Verdict: CLEAN
Risk Score: 16

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment
The PDF is encrypted and contains no readable text, relying on images and potentially invisible links to trick the user. Heuristics indicate it's an image-only lure with an AcroForm button that could trigger an action. The presence of embedded URLs, including suspicious ones like 'http://www.pc104.org/', suggests an attempt to redirect the user to a malicious site for further exploitation. The PDF structure and embedded content are consistent with a downloader or exploit delivery mechanism.
Machine Learning
- Nyx PDF Classifier clean score 0.0527
Heuristics (5)
- AcroForm button with action trigger (severity: low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Encrypted PDF, string and stream contents are opaque to static scan (severity: info, PDF_ENCRYPTED): PDF declares /Encrypt; string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
- Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact (severity: info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in PDF document text:
  - http://www.pc104.org/
  - http://anzeigen.automatisieren.org
  - http://www.monotype.com (link text: Monotype)
  - http://www.siemens.com/
  - http://www.siemens.de/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ManifestItem#
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/g/img/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://www.npes.org/pdfx/ns/id/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/xmp/InDesign/private
  - http://ns.adobe.com/pdfx/1.3/
  - http://ns.adobe.com/xap/1.0/t/pg/
  - http://ns.adobe.com/xap/1.0/sType/Dimensions#
  - http://ns.adobe.com/xap/1.0/g/
  - http://ns.adobe.com/illustrator/1.0/
  - http://www.iec.ch
  - http://www.monotype.com/html/mtname/ms_arial.html
  - http://www.monotype.com/html/mtname/ms_welcome.html
  - http://www.monotype.com/html/type/license.html
Extracted artifacts (32)
Files carved from inside the sample during analysis. ClamAV reported no threats for any artifact; the Detection column records the static triage result where one was raised.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| stream_033_off00039619.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x39619 | 17557 bytes | 9424e3157f4bb1043e86a8bd89987d9f29a1f222bc21ad2c6048d66cc84d9942 | ClamAV: No threats found. Obfuscation or payload: likely. 343 of 493 identifiers look randomly generated (e.g. 'FqbDFUGpup5OCLwUdScNBbTGKEIB3PcnGkWqhcVZ'); 4 string-concatenation chain(s), consistent with name-mangling obfuscation. |
| stream_037_off00050456.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x50456 | 16243 bytes | 39dff670fd36baa4daca9ad4ee50771a0f8ae071c9f898f9e5f0eb6fcafa1f7f | ClamAV: No threats found. Obfuscation or payload: likely. 136 of 270 identifiers look randomly generated (e.g. 'sdRuFIZklt0jbi5c1jNW4gmlNh2r74q9Os9PtLBW'), consistent with name-mangling obfuscation. |
| stream_041_off00066d7b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x66D7B | 29426 bytes | 7f22c065a4e9571021f055896c5ec5af322d9aa40184f63610bb430545a20f64 | ClamAV: No threats found. Obfuscation or payload: likely. 571 of 772 identifiers look randomly generated (e.g. 'GaG5hjuLeRZoZlEkckZDI6MOSsrLUEEHY4quV0cs'); 7 string-concatenation chain(s), consistent with name-mangling obfuscation. |
| stream_042_off0006f082.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6F082 | 8928 bytes | a52939c26bc40060f4052671a033d5c74a69c12ab3fbf9064d5c38e602043a67 | (none) |
| stream_054_off0009d3b7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9D3B7 | 31160 bytes | c5af4747e2f03d20dbef1ea96606a8729f97ea7b2d0ea1756f87e325b07a1140 | (none) |
| stream_111_off000e24d6.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xE24D6 | 16499 bytes | 853cc2a1da64462e463d2bcac0abbcbbf1d5bc86302365e338f3b619b0895180 | ClamAV: No threats found. Obfuscation or payload: likely. 322 of 484 identifiers look randomly generated (e.g. 'obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PS'); 3 string-concatenation chain(s), consistent with name-mangling obfuscation. |
| stream_125_off000e99a2.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xE99A2 | 11793 bytes | 8812c7063f88f06446bfb6d71da48912433cd8912d810d2173d7948f83f82987 | ClamAV: No threats found. Obfuscation or payload: likely. 240 of 350 identifiers look randomly generated (e.g. 'obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PS'); 3 string-concatenation chain(s), consistent with name-mangling obfuscation. |
| stream_127_off000ebb4d.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xEBB4D | 28063 bytes | 9ad49362016069a0dea768299e1f6371db77ab3a5fa010796334b3864ef05627 | ClamAV: No threats found. Obfuscation or payload: likely. 328 of 488 identifiers look randomly generated (e.g. 'obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PS'); 2 string-concatenation chain(s), consistent with name-mangling obfuscation. |
