Verdict: CLEAN
Risk Score: 16

Malware Insights

MITRE ATT&CK: T1566.002 Spearphishing Attachment
The PDF file is encrypted and contains no readable text, but heuristics indicate it is an image-only lure with invisible links. One embedded URL, http://anzeigen.automatisieren.org, was extracted. The presence of invisible links and an external URL suggests an attempt to redirect the user to a malicious site, likely for phishing or malware delivery.
Machine Learning
- Nyx PDF Classifier clean score 0.0408
Heuristics (5)
- AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON: PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Encrypted PDF (string and stream contents are opaque to static scan) [info] PDF_ENCRYPTED: PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
- Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs and the channel that reached each:
  - http://anzeigen.automatisieren.org (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/g/img/ (in PDF document text)
  - http://ns.adobe.com/photoshop/1.0/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/pdfx/1.3/ (in PDF document text)
  - http://www.npes.org/pdfx/ns/id/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in PDF document text)
  - http://ns.adobe.com/xmp/InDesign/private (in PDF document text)
  - http://ns.adobe.com/xap/1.0/sType/ManifestItem# (in PDF document text)
  - http://ns.adobe.com/xap/1.0/t/pg/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/sType/Dimensions# (in PDF document text)
  - http://ns.adobe.com/xap/1.0/g/ (in PDF document text)
  - http://ns.adobe.com/illustrator/1.0/ (in PDF document text)
  - http://www.iec.ch (in PDF document text)
Extracted artifacts (31)
Files carved from inside the sample during analysis. Each row lists the carved file, its kind, where it was carved from, its size, its SHA-256, and any detection notes (ClamAV result and the obfuscation/payload check).
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| stream_042_off00068447.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x68447 | 14385 bytes | 347fa4975374e30d085bb497e468c7dbd3cb041240f38b2a9ef5bb04fe0969ad | ClamAV: no threats found. Obfuscation or payload: likely; 255 of 401 identifiers look randomly generated (e.g. 'lQQR4g4aCLYx55WE21kJSVjM9HK9QOO9OuGN70lj') — consistent with name-mangling obfuscation. |
| stream_059_off0007ee00.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7EE00 | 26163 bytes | a575a65db9d3134e3c2862579ac5c91bd127bb1b46b397e1e7799789258e4502 | ClamAV: no threats found. Obfuscation or payload: likely; 347 of 528 identifiers look randomly generated (e.g. 'BUXD1CC4Mkbi0EAmPDVJTEX0OudjtsYbmDc6sOG4'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation. |
| stream_068_off000df681.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xDF681 | 29426 bytes | 7f22c065a4e9571021f055896c5ec5af322d9aa40184f63610bb430545a20f64 | ClamAV: no threats found. Obfuscation or payload: likely; 571 of 772 identifiers look randomly generated (e.g. 'xV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxVjGt63f22'); 7 string-concatenation chain(s) — consistent with name-mangling obfuscation. |
| stream_070_off000ea8c4.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xEA8C4 | 8928 bytes | a52939c26bc40060f4052671a033d5c74a69c12ab3fbf9064d5c38e602043a67 | |
| stream_075_off000f8b1f.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF8B1F | 182616 bytes | 51759321d91aeec8ce5801e3386e5325b7699f298fea9933f420a1eee76aefe5 | |
| stream_076_off001034a0.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1034A0 | 178022 bytes | bbb3c4ec88ab5cb4c8262819064f8a7734d51e8508701eff14a230afdce3f7b7 | |
| stream_141_off0012ce4b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x12CE4B | 16499 bytes | 853cc2a1da64462e463d2bcac0abbcbbf1d5bc86302365e338f3b619b0895180 | ClamAV: no threats found. Obfuscation or payload: likely; 322 of 484 identifiers look randomly generated (e.g. 'DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8f'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation. |
| icc_00_off0011d9f6.icc | pdf-icc-profile | PDF ICC profile at offset 0x11D9F6 | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | |
