Verdict: MALICIOUS
Risk Score: 302

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The PDF is heavily obfuscated and encrypted, containing embedded JavaScript intended to download and execute a second-stage payload. Heuristics indicate it's an exploit delivery mechanism, with ClamAV detecting it as Win.Exploit.Doublepulsar-7427328-0. The presence of an appended ZIP archive, though corrupt, suggests a multi-stage infection attempt.
Machine Learning
- Nyx PDF Classifier clean score 0.0002
Heuristics (8)
- ClamAV: Win.Exploit.Doublepulsar-7427328-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Exploit.Doublepulsar-7427328-0.
- Encrypted PDF carries /Js, payload hidden from static analysis [high, PDF_ENCRYPTED_WITH_JS]: PDF declares /Encrypt and also references an executable trigger (/Js). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- Embedded script payload in PDF stream [high, PDF_EMBEDDED_SCRIPT_PAYLOAD]: PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
- PDF with appended ZIP archive [high, POLYGLOT_PDF_ZIP_APPENDED]: A ZIP local-file header was found AFTER the last %%EOF in this PDF, a polyglot pattern where the same bytes are a valid PDF for a PDF reader and a valid ZIP for an archive parser.
- PDF paints image(s) but contains no text operators [medium, PDF_IMAGE_ONLY_LURE]: PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
- Corrupt or invalid ZIP archive [medium, ARCHIVE_CORRUPT]: The file appears to be a ZIP archive but could not be opened. It may be corrupt or deliberately malformed.
- Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.playstation.co.kr (in PDF document text; extracted three times, two of them with trailing binary debris)
  - http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (in PDF document text)
  - http://www.iec.ch (in PDF document text)
Extracted artifacts (16)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_142_off000e092b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xE092B | 132572 bytes | 70b525836c7f2a4e24fe7345a461fe40ac8110b1b6f07777fe5a314b897b01ca |
| icc_00_off000c270a.icc | pdf-icc-profile | PDF ICC profile at offset 0xC270A | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e |
| font_00_cff_off000d7959.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xD7959 | 3726 bytes | 4682e4c11ff1e93d7f0b294cbed4bbc8a32923d9cccacacfbd566162227a6430 |
| font_01_cff_off000d86b5.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xD86B5 | 915 bytes | 3d62d78a209922936c14d8a2bfa79a2151c1f35a1894fddb63dec8a8b11b822c |
| font_02_cff_off000d8a75.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xD8A75 | 1083 bytes | f3b6cecfd333476b678b5559f60a8fc502acdfdac4c494eb5f5c2f07dc848b48 |
| font_03_cff_off000d8eb5.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xD8EB5 | 494 bytes | a0e50fafbfe3482fb827cdaddab7e23dccc4b63b6fe9843bd890fb11c62486b4 |
| font_04_cff_off000d91b5.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xD91B5 | 1268 bytes | 2cdf5d3d35adc5601c01c9f00b5081e8d2bb089e3e0571c571cb026e62c5179c |
| font_05_cff_off000db1c3.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xDB1C3 | 850 bytes | d7a30233b172765880c2640f21c21cf1a133f994562cf771b46d2edea6d85416 |
| font_06_cff_off000dba76.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xDBA76 | 920 bytes | 61f448c912f86d6dab0644f1a5d829b88b5ac2b78bd112c041232b2ec17442f2 |
| font_07_cff_off000dbe2f.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xDBE2F | 330 bytes | 1af72c10e34effa55b605204e1451a12b84108e48a770a1f56f63ccf2389bbd8 |
