MALICIOUS
60
Risk Score
Machine Learning
- Nyx PDF Classifier clean score 0.0028
Heuristics 5
-
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LUREDocument describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://cgi.adobe.com/special/acrobat/update Referenced by PDF JavaScript
Extracted artifacts 9
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_020_off00009b0f.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9B0F | 902 bytes |
SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a |
|||
stream_021_off00009c6f.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9C6F | 1363 bytes |
SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f |
|||
objstm_0001_00.bin |
pdf-objstm-decoded | PDF /ObjStm 1 0 obj (inflated) | 27645 bytes |
SHA-256: d67f5aaed10d2e9ea5f7db32bf0c18defc0d764853df6edf868e31bd22675a79 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
font_00_cff_off00011c82.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x11C82 | 5675 bytes |
SHA-256: e66c939a81f8c9e7598f5e60c3e8da98458e028e8d780e52aa2c66ee561f0c9e |
|||
font_01_cff_off00012f97.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x12F97 | 711 bytes |
SHA-256: 3d33962dd4a6f22f01a79a59d7e354946f3449ee44f842901289bf69d34f7b68 |
|||
font_02_cff_off0001328e.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x1328E | 2346 bytes |
SHA-256: 41a220c501cf7e8d1d0c247c4da7eaeba0b02d349cb41836f8e76fe05cd7dd84 |
|||
font_03_cff_off00013b38.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x13B38 | 4956 bytes |
SHA-256: ef9961b4010c7605363674aaacdfbee415bab66d697008cebbb1a9af57d8acfc |
|||
font_04_cff_off00014bd1.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x14BD1 | 2523 bytes |
SHA-256: fd3489fd63095cd02cf1fab683ff19c5c317fad0b9591682f1af7035af9475e2 |
|||
font_05_cff_off000154f3.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x154F3 | 4294 bytes |
SHA-256: 706d3ec8f1c57c6e741897a6d8d58fb9d49284507bc8fdad1320ec8f96eceb91 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.