Verdict: MALICIOUS
Risk Score: 130
Malware Insights

MITRE ATT&CK:
- T1059.007 JavaScript
- T1566.001 Spearphishing Attachment
- T1140 Deobfuscate/Decode Files or Information
The PDF is encrypted and contains embedded JavaScript together with an /OpenAction trigger, indicating an attempt to hide malicious code from static analysis. The ML classifier strongly suggests the file is malicious. An internal IP address appearing as a URL suggests a potential command-and-control or download server on a local network. The high stream count and the embedded font files point towards obfuscation techniques used to conceal the true nature of the PDF.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9802
Heuristics (7)

- Encrypted PDF carries /OpenAction; payload hidden from static analysis (severity: high, rule PDF_ENCRYPTED_WITH_JS). The PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- Unusually high stream count (severity: medium, rule PDF_MANY_STREAMS). The PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
- PDF paints image(s) but contains no text operators (severity: medium, rule PDF_IMAGE_ONLY_LURE). The PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams; this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
- JavaScript action (severity: low, rule PDF_JAVASCRIPT, 1 related finding). The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (severity: low, rule PDF_JS). The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info, rule EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://192.168.192.168 (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/g/img/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/t/pg/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/sType/Dimensions# (in PDF document text)
  - http://ns.adobe.com/xap/1.0/g/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://www.iec.ch (in PDF document text)
Extracted artifacts (13)

Files carved from inside the sample during analysis. The Detection column is filled only where the report attached a detection detail to the artifact.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| stream_012_off0005ab06.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5AB06 | 41150 bytes | 1547e36dc78c7d40e9840f5144e42b0254b90b63550e2e96d37c0e597d655600 | |
| icc_00_off0005649d.icc | pdf-icc-profile | PDF ICC profile at offset 0x5649D | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | |
| font_00_cff_off000857c6.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x857C6 | 7195 bytes | 4629b14aa386c6f4577cd6c9cd11d150deb3fa52cd17c44ec9a8cd9c932fb289 | |
| font_01_cff_off00086f75.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x86F75 | 8069 bytes | 1820eac97238a9fcc9c8b42e8789d1461635b3872fdfdc6302168c7461821a60 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.41, consistent with packed or encrypted content). |
| font_02_cff_off0093a573.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x93A573 | 6837 bytes | cff5ddf8bb1d0724cbbb06059fca630ebb15ffb32eecafc84a732350025475c4 | |
| font_03_cff_off0093bc26.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x93BC26 | 479 bytes | 71b9ce7c90d4e742af3bdaec5759d798d782784efa94c9a453f9bab87bde4bdd | |
| font_04_cff_off0093be5d.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x93BE5D | 10289 bytes | f269b7fbd4e142378b61443fbea56949f9db3a2c87719720a7401a3a16cdc9e1 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.45, consistent with packed or encrypted content). |
| font_05_cff_off0093e137.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x93E137 | 5909 bytes | 2eb555cead63882bc093db1c3399cbf046c56331cb9b41f2d5acf72d87adc53e | |
| font_06_cff_off0093f513.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x93F513 | 389 bytes | 36a7af7074bf8005d7a726a7fa5b5d3364a06c50bda7f161f319fa59fb5f81e2 | |
| font_07_cff_off009409f6.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x9409F6 | 3119 bytes | db01e5e0e1b166efcfb41e24cc947bb84cda78c16891b9dabf6b861b9d6a80cd | |
| font_08_cff_off00941590.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x941590 | 1394 bytes | e40061ca4ff01908de0d4876d8a3aa18669111757d320ef394363cbdefade68e | |
| font_09_cff_off00941af1.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x941AF1 | 1563 bytes | 9e163ba3a21ba752f32c94a0d70ac05b62acec46c890cdc6fb5892199d57c396 | |
| font_10_cff_off009420d5.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x9420D5 | 2367 bytes | 4d55fe2ae8337978c2a8bbc91e748232386d0930b0ee101f518a0be0de187acf | |