| font_00_cff_off00133798.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x133798 | 4612 bytes | c135bd10aa763f1735fd865330705f3a2c152f2f1eb2fddfb0f8a9645a11e851 | |
| font_01_cff_off001347e7.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1347E7 | 7224 bytes | cd04c7f31a5ee861ee0f0381221d4a6ab1d373e83f490aa2663814869c851395 | ClamAV: no threats found. Obfuscation or payload: likely; carved artifact entropy is 7.43, consistent with packed or encrypted content. |
| font_02_cff_off0013612d.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x13612D | 6076 bytes | 5c14c402798c4de2449e030a5b3b1a323b209bfb47174b36cba058147b780739 | ClamAV: no threats found. Obfuscation or payload: likely; carved artifact entropy is 7.42, consistent with packed or encrypted content. |
| font_03_cff_off0013765b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x13765B | 6313 bytes | 9166ca938dbd04cbc4cd8eb71d1f80c87f507029599f65f2a89c1328c24a881f | |
| font_04_cff_off00138c10.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x138C10 | 9926 bytes | 2d4494be06b9330e583fb33f5881f2af54413511cf7dd6a3f5f150007a3a8df5 | |
| font_05_cff_off0013ff96.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x13FF96 | 6037 bytes | 5d99600207c9d06e1734b78c9a0cd90530f0793353bf2f22bb368f49ad4e00ff | |
| font_06_cff_off0014287b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x14287B | 3129 bytes | cac52d7523a2d6f467d8c43444d817ecf9b84b5df1f7540d19868e3d3f122cd3 | |
| font_07_cff_off0014375c.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x14375C | 2641 bytes | 288f4c8303dfd5dc85ccf2ba77ae9eb2e74b37e7978626a8072af0862c3b15f0 | |
| font_08_cff_off0014409c.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x14409C | 1007 bytes | 97c912aa24ae80bea8faccf54059567914b7494b8b6eb1b0a313193928c4f960 | |
| font_09_cff_off001444c5.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1444C5 | 2082 bytes | ba460df4b623dad1bd10e0a274bc159b00f3b07e2882b6fa7d4d5fd1b14a94b5 | |
| font_10_cff_off001452c2.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1452C2 | 1891 bytes | c40f3f6968698bb045deab4d02f6c9690910dae1d13f8d9ac8e59347406130eb | |
| font_11_cff_off001490bf.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1490BF | 1847 bytes | a5701a518523d74bd2b349d076fdbccfff250bd5adcc4ddaf76f53c86fd4e5f8 | |
| font_12_cff_off001497da.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1497DA | 4405 bytes | 950585a120d98586e4121549b935f5c011c0a5db389d1d772654a9bd3e78b948 | |
| font_13_cff_off0014a7b5.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x14A7B5 | 4988 bytes | d0bd9ee476137f3217acb0845eb46ed686e82abea1df048015d4f08a0af799c8 | ClamAV: no threats found. Obfuscation or payload: likely; carved artifact entropy is 7.46, consistent with packed or encrypted content. |
| font_14_cff_off0014bbc8.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x14BBC8 | 4548 bytes | 2aad6546f406d93c1e270322c9ab0bb706188d3379f93ee1ce30cabfe1cc111b | |
| font_15_cff_off0014cbad.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x14CBAD | 2952 bytes | ab7976cd4ab59548b677ca7ba3bc72a149a994ad903d7959ca8f443434c09e5f | |
| font_16_cff_off00154a6a.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x154A6A | 323 bytes | 1962d86d95ef3e119c5505cd65c00640c591b23f87b8af0f117b4f9110490359 | |
| font_17_cff_off00154d04.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x154D04 | 3507 bytes | 7ba1732d8bd19efe3e134b45d44b951e59097ee9c0c6e10dc7faca60b53514ea | |
| font_18_cff_off0015572e.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x15572E | 2110 bytes | af13cca967769ecb2fee094d413269cb42e32453d3114aad51f1e06a4ce38157 | |
| font_19_cff_off00155d45.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x155D45 | 4453 bytes | 0ef27d392b298eea5e47629f9db7d24428f9eb44311df00c43c3da2731339a7f | |
| font_20_cff_off00156ad5.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x156AD5 | 2078 bytes | f23ddce6407dadf40c4054794ec3becd4debf035c1c22a8956d6b54d08dc5b6c | |
| font_21_cff_off0015724d.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x15724D | 703 bytes | 83a723b51629372ccfe9acc5ba1c7afc2759fa06b92ee18cfc2f8a6a5ccce926 | |
| font_22_cff_off0015756c.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x15756C | 2717 bytes | 6ce6a4854924bba1cbef2f4fef7d42df4d6d72eb1f755eaf5511da224633c9ef | |