SUSPICIOUS
56
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF file contains embedded objects and an XFA form, which are often used to deliver malicious content. The ML classifier flagged this PDF as malicious with a high probability. While the document body is unreadable, the presence of an embedded URL suggests an attempt to download a secondary payload, likely leading to exploitation.
Machine Learning
- Nyx PDF Classifier malicious score 0.7205
Heuristics 4
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.puremobile.com/help.asp In PDF document text
- http://ns.adobe.com/xdp/In PDF document text
- http://www.xfa.org/schema/xci/1.0/In PDF document text
- http://ns.adobe.com/xtd/In PDF document text
- http://www.xfa.org/schema/xfa-data/1.0/In PDF document text
- http://ns.adobe.com/xfdf/In PDF document text
- http://www.xfa.org/schema/xfa-form/2.8/In PDF document text
🗂 Part of campaign:
neeviapdf.com
53 samples
Extracted artifacts 11
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0049.bin |
pdf-embedded-file | PDF EmbeddedFile object 49 at offset 0xD9C5 | 30237 bytes |
SHA-256: 16d95c34f08bc34c050ad18034f517fd79c12740094db075625d68a91b301391 |
|||
embedded_file_obj0047.bin |
pdf-embedded-file | PDF EmbeddedFile object 47 at offset 0x10C2A | 84 bytes |
SHA-256: d81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777 |
|||
embedded_file_obj0048.bin |
pdf-embedded-file | PDF EmbeddedFile object 48 at offset 0x10CDC | 228 bytes |
SHA-256: 24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0 |
|||
embedded_file_obj0050.bin |
pdf-embedded-file | PDF EmbeddedFile object 50 at offset 0x10DCD | 199 bytes |
SHA-256: c97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460 |
|||
embedded_file_obj0051.bin |
pdf-embedded-file | PDF EmbeddedFile object 51 at offset 0x10EBE | 119 bytes |
SHA-256: 846dfecc0c93797cb6db4301f6af323fffd76ffdf8c053c439495412785138e7 |
|||
embedded_file_obj0052.bin |
pdf-embedded-file | PDF EmbeddedFile object 52 at offset 0x10F76 | 77 bytes |
SHA-256: e6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876 |
|||
embedded_file_obj0053.bin |
pdf-embedded-file | PDF EmbeddedFile object 53 at offset 0x1101D | 56 bytes |
SHA-256: 92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a |
|||
stream_002_off00000c8e.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xC8E | 34056 bytes |
SHA-256: abad6f91eafdb0e083580077f31cb616896fd8ea7751010400f0df402685eed0 |
|||
font_01_sfnt_off00006aba.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6ABA | 7356 bytes |
SHA-256: 853c92a07711324fe349cc71a687d8f85e47694f55457cacbc57e35e64b5a104 |
|||
font_02_sfnt_off000080b8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x80B8 | 1800 bytes |
SHA-256: 5958bc363aa00a009e09e0666234f8a5d931a04cd1bbc68bb75ac0a5aa2ab9a0 |
|||
font_03_sfnt_off000086bf.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x86BF | 22620 bytes |
SHA-256: 18fb8921652f26d28c2d3a3c6297134031d170d198342dee17e22e4e1d735316 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.