Malicious PDF — malware analysis report

Heuristics 7

• eval() call high PDF_EVAL
  eval() found — commonly used for obfuscated exploit execution
• Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
  PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
• Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
• JavaScript action low PDF_JAVASCRIPT
  PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
  The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://bonus.s7

  • http://schemas.xmlsoap.o��
  • http://lqotX-.dns-stu@H
  • http://luizsilva-001-site@
  • http://www.fyedit.cn/maindll/
  • http://certs.ox
  • https://apis.google
  • http://www.w3.org/2001/XMLScher�
  • http://www.w3.org/2003/05/�

Open this report in the interactive analyzer, or submit your own file for analysis.