MALICIOUS
132
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains a hidden external HTML iframe, indicating an attempt to load content from a remote source. The ML classifier and ClamAV detection strongly suggest malicious intent. While the document body is unreadable, the presence of an embedded URL to an unknown domain warrants further investigation.
Machine Learning
- Nyx PDF Classifier malicious score 0.9870
Heuristics 3
-
ClamAV: Html.Spyware.IMG-7 critical CLAMAV_DETECTIONClamAV detected this file as malware: Html.Spyware.IMG-7
-
PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAMEPDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.codeforum.cn/free/max1.htm
- http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/exif/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/photoshop/1.0/
- http://ns.adobe.com/tiff/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://purl.org/dc/elements/1.1/
- http://www.iec.ch
- http://www.gnu.org/copyleft/gpl.html
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_002_off0000b7a7.bina5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB7A7 | 264072 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.