Verdict: MALICIOUS (risk score 150)
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The PDF contains an embedded script payload and a hidden HTML iframe, strongly suggesting malicious intent. The presence of embedded URLs pointing to external resources like http://www.ro521.com/test.htm and http://j5b.kr/bin/h.js indicates a likely download or redirection mechanism. The ML classifier also flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.7002
Heuristics (5)
- Embedded script payload in PDF stream [high] PDF_EMBEDDED_SCRIPT_PAYLOAD: PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is a stronger signal than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
- PDF contains hidden external HTML iframe [high] PDF_HIDDEN_HTML_IFRAME: PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong dropper/redirect indicator and is not expected in ordinary PDF content.
- Unusually high stream count [medium] PDF_MANY_STREAMS: the PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
- Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE: one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.ro521.com/test.htm
  - http://j5b.kr/bin/h.js
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (RDF namespace identifier used by XMP metadata)
  - http://ns.adobe.com/iX/1.0/ (XMP namespace identifier)
  - http://ns.adobe.com/pdf/1.3/ (XMP namespace identifier)
  - http://ns.adobe.com/xap/1.0/ (XMP namespace identifier)
  - http://purl.org/dc/elements/1.1/ (Dublin Core namespace identifier used by XMP metadata)

Only the first two URLs are external resources the document can reach; the remaining five are standard namespace identifiers that appear in any PDF carrying XMP metadata and are not in themselves suspicious.
Extracted artifacts (9)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| stream_024_off0003b6f6.bin | debf2c129fa448ed84903101309db75b024f647d9e85b95aa10a50327af632be | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3B6F6 | 717408 bytes | |
| embedded_pdf_script_0003094d.bin | 1aae24c9896a147813ce2926f1c68e1e29dda981c70800fbface61173ec692ef | pdf-embedded-script | PDF decompressed stream script payload at offset 0x3094D | 7351 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 3 shell/COM execution tokens). |
| icc_00_off00001d7a.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x1D7A | 3144 bytes | |
| font_00_sfnt_off000ed10e.bin | a55150b4d5a5ee2cb77826d21114da8195393b7a7dda000419f1c2b92a782cd2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED10E | 27144 bytes | |
| font_01_sfnt_off000f1256.bin | c87b2dd299d0b26ea8a9a71800ffbf6aa68ce79322601fa9f11c395705bc7d87 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF1256 | 37332 bytes | |
| font_02_sfnt_off000f615f.bin | 9bb16cc9f713820d8c9f647ff05a2eb47139f7f5a8dfa0006ed16deabaab3abc | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF615F | 51120 bytes | |
| font_03_sfnt_off000fd5e2.bin | 82bf89ef6f82acd67cc9c3536a41cf7cc622f09c0205011864f4ddb81177e5ea | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD5E2 | 21304 bytes | |
| font_04_sfnt_off000ffae6.bin | 3579ecf824c1410b40e3b7aa75efd3553d5b5d004ed83575b72df5dc42620c79 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFAE6 | 21576 bytes | |
| font_05_sfnt_off001030b0.bin | e1c601e11bd4eb89f841ebd8e6895be38fbcf2228c251bfbe268ce651ef8a4a8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1030B0 | 15076 bytes | |
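The following Python script is an added example, not the analyzer's own code. It reproduces the two mechanics this report relies on: carving stream objects the way the artifact table records them (offset, decoded size, SHA-256, inflating FlateDecode data), and running checks modelled on the PDF_EMBEDDED_SCRIPT_PAYLOAD, PDF_HIDDEN_HTML_IFRAME and PDF_MANY_STREAMS heuristics from the Heuristics section, while sorting extracted URLs into XMP namespace identifiers versus external URLs. The marker list, the 501-stream threshold and the minimal PDF it builds are assumptions; the sample PDF is constructed inline and is not the analysed file, and example.invalid is a placeholder domain.

```python
import hashlib
import re
import zlib

# Assumed marker list and threshold, modelled on the report's heuristic text;
# the analyzer's actual rules are not published on the page.
MANY_STREAMS_THRESHOLD = 501
SCRIPT_MARKERS = [b"ActiveXObject", b"CreateObject", b"WScript.Shell", b"PowerShell", b"cmd.exe"]
XMP_NAMESPACE_PREFIXES = ("http://ns.adobe.com/", "http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          "http://purl.org/dc/elements/1.1/")

# stream ... endstream pairs; the lookbehind keeps "endstream" from starting a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")


def carve_streams(pdf: bytes) -> list[dict]:
    """Carve each stream object, inflating it where zlib accepts the data, and record
    the fields the artifact table reports: offset, decoded size and SHA-256."""
    artifacts = []
    for m in STREAM_RE.finditer(pdf):
        raw, offset = m.group(1), m.start(1)
        try:
            data, kind = zlib.decompress(raw), "decompressed-pdf-stream"
        except zlib.error:            # not FlateDecode (or corrupt): keep the raw bytes
            data, kind = raw, "raw-pdf-stream"
        artifacts.append({
            "filename": f"stream_{len(artifacts):03d}_off{offset:08x}.bin",
            "kind": kind, "offset": offset, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(), "data": data,
        })
    return artifacts


def script_markers(data: bytes) -> list[str]:
    """PDF_EMBEDDED_SCRIPT_PAYLOAD: shell/COM execution tokens present in stream bytes."""
    low = data.lower()
    return [m.decode() for m in SCRIPT_MARKERS if m.lower() in low]


def hidden_iframe_urls(data: bytes) -> list[str]:
    """PDF_HIDDEN_HTML_IFRAME: zero-size or CSS-hidden iframe whose src is an external http(s) URL."""
    found = []
    for m in IFRAME_RE.finditer(data):
        tag = m.group(0)
        low = tag.lower().replace(b" ", b"")      # normalise 'width = "0"' to 'width="0"'
        zero_size = re.search(rb'width=["\']?0(?!\d)', low) and re.search(rb'height=["\']?0(?!\d)', low)
        css_hidden = b"display:none" in low or b"visibility:hidden" in low
        src = re.search(rb'src\s*=\s*["\']?(https?://[^"\'\s>]+)', tag, re.IGNORECASE)
        if (zero_size or css_hidden) and src:
            found.append(src.group(1).decode())
    return found


def classify_url(url: str) -> str:
    """Separate XMP/RDF metadata namespace identifiers from URLs that point somewhere."""
    return "xmp-namespace" if url.startswith(XMP_NAMESPACE_PREFIXES) else "external"


def triage(pdf: bytes) -> dict:
    """Run the three stream-level heuristics over every carved stream and collect URLs."""
    artifacts = carve_streams(pdf)
    findings, urls = [], {}
    if len(artifacts) >= MANY_STREAMS_THRESHOLD:
        findings.append(("PDF_MANY_STREAMS", "medium", f"{len(artifacts)} stream objects"))
    for a in artifacts:
        markers = script_markers(a["data"])
        if markers:
            findings.append(("PDF_EMBEDDED_SCRIPT_PAYLOAD", "high", f"{a['filename']}: {', '.join(markers)}"))
        for url in hidden_iframe_urls(a["data"]):
            findings.append(("PDF_HIDDEN_HTML_IFRAME", "high", f"{a['filename']}: {url}"))
        for raw_url in URL_RE.findall(a["data"]):
            url = raw_url.decode(errors="replace")
            urls[url] = classify_url(url)
    return {"artifacts": artifacts, "findings": findings, "urls": urls}


def _obj(num: int, extra: bytes, stream: bytes) -> bytes:
    return (b"%d 0 obj\n<< /Length %d %s >>\nstream\n" % (num, len(stream), extra)
            + stream + b"\nendstream\nendobj\n")


def build_sample_pdf() -> bytes:
    """Constructed test input, not the analysed sample: one Flate-compressed stream carrying
    a zero-size iframe and a WScript.Shell instantiation, plus one plain XMP metadata stream."""
    payload = (b'<html><body><iframe src="http://example.invalid/test.htm" width="0" height="0"></iframe>'
               b'<script>var sh = new ActiveXObject("WScript.Shell");</script></body></html>')
    xmp = b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"></rdf:RDF>'
    return (b"%PDF-1.4\n" + _obj(1, b"/Filter /FlateDecode", zlib.compress(payload))
            + _obj(2, b"/Type /Metadata /Subtype /XML", xmp) + b"%%EOF\n")


if __name__ == "__main__":
    report = triage(build_sample_pdf())
    for a in report["artifacts"]:
        print(f"{a['filename']}  {a['kind']}  offset=0x{a['offset']:X}  {a['size']} bytes  sha256={a['sha256']}")
    for ident, severity, detail in report["findings"]:
        print(f"[{severity}] {ident}: {detail}")
    for url, label in report["urls"].items():
        print(f"url ({label}): {url}")
```

Regex carving is enough to show the idea but not for production triage: it ignores object streams (/ObjStm), filters other than FlateDecode (LZW, ASCII85, RunLength, filter chains), encrypted documents and streams whose /Length disagrees with the endstream marker, all of which an attacker can lean on to keep bytes out of a scanner's view. Use a real PDF parser for those cases; the heuristic functions above can be applied unchanged to whatever decoded bytes it yields.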