Verdict: SUSPICIOUS (risk score 50)

Malware Insights

MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript (the only scripting content in the file is Acrobat JavaScript; nothing in the sample involves PowerShell)
The PDF carries two small JavaScript actions (objects 29 and 30, carved out under Extracted artifacts). Both are the stock AcroForm number-field helpers that Acrobat itself emits for a numeric form field, AFNumber_Keystroke and AFNumber_Format, here configured for two decimals with European separators (sepStyle 2, i.e. 1.234,56), which fits the German direct-debit and pricing text in the document body. Neither script downloads, launches or evaluates anything, so the scripts alone do not support a second-stage-payload reading. What keeps the file in the suspicious band is the ML classifier (malicious score 0.9983) together with one indirect object that is defined twice with different bodies; that duplicate is a parser-confusion shape worth resolving both first-wins and last-wins before clearing the file, even though body-only differences are also routine in benign incremental updates. The remaining heuristic findings are low or informational.
Machine learning
- Nyx PDF Classifier malicious score: 0.9983
Heuristics (4)

- JavaScript action (low, 1 related finding) [PDF_JAVASCRIPT]: the PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low) [PDF_JS]: the PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Object number defined twice with different bodies (info) [PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: the same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info) [EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. All seven were found in document text, none in JS or a link annotation. Six are XMP metadata namespace URIs (RDF, Adobe XMP/PDF schemas, Dublin Core); the IEC homepage most likely comes from the description strings of the embedded sRGB IEC61966-2.1 ICC profile.
  - http://www.iec.ch (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/iX/1.0/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
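The two findings that matter here, a /JS action that may be benign form boilerplate and an indirect object defined twice, are easiest to reason about by resolving the duplicate both ways and triaging whatever /JS each resolution yields. The following is an added Python example, not the analyzer's own code; it runs over a constructed miniature PDF (not the reported sample) in which objects 29 and 30 carry the same AFNumber_* actions seen above and an incremental update redefines object 29. The benign and dangerous API lists, the object/string parsing, and the `example.invalid` URL are assumptions made for the illustration; only literal-string /JS values are parsed.

```python
import re
from collections import defaultdict

# Constructed sample (not the file from the report): a minimal AcroForm PDF whose
# numeric field carries the stock AFNumber_* actions as objects 29 and 30, followed
# by an incremental update that redefines object 29 with a different /JS body.
# A first-wins reader sees the benign formatter; a last-wins reader sees app.launchURL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> >>
endobj
4 0 obj
<< /T (Preis) /FT /Tx /AA << /K 29 0 R /F 30 0 R >> >>
endobj
29 0 obj
<< /S /JavaScript /JS (AFNumber_Keystroke(2, 2, 0, 0, "", true);) >>
endobj
30 0 obj
<< /S /JavaScript /JS (AFNumber_Format(2, 2, 0, 0, "", true);) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
29 0 obj
<< /S /JavaScript /JS (app.launchURL("http://example.invalid/x", true);) >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" pairs; \bobj\b stops "endobj" from matching as an object header.
OBJ_RE = re.compile(rb"(?<![0-9A-Za-z])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Acrobat's built-in AcroForm formatters/validators: boilerplate, not a payload (assumed list).
BENIGN_FORM_API = re.compile(
    rb"^\s*AF(Number|Date|Time|Percent|Special|Simple|Range)_(Keystroke|Format|Calculate)\s*\(")
# Document-level APIs that warrant manual review when they appear in PDF JS (assumed list).
DANGEROUS_API = re.compile(
    rb"\b(app\.launchURL|exportDataObject|submitForm|util\.printf|app\.setTimeOut|eval|unescape)\b")


def parse_objects(data):
    """Map (num, gen) -> list of body bytes in file order, duplicates preserved."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_definitions(objs):
    """Objects defined more than once with differing bodies (the PDF_DUPLICATE_OBJ_BODY shape)."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def read_literal_string(body, start):
    """Read a PDF literal string starting at body[start] == b'('.

    Handles nested balanced parentheses and backslash-escaped bytes; a naive
    '\\(.*?\\)' regex would stop at the first ')' inside a function call.
    """
    depth, i, out = 0, start, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":                      # escaped byte: keep it, drop the backslash
            out += body[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def extract_js(body):
    """Return the /JS script from an object body, or None (literal strings only)."""
    m = re.search(rb"/JS\s*\(", body)
    return None if m is None else read_literal_string(body, m.end() - 1)


def triage_script(js):
    if BENIGN_FORM_API.match(js):
        return "benign-form-boilerplate"
    if DANGEROUS_API.search(js):
        return "dangerous-api"
    return "unclassified"


def analyse(data, resolution="last"):
    """Resolve duplicates first-wins or last-wins, then extract and triage every /JS."""
    objs = parse_objects(data)
    report = {"duplicates": sorted(duplicate_definitions(objs)), "scripts": {}}
    for key, bodies in objs.items():
        body = bodies[-1] if resolution == "last" else bodies[0]
        js = extract_js(body)
        if js is not None:
            report["scripts"][key] = (js.decode("latin-1"), triage_script(js))
    return report


if __name__ == "__main__":
    for mode in ("first", "last"):
        r = analyse(SAMPLE_PDF, mode)
        print(f"{mode}-wins: duplicates={r['duplicates']}")
        for key, (js, verdict) in sorted(r["scripts"].items()):
            print(f"  obj {key[0]} {key[1]}: {verdict:24} {js}")
```

Run against the real sample you would carve each object body from the file rather than a string, but the decision logic is the same: if first-wins and last-wins resolve the duplicated object to the same triage class, the duplicate is the benign incremental-update case; if they diverge, the file is targeting a specific reader and needs manual review regardless of the ML score.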
Extracted artifacts (5)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0029_000.js | pdf-javascript-stream | PDF /JS object 29 at offset 0x4C26 | 41 bytes | 6aeb2fc8f6b0dba7b9d76914b437aa0140bcd183b4c2b0d2b66173e7a39a1974 |
| javascript_obj0030_001.js | pdf-javascript-stream | PDF /JS object 30 at offset 0x4C80 | 38 bytes | dd4e86ff46931388298d522a0c25afc2a74df361f28fb6ad9f104ffc1f5056c1 |
| icc_00_off0000076f.icc | pdf-icc-profile | PDF ICC profile at offset 0x76F | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e |
| font_00_cff_off00001b67.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1B67 | 5520 bytes | af7b0a2e9a10832e74217262a85a234562c66e5dd2e2e62610e6c32990464209 |
| font_01_cff_off00002f4a.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x2F4A | 2934 bytes | 3d44a04ffae1f01da956cfb6e32eb164036905e67818df7d5ea72227e873e85d |

Script previews (each extracted script is a single line; the sizes above are the full scripts):
- javascript_obj0029_000.js: AFNumber_Keystroke(2, 2, 0, 0, "", true);
- javascript_obj0030_001.js: AFNumber_Format(2, 2, 0, 0, "", true);