SUSPICIOUS
44
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a heuristic indicating it's a lure for a password-protected archive, suggesting a delivery mechanism to hide a malicious payload. It also embeds a URL that could be used for further stages of the attack. No scripts were extracted from this sample, limiting the ability to determine specific execution methods.
Machine Learning
- Nyx PDF Classifier clean score 0.0008
Heuristics 3
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://thelivinbrand.com/is/is.php PDF link annotation
- http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c26d.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC26D | 12340 bytes |
SHA-256: 8cfa53d1ad4b9c44fd50763e2b771a3d74e900fbd4a10f1be120e571d3195c7a |
|||
font_01_sfnt_off0000d46c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD46C | 23648 bytes |
SHA-256: 6e7eba5b20609166ae36076aabd0e04ff30af0fbdf9619d35274725eca0a414a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.