MALICIOUS
90
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
T1140 Deobfuscate/Decode Files or Information
This PDF document is flagged as malicious by an ML classifier and exhibits characteristics of malicious PDFs, including an encrypted structure with embedded JavaScript. The presence of embedded files and JavaScript streams suggests the document is designed to deliver and execute a hidden payload, likely a second-stage exploit or malware. The obfuscation techniques used indicate an attempt to evade static analysis.
Machine Learning
- Nyx PDF Classifier malicious score 0.9942
Heuristics 5
-
Encrypted PDF carries /jS — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JSPDF declares /Encrypt and also references an executable trigger (/jS). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.monotype.comMonotype
- http://ocsp.verisign.com0
- http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xci/2.8/
- http://www.xfa.org/schema/xfa-template/2.6/
- http://www.w3.org/1999/xhtml
- http://www.xfa.org/schema/xfa-data/1.0/
- http://get.adobe.com/de/reader/
- http://www.xfa.org/schema/xfa-locale-set/2.7/
- http://www.xfa.org/schema/xfa-locale-set/2.6/
- http://ns.adobe.com/xtd/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xfa/promoted-desc/
- http://ns.adobe.com/xfdf/
- http://cgi.adobe.com/special/acrobat/update
- https://www.verisign.com/rpa
- http://ocsp.verisign.com/ocsp/status0
- https://www.verisign.com/rpa0
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
- http://www.microsoft.com/typography
- http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html
- http://crl.verisign.com/tss-ca.crl0
- http://crl.verisign.com/ThawteTimestampingCA.crl0
- https://www.verisign.com/rpa01
- http://crl.verisign.com/pca3.crl0
- http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
- http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
- http://www.adobe.com/typehttp://www.adobe.com/type/legal.html
Extracted artifacts 14
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0031.binf212b90dd8d46fcfde4055c595ca334e51d9c315dcbea005dc86468bb12aa257 |
pdf-embedded-file | PDF EmbeddedFile object 31 at offset 0x1DD4 | 163 bytes |
embedded_file_obj0032.binc506e7de2dcb80802eeb8e3e7510be692104b112f6832675fa52ca5588fb5838 |
pdf-embedded-file | PDF EmbeddedFile object 32 at offset 0x1EC4 | 2352 bytes |
embedded_file_obj0033.bincbd7701691b8944da79057a977aef7a040784775a1c02beb0e8bc7a6370c454e |
pdf-embedded-file | PDF EmbeddedFile object 33 at offset 0x22CB | 60691 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
embedded_file_obj0034.bined21c449ec1f230da95997e24740e9ead7fb874c64926ff9a1130dcfe72d193a |
pdf-embedded-file | PDF EmbeddedFile object 34 at offset 0x7D9A | 2920 bytes |
embedded_file_obj0035.bin48eba206f21018909bc5308626d34dfcb669a58b2cfc1e73e2f00f83f5079f38 |
pdf-embedded-file | PDF EmbeddedFile object 35 at offset 0x8117 | 200 bytes |
embedded_file_obj0036.bin90938f9e3cdf6db2eeee31ed7c949f3b0952b799b670df73d2e56d31bfcc8d34 |
pdf-embedded-file | PDF EmbeddedFile object 36 at offset 0x820F | 121 bytes |
embedded_file_obj0037.bin79e4d0ec701dc6d55943165bc094ee646b98265be1ad438c35c2b96a4ab3bf73 |
pdf-embedded-file | PDF EmbeddedFile object 37 at offset 0x82CD | 1704 bytes |
embedded_file_obj0038.bin2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19 |
pdf-embedded-file | PDF EmbeddedFile object 38 at offset 0x85CE | 80 bytes |
stream_015_off00008996.js1b2ec98752b966f601d5223a750559cf13d562ac5e5c6d1fcc7217835b01f5fd |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8996 | 902 bytes |
stream_016_off00008aee.jsf94e41f586bf3f20bc1deeac4bfbda388a61db43f25fbd6304ba73f5653368cf |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8AEE | 1313 bytes |
stream_018_off000190a8.binb8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x190A8 | 367087 bytes |
stream_019_off0004b8be.bin1e8564d3d89047875dccaa98279599de9d7ddf77240906041f1156ba8edf3315 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4B8BE | 352198 bytes |
objstm_0004_00.bin03515b1892bea05fdacad4d7c9d281970c1659b6803f7b4891c8af4ddfbb2a11 |
pdf-objstm-decoded | PDF /ObjStm 4 0 obj (inflated) | 677 bytes |
font_00_sfnt_off00008dc1.binc29e5b1537bee8c88b3ffca56c5f24a45ec8da374cf9d4c0b4a78d04fc230949 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8DC1 | 95975 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.