| font_08_sfnt_off000dbfcb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDBFCB | 22632 bytes | f2d623f87de01620439c5ebfcfa5e5ebbc0e59c123e337fa00965e8770ad2a14 |
| font_09_cff_off000e04dd.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xE04DD | 496 bytes | ff9981487472680ae3a720bb63ce9728a2aadc257e32f441f2e5be855458b3dd |
| font_10_cff_off000e0710.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xE0710 | 168 bytes | 9a667881d63d6ff61f6e9fb19589c3627f6ac447ea38ba615a0ea56cb19e9c89 |
| font_12_cff_off001253b3.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1253B3 | 546 bytes | 59382f605d22e8aaf1228ef49d2a9bf2d61ae1438f5a05c4bc990546cd0921f7 |
| font_13_cff_off0012561d.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x12561D | 204 bytes | 83b2b77fd9a0f6fa3ccb846a7e74e39fad204515a135f8ff04e2d9843dedca38 |
| embedded_pdf_script_0016d4e0.bin | pdf-embedded-script | PDF decompressed stream script payload at offset 0x16D4E0 | 6479567 bytes | 1167188441cb005ea9b9ce9a4b50487ee2706e8b196c727936d60f0f84312213 |
Detection (carved artifact)
- ClamAV: Win.Exploit.Doublepulsar-7427328-0
- Obfuscation or payload: likely. Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 32 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script (truncated)

```
%PDF-1.5
%����
985 0 obj <</Linearized 1/L 1213124/O 992/E 261534/N 56/T 1193360/H [ 1328 1960]>>
endobj
xref
985 50
0000000016 00000 n
0000003288 00000 n
0000003424 00000 n
0000001328 00000 n
0000003576 00000 n
0000003602 00000 n
0000003646 00000 n
0000003681 00000 n
0000004172 00000 n
0000004301 00000 n
0000004329 00000 n
0000004366 00000 n
0000007114 00000 n
0000010048 00000 n
0000010308 00000 n
0000010681 00000 n
0000010746 00000 n
0000011049 00000 n
0000011379 00000 n
0000011561 00000 n
0000011715 00000 n
0000011863 00000 n
0000012024 00000 n
0000012669 00000 n
0000012817 00000 n
0000015965 00000 n
0000016031 00000 n
0000018822 00000 n
0000021303 00000 n
0000023846 00000 n
0000026041 00000 n
0000028518 00000 n
0000029473 00000 n
0000032890 00000 n
0000033057 00000 n
0000033361 00000 n
0000033553 00000 n
0000061727 00000 n
0000062249 00000 n
0000062439 00000 n
0000200527 00000 n
0000200991 00000 n
0000201189 00000 n
0000255172 00000 n
0000257843 00000 n
0000258926 00000 n
0000259443 00000 n
0000260172 00000 n
0000260736 00000 n
0000261299 00000 n
trailer
<</Size 1035/Prev 1193348/Root 987 0 R/Encrypt 986 0 R/Info 984 0 R/ID[<e9f08ec690f463a93e0984082e67f290><97dcbf36277c5141ae0d42b35e0527f2>]>>
startxref
0
%%EOF
988 0 obj<</Length 1868/Filter/FlateDecode/E 3501/L 3517/S 2928>>stream
[... 1868 bytes of FlateDecode-compressed stream data (binary, not rendered) ...]
endstream
endobj
986 0 obj<</R 3/Length 128/Filter/Standard/O(쉽�� �� ��$�ȱ��#�� �V� ��S֨�)/P -1340/U(:u Z, >^� Y )/V 2>>
endobj
987 0 obj<</Pages 973 0 R/Type/Catalog/PageMode/UseNone/Names 991 0 R/Threads 989 0 R/PageLabels 971 0 R/Metadata 980 0 R/FICL:Enfocus 981 0 R>>
endobj
989 0 obj[990 0 R]
endobj
990 0 obj<</F 6 0 R/I<</Title(�)>>>>
endobj
991 0 obj<</Dests 558 0 R>>
endobj
992 0 obj<</Annots[993 0 R]/Contents[996 0 R 997 0 R 1009 0 R 1011 0 R 1012 0 R 1013 0 R 1014 0 R 1015 0 R]/Type/Page/Parent 974 0 R/Rotate 0/MediaBox[0 0 595 419]/CropBox[0 0 595 419]/Resources<</ColorSpace<</CS0 995 0 R/CS1 994 0 R>>/Font<</T1_0 1002 0 R/T1_1 1003 0 R/C2_0 1004 0 R/C2_1 1005 0 R/C2_2 1008 0 R/T1_2 1007 0 R/T1_3 1006 0 R>>/ProcSet[/PDF/Text]/ExtGState<</GS0 1010 0 R/GS1 1000 0 R/GS2 1000 0 R/GS3 1010 0 R/GS4 1018 0 R/GS5 1000 0 R/GS6 1000 0 R/GS7 1010 0 R>>>>>>
endobj
993 0 obj<</
... (truncated)
```