| stream_129_off000ee5c6.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xEE5C6 | 10473 bytes | bf643491ae5e8cc29c8585a14edfa7617314b390086d081a52ac9d91b49c82e8 | ClamAV: No threats found. Obfuscation or payload: likely. 199 of 295 identifiers look randomly generated (e.g. 'UTirsVeK6v8AnN5lsLvzJYiGBrq0vJIdHPptT0be'); 2 string-concatenation chain(s), consistent with name-mangling obfuscation. |
| stream_131_off000f0055.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF0055 | 34511 bytes | e1f9a1b908d07ceafb5a3e08e30b3ed589490e15e5ed3ab130fb96af1596c7a8 | ClamAV: No threats found. Obfuscation or payload: likely. 464 of 664 identifiers look randomly generated (e.g. 'obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PS'); 12 string-concatenation chain(s), consistent with name-mangling obfuscation. |
| stream_149_off000f6183.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF6183 | 14721 bytes | 126ba3f6635a9e52ae902a6b4aa7368f2213fb7276df0586b8fcf8b0bf2f0b18 | ClamAV: No threats found. Obfuscation or payload: likely. 349 of 493 identifiers look randomly generated (e.g. 'obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PS'); 1 string-concatenation chain(s), consistent with name-mangling obfuscation. |
| stream_164_off0014045e.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x14045E | 35738 bytes | dd5e4439432d2ea3e7f1869c39a05a2dc4bdb47deb0cb79a68b7fdf2fe10bdae | (none) |
| icc_00_off000d6151.icc | pdf-icc-profile | PDF ICC profile at offset 0xD6151 | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | (none) |
| font_00_cff_off000fd2ac.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xFD2AC | 7046 bytes | 5090a458bd9c1cd2eb7ed5e9f5627352404b13d6708bc7dc35b2792b2be2e75d | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 7.43, consistent with packed or encrypted content. |
| font_01_cff_off000feb78.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xFEB78 | 6242 bytes | a0768638fe8c0f8c645a670bf70b2806596da2b3ce6c5e50628158cc26b90850 | (none) |
| font_02_cff_off0010013d.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10013D | 4603 bytes | 1fb41b5c84f011c3c640236e793da9e48d7e273440359c5c5746916901641f81 | (none) |
| font_03_cff_off001011e0.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1011E0 | 2245 bytes | 165cd5bc804d5c35921b3948ab0d55dd49a3a375db20ac630846de6514c2c14c | (none) |
| font_04_cff_off00101a83.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x101A83 | 5935 bytes | a114e1e8916eeceb4432beb4533a2f75fdab70a30273194ea75f00fe47f97c07 | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 7.45, consistent with packed or encrypted content. |
| font_05_cff_off00102f92.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x102F92 | 10076 bytes | 8959b1d95ce4cdd9931c8d20247b9d1585ed7125828b807d5e848a665480bbc3 | (none) |
| font_06_cff_off0010af8b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10AF8B | 4027 bytes | 4c9950ef57d45e7416294b721643c2d77373b594fcca160a37e9ae354553673f | (none) |
| font_07_cff_off0010be31.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10BE31 | 5926 bytes | 4e2b0c49283d5df4b1b3865c6705617f774fdb5e04c11c14ec150c7f881903f7 | (none) |
| font_08_cff_off0010d316.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10D316 | 2635 bytes | 31380158bb070968e489e297db7dd2e06f65be8ec5d2847fc1825f3d6445b03f | (none) |
| font_09_cff_off0010dce7.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10DCE7 | 6103 bytes | 98d011ef71c3089d151d4064db8326c0a66cf613836f2b4e1b7bdbac6ddb054d | (none) |
| font_10_cff_off0010f0d3.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10F0D3 | 1948 bytes | 3e1393676563996e72e28a55e5185d12d9f9b0d42bf4b5d271fd1ef01a5dc6d7 | (none) |
| font_11_cff_off0010fc75.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x10FC75 | 1891 bytes | 817b104e75a8764ed0d266b10a053959f5f3a7f822991515d3d5054ea6351e50 | (none) |
| font_12_cff_off00116fbd.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x116FBD | 2750 bytes | 502bdaf207940c236dd040c8efb2ce6f50db4bdb6df0dd97d6fb9a0c0968b6a4 | (none) |
| font_13_cff_off00117aec.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x117AEC | 4405 bytes | 1bcf458b6eb005b8d8c6afc72cf478d2dd8dcd6797563a173c7cf3ac5e911fa1 | (none) |
| font_14_cff_off00118ac6.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x118AC6 | 4988 bytes | 6e58b906f1d33e30b1aa1353570f57b50f2eebf40fac5128d83c27853b6e7fe3 | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 7.46, consistent with packed or encrypted content. |
| font_15_cff_off00122d4e.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x122D4E | 1224 bytes | 81f0fc9fe9026c36166a659f2e0acb9cf5bb28b3a69a2dce15ced857cf0c3a93 | (none) |
| font_16_cff_off0012321d.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x12321D | 4785 bytes | 6678525312cf31e7356e42bd0dd8b0d274728676249a6c86d187318d44764f5f | (none) |
| font_17_cff_off0012738c.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x12738C | 1847 bytes | 577b91f06ee059c838f8db8719e1d37e9e0bec5762854296b2aa103b27f76b04 | (none) |
| font_18_sfnt_off00127ec1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x127EC1 | 63412 bytes | 8e12f46e16e318eeeb230e9c7fa3b7bf5e878d899324976fb35e88cbf8e1dd7a | (none) |