MALICIOUS
82
Risk Score
Machine Learning
- Nyx PDF Classifier suspicious score 0.2963
Heuristics 3
-
Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOADPDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ocsp.verisign.com0 In PDF document text
- http://www.microsoft.com/exportingIn PDF document text
- http://www.sysinternals.comIn PDF document text
- https://www.verisign.com/rpaIn PDF document text
- https://www.verisign.com/rpa01In PDF document text
- http://crl.verisign.com/pca3.crl0In PDF document text
- http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DIn PDF document text
- https://www.verisign.com/rpa0In PDF document text
- http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0In PDF document text
- http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0In PDF document text
- http://crl.microsoft.com/pki/crl/products/CSPCA.crl0HIn PDF document text
- http://www.microsoft.com/pki/certs/CSPCA.crt0In PDF document text
- http://crl.microsoft.com/pki/crl/products/tspca.crl0HIn PDF document text
- http://www.microsoft.com/pki/certs/tspca.crt0In PDF document text
- http://technet.microsoft.com/sysinternalsIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_006_off00007d13.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7D13 | 198504 bytes |
SHA-256: 5ad240fbbaf7bd0484a90a89e2f1190fc377e5af0f218b313c0d3ad756cb7327 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
actual_type=PE; declared_or_context_type=PDF; filename=stream_006_off00007d13.bin; kind=decompressed-pdf-stream
|
|||
icc_00_off000029fb.icc |
pdf-icc-profile | PDF ICC profile at offset 0x29FB | 1320 bytes |
SHA-256: eb03db58ff1f226c83103a11f30b5520f9b68a7ced67daa78992723e3ea0411d |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.