Verdict: MALICIOUS
Risk Score: 66
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains embedded JavaScript, indicated by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristic. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document's purpose is to prompt the user for a password, likely to decrypt a malicious archive. This points to a social engineering attack, possibly for phishing or malware distribution, using a common lure to bypass security controls.
Machine Learning
- Nyx PDF Classifier clean score 0.0488
Heuristics (5)
| Heuristic | Severity | ID | Description |
|---|---|---|---|
| Password-protected archive handoff | high | SE_PASSWORD_ARCHIVE_LURE | Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning. |
| Embedded script payload in PDF stream | medium | PDF_EMBEDDED_SCRIPT_PAYLOAD | PDF stream bytes contain an HTML/XFA `<script>` tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review. |
| Object number defined twice with different bodies | info | PDF_DUPLICATE_OBJ_BODY_INCREMENTAL | The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content. |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URLs (channel for every entry: in PDF document text):
- http://www.ciudad.com.ar/ar/popunder/p_submit.asp?site=personales.ciudad.com.ar
- http://www.monotype.com and http://www.monotype.com/html/type/license.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- http://www.monotype.com/html/mtname/ms_arial.html and http://www.monotype.com/html/mtname/ms_welcome.html (labelled NOTIFICATION)
- http://www.monotype.com/html/mtname/ms_timesnewroman.html and http://www.monotype.com/html/mtname/ms_welcome.html (labelled NOTIFICATION)
Extracted artifacts 7
Files carved from inside the sample during analysis.
| Filename (SHA-256) | Kind | Source | Size |
|---|---|---|---|
| stream_135_off000929dc.bin (32c6685da7ef48ad635da96ead5e5e047c4b0ae588887ed12a57b79cf6949ac3) | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x929DC | 51084 bytes |
| embedded_pdf_script_000b1311.bin (787d8e6981d0718de6a3fa0c40c5ceab7654af3d18be9eb0eec58b353eed6a8a) | pdf-embedded-script | PDF decompressed stream script payload at offset 0xB1311 | 725940 bytes |
| font_01_sfnt_off0009a542.bin (d083bccbe2c85ebd023abc445395eb332525d1637a49f2a4b0411a35a0dc2583) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9A542 | 38160 bytes |
| font_02_sfnt_off000a0046.bin (03133a8180424c6aaf7914cd779bfde1b6f7137a0870f902d5c974f2a1c42f7d) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA0046 | 26504 bytes |
| font_03_sfnt_off000a362a.bin (ebc04094273ea3b2905e539635ea682d1be73a738a44ac0c24465d19ea96cb64) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA362A | 33004 bytes |
| font_04_sfnt_off000a8001.bin (72fb6a7fd4fced05a3f0649e848156c9b707edf0119a9b21ee9eba6de2c0b1ed) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA8001 | 30680 bytes |
| font_05_sfnt_off000abf80.bin (4e1e8f5013cf80ffffb8ef0eb489c5300ab29caa3f17a0b209bb95556a22932c) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xABF80 | 1344 bytes |

Detection details for embedded_pdf_script_000b1311.bin
- ClamAV: No threats found
- Obfuscation or payload: likely
- Carved artifact contains 1 eval/decoder/string-building token(s).
- Preview script: first 1,000 lines of the extracted script (raw FlateDecode stream bytes).