MALICIOUS
132
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains a hidden HTML iframe, a common technique for redirecting users to malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent. While the specific document body content is unreadable, the presence of an embedded URL to an unknown domain suggests a potential redirection to a malicious site for further exploitation.
Machine Learning
- Nyx PDF Classifier malicious score 0.9870
Heuristics 3
-
ClamAV: Html.Spyware.IMG-7 critical CLAMAV_DETECTIONClamAV detected this file as malware: Html.Spyware.IMG-7
-
PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAMEPDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.codeforum.cn/free/max1.htm
- http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/exif/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/photoshop/1.0/
- http://ns.adobe.com/tiff/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://purl.org/dc/elements/1.1/
- http://www.iec.ch
- http://www.gnu.org/copyleft/gpl.html
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_002_off0000b7a1.bina5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB7A1 | 264072 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.