Verdict: MALICIOUS
Risk Score: 64
Malware Insights
MITRE ATT&CK: T1566.002 Spearphishing Attachment
The PDF is encrypted and contains only images, preventing static analysis of its content. This technique is often used to obscure malicious payloads or to create a deceptive lure. The 'PDF_IMAGE_ONLY_LURE' heuristic confirms the presence of images without text, supporting the attack pattern. The encryption itself is flagged by 'PDF_ENCRYPTED'. Without further content, the exact malicious intent cannot be determined, but the structure suggests a delivery mechanism for a social engineering attack.
Machine Learning
- Nyx PDF Classifier: clean score 0.0004
Heuristics (3)
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Encrypted PDF (string and stream contents are opaque to static scan) (info) PDF_ENCRYPTED: PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.impletum.zavod-irc.si/ (in PDF document text)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_178_off0010160d.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x10160D | 105596 bytes | 3bf00670a1a10757e36b693a547ce7b2e6202dd058839873de00c9a023e03937 |
| stream_181_off00116afd.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x116AFD | 25256 bytes | 87c5f0f4a93a94e6e2d9a693ac4dc47a99f6d897ef37318b66c011bcb1df793b |
| font_00_sfnt_off000d3587.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD3587 | 91792 bytes | 88d68cf0b684ff36853f3b72928ae6c8b42caaf4f33bcb23ad795a8e7ddac8b8 |
| font_01_sfnt_off000d6dc0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD6DC0 | 32864 bytes | c941a3f947c77d94485b7a8630367148422912cc8f2e77df652592e1d823af92 |