MALICIOUS
214
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.001 PowerShell
This PDF file contains multiple critical heuristic firings indicating it is designed to exploit vulnerabilities and deliver a Windows executable payload. Specifically, it triggers PDF_EMBEDDED_PE_PAYLOAD and POLYGLOT_CHILD_PDF_STATIC_TRIAGE, suggesting a multi-stage attack. The presence of an embedded executable file, named 'embedded_pdf_0001706d.exe', further supports this. The document also contains JavaScript, which is often used to facilitate exploits or download additional malicious content.
Heuristics 10
-
CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator high PDF_CCITT_CVE_2010_0188_RELATEDPDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
-
Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOADPDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
-
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGEA valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
-
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LUREPDF has 2 image(s), only 2 text block(s), carries a click-outward action, and is only 290 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/
Extracted artifacts 13
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0002.binc06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb |
pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0x19FA | 85 bytes |
embedded_file_obj0003.bin0cae1494b9c99505bf126e683a1a8be36bc8d5e793ab829e266d6e2fd62ccac3 |
pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x1AAC | 1466 bytes |
embedded_file_obj0005.binf47c3dc8c4eeb64abc2cc332be719add15af6ce6dfdcdb477c08a1aefdbe7477 |
pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0x290F | 11740 bytes |
embedded_file_obj0006.bin226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56 |
pdf-embedded-file | PDF EmbeddedFile object 6 at offset 0x2AD7 | 2928 bytes |
embedded_file_obj0007.bin4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5 |
pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x2E44 | 200 bytes |
embedded_file_obj0008.bind51b9fc28b592405fb598e711d1495e1421571073bc2e8542d55389768716c06 |
pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0x2F37 | 835 bytes |
embedded_file_obj0009.bine65f1e07bc965092b3153e64a1e8777a909cc47a98c0e2a10d38c47def2e6652 |
pdf-embedded-file | PDF EmbeddedFile object 9 at offset 0x3110 | 291 bytes |
stream_002_off000003e1.jsf574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3E1 | 1532 bytes |
stream_007_off0000112a.bin8358d835225babc82acbcbbf2cb07512b8fb3772c5b46ff5956d2c6d02da8c39 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x112A | 3024 bytes |
embedded_pdf_00010737.exed150d638740582f1a139f3e166ac56ee41fdf567cca8a4e101336955c852eb70 |
embedded-pe | PDF raw stream PE payload at offset 0x10737 | 8200 bytes |
embedded_pdf_0001706d.exee26f9498eaa70964218aa08ffc9ed7c11dc41f83927c47373fd011eb7ea793bf |
embedded-pe | PDF decompressed stream PE payload at offset 0x1706D | 104771 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.40, consistent with packed or encrypted content.
|
|||
polyglot_child_pdf_off00017f4f.pdfcefaa2b04d071ed0fc7715de06fbf39b91da3d37812371e7f657cea656147a25 |
polyglot-child-pdf | Secondary PDF body inside pdf container at offset 0x17F4F | 199106 bytes |
polyglot_child_pdf_off00034fca.pdf16d45559e562459e38fa76b649cc905377c795132c9edd739dc6269dddee6322 |
polyglot-child-pdf | Secondary PDF body inside pdf container at offset 0x34FCA | 80199 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.