SUSPICIOUS
44
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains an embedded URL that points to a suspicious domain, likely intended to deceive the user into clicking it. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests the document text may contain command-like strings, further indicating a malicious intent to execute or prompt user interaction with system commands. No scripts were extracted, but the presence of the external URI and command-like text strongly suggests a phishing or credential harvesting attempt.
Machine Learning
- Nyx PDF Classifier clean score 0.0017
Heuristics 3
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://secure-restore-payments-frauds.com/signin-cmd-update-information-account-token-489213648641287hjkhd78261836146haksdg671423kjahdajshfa4156868714146585683423 PDF link annotation
- http://www.monotype.comMonotypeIn PDF document text
- http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.htmlIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008595.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8595 | 13628 bytes |
SHA-256: f99bbaa67ba92ca88866f81edd1a2da065d10f7ae5277c25b64c59b435226cac |
|||
font_01_sfnt_off0000ac7e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAC7E | 11264 bytes |
SHA-256: 4d6d7a54fe3fc9c4eba086eb6660b7cf515d1eed2acecb414928f3534e5fba23 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.