Risk Score: 154 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1071.001 Web Protocols
The PDF contains embedded JavaScript that utilizes `unescape()` and `eval()` functions, indicating obfuscated code execution. This script is designed to open a URI, specifically 'https://www.familycredit.org/debtfree/enrollment.cfm'. The presence of these obfuscation techniques and the embedded URI strongly suggests an attempt to redirect the user to a malicious site, likely for phishing or to download further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9979
Heuristics (6)
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution
- unescape() call (high, PDF_UNESCAPE): unescape() found — often used to decode shellcode in PDF JS exploits
- Embedded script payload in PDF stream (medium, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs
- https://www.familycredit.org/debtfree/enrollment.cfm
- http://michaelbolten.com/online-pharmacy-effexor-top.html
- http://michaelbolten.com/aptos-ca-rite-aid-pharmacy-top.html
- http://michaelbolten.com/canada-pharmacies-restasis-eye-drops-top.html
- http://www.hollywoodbeachrealestate.org/percocet-online-pharmacy-top.html
- http://www.blissentertainment.com.au/online-pharmacy-ultram-top.html
- http://www.blissentertainment.com.au/Hoodia-Patch-Without-Prescription-top.html
- http://www.hollywoodbeachrealestate.org/rx-america-pharmacy-help-desk-top.html
- http://www.hollywoodbeachrealestate.org/order-valium-from-safe-online-pharmacy-top.html
- http://michaelbolten.com/pharmacy-sample-drugs-top.html
- http://www.hollywoodbeachrealestate.org/loestrin-fe-and-mail-order-pharmacy-top.html
- http://www.blissentertainment.com.au/usa-online-pharmacies-that-sell-viagra-top.html
- http://www.blissentertainment.com.au/%244-drugs-food-lion-pharmacy-list-top.html
- http://michaelbolten.com/Buy-tadalafil-top.html
- http://www.hollywoodbeachrealestate.org/pharmacy-tablet-identification-top.html
- http://www.blissentertainment.com.au/no-prescription-drug-pharmacys-online-top.html
- http://www.hollywoodbeachrealestate.org/Order-Crestor-top.html
- http://www.hollywoodbeachrealestate.org/find-pharmacy-health-questions-and-answers-top.html
- http://www.hollywoodbeachrealestate.org/understanding-health-insurance-pharmacy-tiers-top.html
- http://www.blissentertainment.com.au/Micardis-Online-top.html
- http://www.hollywoodbeachrealestate.org/u-s-medical-pharmacy-top.html
- http://www.blissentertainment.com.au/online-pharmacies-that-have-didrex-cheap-top.html
- http://michaelbolten.com/foreign-online-pharmacies-salazopyrin-top.html
- http://www.blissentertainment.com.au/Cheap-Keflex-top.html
- http://www.blissentertainment.com.au/american-pharmacies-that-carry-erfa-thyroid-top.html
- http://michaelbolten.com/Cephalexin-For-Less-top.html
- http://www.blissentertainment.com.au/Purchase-Combigan-top.html
- http://www.hollywoodbeachrealestate.org/why-can%27t-my-pharmacy-get-midrin-top.html
- http://michaelbolten.com/foreign-pharmacy-no-prescription-reviews-top.html
- http://www.blissentertainment.com.au/us-pharmacy-zyrtec-zoloft-rxpricebusterscom-top.html
- http://michaelbolten.com/usa-no-prescription-pharmacy-top.html
- http://www.hollywoodbeachrealestate.org/medical-pharmacy-willimantic-ct-top.html
- http://michaelbolten.com/Cheap-Exelon-top.html
- http://www.hollywoodbeachrealestate.org/all-med-pharmacy-top.html
- http://michaelbolten.com/aquazide-us-pharmacy-no-prescription-top.html
- http://michaelbolten.com/tri-mix-gel-compounding-pharmacy-top.html
- http://michaelbolten.com/progesterone-cream-pharmacy-wisconsin-price-top.html
- http://michaelbolten.com/Temovate-Cream-Without-Prescription-top.html
- http://www.blissentertainment.com.au/pharmacy-care-and-nutrition-top.html
- http://www.blissentertainment.com.au/fox-army-health-center-pharmacy-formulary-top.html
- http://www.hollywoodbeachrealestate.org/Lopid-Sale-top.html
- http://www.blissentertainment.com.au/online-pharmacy-diet-pills-top.html
- http://www.hollywoodbeachrealestate.org/foreign-pharmacies-ritalin-review-top.html
- http://michaelbolten.com/pharmacy-reversible-prescription-vials-top.html
- http://www.hollywoodbeachrealestate.org/no-prescription-german-pharmacy-prednisone-top.html
- http://michaelbolten.com/offshore-pharmacies-vicodin-es-top.html
- http://www.blissentertainment.com.au/phentermine-us-pharmacies-top.html
- http://www.blissentertainment.com.au/pharmacy-prescription-assistance-nevada-top.html
- http://michaelbolten.com/online-pharmacy-phendimetrazine-top.html
- http://michaelbolten.com/Purchase-Lozol-top.html
+32 more URL(s)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_002_off0000bfa0.bin | a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xBFA0 | 264072 bytes |
| embedded_pdf_script_0003d83f.bin | ad3eee20be54a968600b26d4be0959236b9a1a54e33ad3eca21eb511cd64c0b5 | pdf-embedded-script | PDF decompressed stream script payload at offset 0x3D83F | 252173 bytes |
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).