MALICIOUS
114
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.002 Spearphishing Attachment
The PDF contains embedded JavaScript, flagged by multiple heuristics as malicious and correlated with the ML classifier. The document body mimics a sales confirmation for PGP software, including a download link, suggesting a social engineering lure to trick the user into executing the embedded malicious script. The script's exact function is not discernible due to obfuscation, but its presence and the document's deceptive nature strongly indicate it's designed to download and execute a secondary payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Correlated malicious PDF JavaScript signals critical PDF_CORRELATED_MALICIOUS_JSPDF JavaScript or auto-action content is corroborated by exploit staging, ML, or suspicious extracted-artifact findings. This correlation promotes old exploit-kit PDFs that otherwise remain in the suspicious band because each individual signal is intentionally weighted conservatively.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://customers.pgp.com/download/lookup?oid=1248198-0f2b1e4cb5db36f055803cb40f5735fe
- https://support.pgp.com
Open this report in the interactive analyzer, or submit your own file for analysis.