MALICIOUS
72
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a hidden external HTML iframe, indicating an attempt to redirect the user to malicious content. The embedded URLs are associated with this redirection. The heuristics suggest a phishing or redirection attack, likely to download further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9482
Heuristics 2
-
PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAMEPDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://fuadrenal.com/lib/index.php In PDF document text
- http://reycross.com/lib/index.phpIn PDF document text
- http://odmarco.com/lib/index.phpIn PDF document text
- http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_001_off0000049b.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x49B | 91432 bytes |
SHA-256: 5b0765156a7522e1b20f16cb911bf3a03d568d8ee9f5cab18481d8449fa81040 |
|||
stream_002_off0000b9ed.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB9ED | 264072 bytes |
SHA-256: a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.