Verdict: MALICIOUS (risk score 112)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF is encrypted and carries an /OpenAction, a combination used to auto-execute content while keeping it out of reach of static analysis. It also embeds a hidden external HTML iframe, which most likely redirects the viewer to an attacker-controlled URL. The ML classifier scores the file as malicious. The iframe's URL and the URL found in the document body, www.build365.com, are suspicious and are the likely payload-delivery mechanism.
Machine Learning
- Nyx PDF Classifier malicious score 0.9275
Heuristics (3)
- Encrypted PDF carries /OpenAction, payload hidden from static analysis (severity: high, rule PDF_ENCRYPTED_WITH_JS). The PDF declares /Encrypt and also references an executable trigger (/OpenAction). Standard PDF encryption scrambles string and stream contents but leaves dictionary keys and name objects in the clear, so a static scanner can see that JavaScript is wired to open-time execution without being able to read the JavaScript body. Encryption combined with auto-execution indicators is a known evasion pattern for delivering weaponised JavaScript that the analyst cannot inspect without the decryption key. Caveat: if the file opens without prompting for a password (an empty user password, which is required for the victim to open it unprompted), the contents can be recovered with `qpdf --decrypt in.pdf out.pdf`; only a non-empty user password genuinely blocks inspection.
- PDF contains hidden external HTML iframe (severity: high, rule PDF_HIDDEN_HTML_IFRAME). The PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong dropper/redirect indicator and is not expected in ordinary PDF content.
- Embedded URL (severity: info, rule EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.ygdyxx.com/Inc/admin/haha.htm
  - http://www.iec.ch
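The three heuristics above can be reproduced with a few byte-level regexes; the following is an added example (not the analyzer's own code) that re-implements PDF_ENCRYPTED_WITH_JS, PDF_HIDDEN_HTML_IFRAME and EMBEDDED_URL with per-URL channel labels, and runs them over a constructed sample. The sample PDF, its hostnames and the rule severities are assumptions chosen for illustration; the point it demonstrates is that /Encrypt hides the JavaScript body but not the /OpenAction and /JS keys, and that `#xx` name escapes must be undone before key matching.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, not the analysed file.  The trailer declares /Encrypt
# while the catalog wires /OpenAction to a JavaScript action whose /JS body is
# an encrypted hex string.  The keys stay in plaintext, which is all the rule
# needs.  The iframe is appended after %%EOF, outside any (encrypted) stream.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /S /JavaScript /JS <9f4b2e17c0a8d35e6b71f2c4a0d9> >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (http://www.iec.ch) >> >>\nendobj\n"
    b"6 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 "
    b"/O <00> /U <00> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Encrypt 6 0 R >>\n%%EOF\n"
    b'<iframe src="http://dropper.example/payload.htm" width="0" height="0">'
    b"</iframe>\n"
)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
ENCRYPT_RE = re.compile(rb"/Encrypt(?![A-Za-z0-9])")  # not /EncryptMetadata
TRIGGER_RE = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch)(?![A-Za-z0-9])")
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.I)
IFRAME_SRC_RE = re.compile(rb"""src\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(
    rb"""(?:width|height)\s*=\s*["']?0(?:px)?["'\s>]|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I,
)
URL_RE = re.compile(rb"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'*+,;=%]+")
# The bytes immediately before a URL tell us which channel carried it.
CHANNELS = [
    ("link annotation", re.compile(rb"/URI\s*\(\s*$")),
    ("javascript", re.compile(rb"/JS\s*\(\s*$")),
    ("html iframe", re.compile(rb"""<iframe\b[^>]*src\s*=\s*["']?$""", re.I)),
]


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so /Open#41ction is scanned as /OpenAction.  Coarse
    (it also rewrites '#' inside literal strings) but fine for key spotting."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def hidden_iframes(data: bytes) -> List[str]:
    """src URLs of iframe tags that are zero-sized or CSS-hidden."""
    hits = []
    for tag in IFRAME_RE.finditer(data):
        src = IFRAME_SRC_RE.search(tag.group(0))
        if src and HIDDEN_RE.search(tag.group(0)):
            hits.append(src.group(1).decode("ascii", "replace"))
    return hits


def extract_urls(data: bytes) -> List[Tuple[str, str]]:
    """(url, channel) for every http(s) URL in the bytes, in file order."""
    out = []
    for m in URL_RE.finditer(data):
        ctx = data[max(0, m.start() - 64):m.start()]
        channel = next((name for name, rx in CHANNELS if rx.search(ctx)), "document body")
        out.append((m.group(0).decode("ascii", "replace"), channel))
    return out


def evaluate(raw: bytes) -> List[Finding]:
    data = normalize_names(raw)
    findings = []
    triggers = sorted({m.group(1).decode() for m in TRIGGER_RE.finditer(data)})
    if ENCRYPT_RE.search(data) and triggers:
        findings.append(Finding("PDF_ENCRYPTED_WITH_JS", "high",
                                "/Encrypt alongside " + ", ".join("/" + t for t in triggers)))
    iframes = hidden_iframes(data)
    if iframes:
        findings.append(Finding("PDF_HIDDEN_HTML_IFRAME", "high",
                                "zero-size iframe -> " + ", ".join(iframes)))
    urls = extract_urls(data)
    if urls:
        findings.append(Finding("EMBEDDED_URL", "info",
                                "; ".join(f"{u} [{c}]" for u, c in urls)))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_PDF):
        print(f"{f.severity:<5} {f.rule:<24} {f.detail}")
```

Running it on the constructed sample yields the same three rule hits as the report. The regexes deliberately work on raw bytes rather than a parsed object tree because the rule must still fire on files whose cross-reference table is broken or whose streams cannot be decoded; the cost is that a name split across an object stream, or a filter the scanner does not decode, will be missed.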
Extracted artifacts (1)
Files carved from inside the sample during analysis. A 3144-byte ICC profile matches the size of the standard sRGB IEC61966-2.1 profile, whose device-manufacturer tag carries the text "IEC http://www.iec.ch", so the extracted http://www.iec.ch URL most likely comes from this colour profile rather than from attacker-supplied content.
| Filename | Kind | Source | Size |
|---|---|---|---|
| icc_00_off0000253f.icc (SHA-256 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e) | pdf-icc-profile | PDF ICC profile at offset 0x253F | 3144 bytes |
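To check an artifact row like the one above against the file yourself, the following added example (not the analyzer's code) carves ICC profiles out of a PDF's streams, names them with the report's `icc_NN_off<offset>.icc` convention and hashes the decoded profile. The sample PDF and stand-in profile are constructed; that the reported offset is where the stream's raw bytes begin, and that only raw and FlateDecode streams need handling, are assumptions.

```python
import hashlib
import re
import zlib
from dataclasses import dataclass
from typing import List


@dataclass
class Artifact:
    name: str
    kind: str
    offset: int   # file offset where the stream's raw bytes begin (assumption)
    size: int     # size of the decoded profile
    sha256: str


# A stream dictionary followed by the stream keyword; the tempered dot stops
# the match from running across an earlier object that has no stream.
STREAM_RE = re.compile(rb"<<(?P<dict>(?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
# Direct /Length only; an indirect reference (/Length 5 0 R) is left unmatched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def icc_profile_in(blob: bytes):
    """The ICC profile at the start of blob, or None.  The ICC header stores
    the profile size at bytes 0-3 and the signature 'acsp' at bytes 36-39."""
    if len(blob) < 128 or blob[36:40] != b"acsp":
        return None
    declared = int.from_bytes(blob[0:4], "big")
    if not 128 <= declared <= len(blob):
        return None
    return blob[:declared]


def carve_icc_profiles(pdf: bytes) -> List[Artifact]:
    found: List[Artifact] = []
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        length = LENGTH_RE.search(m.group("dict"))
        if length:
            raw = pdf[start:start + int(length.group(1))]
        else:                                   # fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            raw = pdf[start:end].rstrip(b"\r\n")
        if b"/FlateDecode" in m.group("dict"):
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue                        # other filters are out of scope here
        profile = icc_profile_in(raw)
        if profile is not None:
            found.append(Artifact(f"icc_{len(found):02d}_off{start:08x}.icc",
                                  "pdf-icc-profile", start, len(profile), sha256_hex(profile)))
    return found


def fake_icc_profile(size: int = 200) -> bytes:
    """Constructed stand-in for a profile: only the header fields the check reads."""
    body = bytearray(size)
    body[0:4] = size.to_bytes(4, "big")
    body[36:40] = b"acsp"
    return bytes(body)


PROFILE = fake_icc_profile()
COMPRESSED = zlib.compress(PROFILE)

# Constructed sample: a page content stream (not a profile), the profile stored
# raw, and the same profile stored FlateDecode-compressed.
SAMPLE_PDF = b"".join([
    b"%PDF-1.7\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Length 11 >>\nstream\n0 0 m 1 1 l\nendstream\nendobj\n",
    b"3 0 obj\n<< /N 3 /Alternate /DeviceRGB /Length %d >>\nstream\n" % len(PROFILE),
    PROFILE, b"\nendstream\nendobj\n",
    b"4 0 obj\n<< /N 3 /Filter /FlateDecode /Length %d >>\nstream\n" % len(COMPRESSED),
    COMPRESSED, b"\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])


if __name__ == "__main__":
    for a in carve_icc_profiles(SAMPLE_PDF):
        print(f"{a.name}  {a.kind}  offset=0x{a.offset:X}  {a.size} bytes  sha256={a.sha256}")
```

Because the hash is taken over the decoded profile, the raw and compressed copies in the sample produce the same SHA-256, which is the property you want when matching an artifact hash across differently packaged documents. Point `carve_icc_profiles` at the real sample and compare the offset, size and hash with the table row.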