MALICIOUS
86
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings related to PDF JavaScript actions and streams. The presence of a secondary embedded PDF with suspicious static findings further suggests malicious intent. The JavaScript is likely responsible for downloading and executing a second-stage payload, although the exact mechanism is obscured by obfuscation. The document body is unreadable, providing no direct clues to the lure.
Machine Learning
- Nyx PDF Classifier suspicious score 0.2703
Heuristics 6
-
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGEA valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LUREPDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.innocalsolutions.com/default.asp?referred_id=
- http://www.masterflex.com/index.asp?referred_id=
- http://www.4oakton.com/?referred_id=
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/photoshop/1.0/
- http://ns.adobe.com/tiff/1.0/
- http://ns.adobe.com/exif/1.0/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
- http://ns.adobe.com/xap/1.0/g/img/
- http://ns.adobe.com/xap/1.0/t/pg/
- http://ns.adobe.com/xap/1.0/sType/Dimensions#
- http://ns.adobe.com/xap/1.0/sType/Font#
- http://ns.adobe.com/xap/1.0/g/
- http://www.coleparmer.com/home.aspx?referred_id=
- http://www.coleparmer.com/Product/
Extracted artifacts 16
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0214_000.js5013ae210f185f324444c5503254a24d134aa01a19a7935beea1e8070519917c |
pdf-javascript-stream | PDF /JS object 214 at offset 0x2ABFC | 81 bytes |
javascript_obj0215_001.js9921773e6c2168b7f46a7177892b4345297532400ef9a5a345d320ccb5ff0fbe |
pdf-javascript-stream | PDF /JS object 215 at offset 0x2AC84 | 64 bytes |
javascript_obj0286_025.jsfdba0f174d2d75ea28ded05dca99a18beed6ac1b209e6ceb6b558dccae6fa8d4 |
pdf-javascript-stream | PDF /JS object 286 at offset 0x2E6BD | 2346 bytes |
icc_00_off0000535f.icc2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e |
pdf-icc-profile | PDF ICC profile at offset 0x535F | 3144 bytes |
font_00_cff_off00011cff.bin1f6ad89482caa1ccdbcdda604cef584ae78fa849418012968b9c177bd8c286f2 |
pdf-font-stream | PDF embedded font (cff) at offset 0x11CFF | 788 bytes |
font_01_cff_off000127e9.bin18936ae00b1753a1a2d127898af62aaf2688c739b71fb0fa26adb81cc51f1ddf |
pdf-font-stream | PDF embedded font (cff) at offset 0x127E9 | 6513 bytes |
font_02_cff_off00014639.bin7e209cc29addfd5bf5520bd2e6d316e4053ab9cab9bc2808081df6d146dbd0ea |
pdf-font-stream | PDF embedded font (cff) at offset 0x14639 | 8856 bytes |
font_03_cff_off00016e64.bine8b68087cab38440e7b26248aed056f09b17d22c05f67b40ccf32a86dc921a0a |
pdf-font-stream | PDF embedded font (cff) at offset 0x16E64 | 8426 bytes |
font_04_cff_off00019428.bin34e70eabce3f378c05c7208eff7508083aaef100e37910c84cd60d02b028e2f0 |
pdf-font-stream | PDF embedded font (cff) at offset 0x19428 | 7449 bytes |
font_05_cff_off0001b178.bin3a58bc3d62b90f3a592f00eb18eb9135735bc88645fd775e4a0e0c2aefc56225 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1B178 | 1675 bytes |
font_06_cff_off0001bcb9.bin96109c84b431285a6d85b5e0632251fc50eebf3a9230401a5f4e0d67638259f9 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1BCB9 | 4856 bytes |
font_07_cff_off0001d5c1.bin6510a3044200fe26bf164e082035f3d228b81ce4d2cc252187327c2e43a16ad5 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1D5C1 | 6624 bytes |
font_08_cff_off0001ee02.binab0ddb6f14c7a621fe10fdae885b4b0bfa758fb4a60844f99756d59fef75d370 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1EE02 | 2978 bytes |
font_09_cff_off0001fd50.bin12e1b26a3a93159dfef12fe4a466101db3e70a4df9d1e1fc03bacc92935011b3 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1FD50 | 3937 bytes |
font_10_cff_off000212ed.bine60c955ce24fe7f543377e1a851711049786332e96e3ba29e621fa6526409dde |
pdf-font-stream | PDF embedded font (cff) at offset 0x212ED | 7239 bytes |
polyglot_child_pdf_off00000009.pdf926b7fc24850bc0dd5db144fd1ab1baaa166e830ace20ec71773ba0cfe79ec9b |
polyglot-child-pdf | Secondary PDF body inside pdf container at offset 0x9 | 201741 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.