Verdict: MALICIOUS
Risk Score: 88
Digital signature: Signed
A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The PDF file exhibits multiple suspicious characteristics, including embedded files and JavaScript actions. One embedded file, 'embedded_file_obj0003.bin', is particularly large and flagged as a potential payload. The presence of JavaScript and embedded files strongly indicates an attempt to download and execute a secondary malicious payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.7298
Heuristics (8)
- Embedded script payload in PDF stream (medium, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
- Embedded file (low, PDF_EMBEDDED): PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- XFA form (low, PDF_XFA): PDF uses XML Forms Architecture, which can contain script logic.
- JavaScript action (low, 1 related finding, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (Matched inside decoded stream.)
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (Matched inside decoded stream.)
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs
- https://www.services-publics.lu/assistants/public-defo?ECITIZ_ACTIVITY_PATH=Usager&ECITIZ_PROCESS_ID=MULT-DEFO&FORM_TYPE_ID=PARQUET_CASIER (Referenced by PDF JavaScript)
- http://w.evcspbisl/sitnspbi-eoEII_CIIYPT=sgrapEII_RCS_DML-EOapFR_YEI=AQE_AIR (Referenced by PDF JavaScript)
- http://wwsrie-ulc.uassat/ulcdf?CTZATVT_AHUae&m (Referenced by PDF JavaScript)
- http://ocsp.verisign.com0 (Referenced by PDF JavaScript)
- http://www.monotype.comMonotype (Referenced by PDF JavaScript)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (Referenced by PDF JavaScript)
- http://ns.adobe.com/xap/1.0/ (Referenced by PDF JavaScript)
- http://ns.adobe.com/pdf/1.3/ (Referenced by PDF JavaScript)
- http://ns.adobe.com/xap/1.0/mm/ (Referenced by PDF JavaScript)
- http://purl.org/dc/elements/1.1/ (Referenced by PDF JavaScript)
- http://ns.adobe.com/xfa/promoted-desc/ (Referenced by PDF JavaScript)
- http://cgi.adobe.com/special/acrobat/update (Referenced by PDF JavaScript)
- http://ns.adobe.com/xdp/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xci/2.8/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-template/2.8/ (Referenced by PDF JavaScript)
- http://www.w3.org/1999/xhtml (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-data/1.0/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-template/2.6/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-locale-set/2.7/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-locale-set/2.6/ (Referenced by PDF JavaScript)
- http://www.xfa.org/schema/xfa-form/2.8/ (Referenced by PDF JavaScript)
- http://crl.verisign.com/tss-ca.crl0 (Referenced by PDF JavaScript)
- http://crl.verisign.com/ThawteTimestampingCA.crl0 (Referenced by PDF JavaScript)
- https://www.verisign.com/rpa (Referenced by PDF JavaScript)
- https://www.verisign.com/rpa01 (Referenced by PDF JavaScript)
- http://crl.verisign.com/pca3.crl0 (Referenced by PDF JavaScript)
- http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D (Referenced by PDF JavaScript)
- https://www.verisign.com/rpa0 (Referenced by PDF JavaScript)
- http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0 (Referenced by PDF JavaScript)
- http://www.adobe.com/type (Referenced by PDF JavaScript)
- http://www.adobe.com/type/legal.html (Referenced by PDF JavaScript)
- http://ocsp.verisign.com/ocsp/status0 (Referenced by PDF JavaScript)
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0 (Referenced by PDF JavaScript)
- http://www.microsoft.com/typography (Referenced by PDF JavaScript)
- http://www.monotype.com/html/mtname/ms_arial.html (Referenced by PDF JavaScript)
- http://www.monotype.com/html/mtname/ms_welcome.html (Referenced by PDF JavaScript)
- http://www.monotype.com/html/type/license.html (Referenced by PDF JavaScript)
- http://ns.adobe.com/xfdf/ (In PDF document text)
Extracted artifacts (14)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_file_obj0001.bin | pdf-embedded-file | PDF EmbeddedFile object 1 at offset 0xD48 | 163 bytes | f89a7ea6f4981982f79e1dd7c260b7decca329425592bbceb6e836233432db38 |
| embedded_file_obj0002.bin | pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0xE39 | 1865 bytes | c0ff34361d0f29dcf5b32f3663cf7871be6743314472ab36e1bf697e48fe37ef |
| embedded_file_obj0003.bin | pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x1186 | 302323 bytes | 9a972ab3aba9719910bb3c83b7bf26b7cd75c337346f0a73f6b9f075d2a67b90 |
| embedded_file_obj0004.bin | pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0x2A815 | 5615 bytes | bae54e3600ae615bf3fb783f9d056684ba872ac2166c4eb2a68ca4ee68db1598 |
| embedded_file_obj0005.bin | pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0x2ABC2 | 568 bytes | 81920c6b4f4d3d48e7fa787b9ce1f7263749d557524beaf1523eff625319769f |
| embedded_file_obj0006.bin | pdf-embedded-file | PDF EmbeddedFile object 6 at offset 0x2AD13 | 121 bytes | 90938f9e3cdf6db2eeee31ed7c949f3b0952b799b670df73d2e56d31bfcc8d34 |
| embedded_file_obj0007.bin | pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x2ADD0 | 1535 bytes | 57284e035654e7e3d8dd0c3b32b4f90b83779138adce9ca2dbded5b9d36ce021 |
| embedded_file_obj0008.bin | pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0x2B095 | 80 bytes | 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19 |
| stream_002_off0000034d.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x34D | 1313 bytes | f94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf |
| stream_003_off0000052b.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x52B | 902 bytes | 1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd |
| stream_017_off0003b48f.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3B48F | 367087 bytes | b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa |
| stream_018_off0006dca2.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6DCA2 | 352198 bytes | 1e8564d3d89047875dccaa98279599de9d7ddf77240906041f1156ba8edf3315 |
| objstm_0042_00.bin | pdf-objstm-decoded | PDF /ObjStm 42 0 obj (inflated) | 592 bytes | 44021cf6079418bf15b3a212398ffc33521d4e37c0e5f94d11dc29851b20f352 |
| font_00_sfnt_off0002b1ab.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B1AB | 95975 bytes | c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949 |

Detection detail for embedded_file_obj0003.bin
- ClamAV: No threats found
- Obfuscation or payload: likely. 4465 of 7309 identifiers look randomly generated (e.g. 'CHUAAHISN5AWcb6vlRwA0Fqx2IpwZ7PZKAZcYT6f'); 59 string-concatenation chain(s), consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).