Verdict: MALICIOUS
Risk Score: 68
Malware Insights
MITRE ATT&CK:
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The PDF file exhibits multiple indicators of malicious intent, including embedded files and JavaScript actions. The presence of embedded script payloads and extracted files like 'embedded_file_obj0003.bin' strongly suggests that this document is a dropper or downloader for further malicious content. The benign reputation of all extracted URLs indicates that the primary threat lies within the embedded artifacts rather than external links.
Machine Learning:
- Nyx PDF Classifier: malicious score 0.9776
Heuristics (7):
- Embedded file (low) PDF_EMBEDDED: PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- XFA form (low) PDF_XFA: PDF uses XML Forms Architecture, which can contain script logic.
- JavaScript action (low, 1 related finding) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
- Embedded script payload in PDF stream (info) PDF_EMBEDDED_SCRIPT_PAYLOAD: PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; common in accessible XFA forms but worth surfacing for analyst review.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (17)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| embedded_file_obj0002.bin | pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0xDB8 | 1526 bytes | 637dbe9907624321eb82c8a96f4167de9faf5a155390f9141d10dea3362e6046 | |
| embedded_file_obj0003.bin | pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x10A9 | 228315 bytes | 5ace6fdb557bd6e0b2248263f50edb142ec0bd9438661823924c2f5266534d3e | ClamAV: no threats found; obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs) |
| embedded_file_obj0005.bin | pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0x4CDD | 2936 bytes | c85e8e9965050a43770fe24075fa3403deb5f55adcb0b7afeeed3ec9af9f4c13 | |
| embedded_file_obj0006.bin | pdf-embedded-file | PDF EmbeddedFile object 6 at offset 0x5053 | 200 bytes | 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5 | |
| embedded_file_obj0007.bin | pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x5146 | 324 bytes | 6a0b0a12b186a4a605fb6002a7f9a12c6460c738af88fa0afa49ca882e735ac9 | |
| embedded_file_obj0008.bin | pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0x5263 | 7062 bytes | 00b402f5ccb4f389aec78364db32b06960fbf4282bc4a6b560eba299c9599bc4 | |
| embedded_file_obj0009.bin | pdf-embedded-file | PDF EmbeddedFile object 9 at offset 0x5612 | 1539 bytes | 004372caf9fd2c8f1139bad13f8fa360649cc677d9219d56147dd11a4cfee24e | |
| embedded_file_obj0010.bin | pdf-embedded-file | PDF EmbeddedFile object 10 at offset 0x58CF | 80 bytes | 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19 | |
| embedded_file_obj1106.bin | pdf-embedded-file | PDF EmbeddedFile object 1106 at offset 0xF0D9F | 85 bytes | c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb | |
| embedded_file_obj1107.bin | pdf-embedded-file | PDF EmbeddedFile object 1107 at offset 0xF0E55 | 10483 bytes | 042ea718bdafb0844f350f3767f6f1bbb63e865ece850e11b14c03b786398654 | ClamAV: no threats found; obfuscation or payload: likely (carved artifact contains 1 long base64-like blob) |
| embedded_file_obj1108.bin | pdf-embedded-file | PDF EmbeddedFile object 1108 at offset 0xF1592 | 96 bytes | 5d8a3ab00ece2d8abbcbcf12f41b89e2dc3f2d3e27f1524308149f9bff5eee23 | |
| stream_013_off00016dd3.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x16DD3 | 1532 bytes | f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8 | |
| stream_014_off00016fbe.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x16FBE | 870 bytes | 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb | |
| stream_016_off000173ef.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x173EF | 774454 bytes | a2f39801573572e0f61a4271f9b1bbecd0f78b8a37964dcaea5400d2b85aa2f6 | |
| stream_017_off0008549e.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8549E | 751077 bytes | 0a8b85bdca6d171b1b108b09d6edf274eb23bb01c675c3881a878729e7b400d9 | |
| objstm_1110_00.bin | pdf-objstm-decoded | PDF /ObjStm 1110 0 obj (inflated) | 2301 bytes | 95f9b5c698df9896512fd5669a385c5bc75f53c3ee908ba91b55387c67a35cfe | |
| font_00_sfnt_off00005979.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5979 | 95975 bytes | c29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949 | |