Verdict: MALICIOUS
Risk Score: 128
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The PDF file contains embedded JavaScript that calls `eval()` and `unescape()`, a pattern consistent with obfuscating and then executing malicious code; this script is likely responsible for downloading and executing a second-stage payload. The many URLs pointing at online-pharmacy pages suggest a phishing or scam lure. Taken together, the heuristics strongly indicate an embedded script payload designed to be executed.
Heuristics (6)
- eval() call (high, PDF_EVAL): eval() found — commonly used for obfuscated exploit execution
- unescape() call (high, PDF_UNESCAPE): unescape() found — often used to decode shellcode in PDF JS exploits
- Embedded script payload in PDF stream (medium, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| stream_002_off0000bc59.bin | a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xBC59 | 264072 bytes |
| embedded_pdf_script_0003d524.bin | f6eacb52f3e9e4a4ac0901ef526158a74de1331f3d8ae8937736deb2f3b660dd | pdf-embedded-script | PDF decompressed stream script payload at offset 0x3D524 | 251378 bytes |
Detection
ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).