307_026.js | 33595198d6819a3bb1f9ade0cb3d0dc864c58c1b2c871a4c8d127892e43e8818 | pdf-javascript-stream | PDF /JS object 1307 at offset 0x5522C | 57 bytes |
| javascript_obj1312_027.js | 2a7f7eeccd6e0f1c2d5f3853c2712947e6f02f5365310ce3ad4347bf7190ff92 | pdf-javascript-stream | PDF /JS object 1312 at offset 0x55396 | 66 bytes |
| javascript_obj1314_028.js | 1d2a6e349c743912089cadfd9cc026a38f06c3a717feb835d65838ad2024a65a | pdf-javascript-stream | PDF /JS object 1314 at offset 0x55468 | 63 bytes |
| javascript_obj1316_029.js | 8af14d4bcfa43789b7492523c723805c1d28215dfe83b471654347713c052335 | pdf-javascript-stream | PDF /JS object 1316 at offset 0x55535 | 59 bytes |
| javascript_obj1318_030.js | 53db24e58427768002f53fd3a8c4e1b5c55c35a7dc544d0cdf3eba1e5178e0b6 | pdf-javascript-stream | PDF /JS object 1318 at offset 0x555F8 | 65 bytes |
| javascript_obj1319_031.js | c2e6b56da9eaf64b4435e817c688a39e837635e65c9550b1880bffcd36a8defd | pdf-javascript-stream | PDF /JS object 1319 at offset 0x55669 | 162 bytes |
| javascript_obj1321_032.js | 4e619262277086c0fa9493f20043e236b838ec4cf933981a9ea5cc0d4c01d0c5 | pdf-javascript-stream | PDF /JS object 1321 at offset 0x558FE | 106 bytes |
| javascript_obj1322_033.js | 46d680a99e51f3a29f99b4cffd2121bbab1719982aca54bc6d3f86624d30ba52 | pdf-javascript-stream | PDF /JS object 1322 at offset 0x559A0 | 49 bytes |
| javascript_obj1328_037.js | 2c44f622282dffd17742bb5ef78a8f001f345a30097360af9ecc1db2c4439043 | pdf-javascript-stream | PDF /JS object 1328 at offset 0x55B6F | 54 bytes |
| javascript_obj1332_038.js | 64379f2bd499310a0fd1ea3856e8a6f73b84c55906772e65555aaed5e9f77a38 | pdf-javascript-stream | PDF /JS object 1332 at offset 0x55CBA | 53 bytes |