CLEAN
24
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF document contains embedded URLs, with one pointing to 'aleqarz.net/admin/d/valid/secure/index.php', which is flagged as suspicious. Another heuristic indicates an external URI to the same domain. The document body, though partially obscured, contains references to these URLs and appears to be designed to trick the user into clicking them. No scripts were extracted, limiting further analysis of the payload.
Machine Learning
- Nyx PDF Classifier clean score 0.0003
Heuristics 3
-
Document signing service impersonation lure medium SE_DOCUSIGN_LUREDocument impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://aleqarz.net/admin/d/valid/secure/index.php PDF link annotation
- https://turbine.cf/secure/p/valid/secure/index.phpIn PDF document text
- https://www.google.com/In PDF document text
- https://ci4.googleusercontent.com/proxy/YrbDhpnGLeLblOOAneMjgFO6hajZWchA4yjGSKAJQBz8D3LVnopub61qQH1HefrXOnbgq-tDl9I5o_5o-Qwvhfa2z_VS8W4kXGBAY92HUNXsDlXyzHUTSA=s0-d-e1-ft#https://www.docusign.net/member/Images/email/docComplete-white.pngIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text
- http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0XIn PDF document text
- http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0In PDF document text
- http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0aIn PDF document text
- http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0In PDF document text
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0TIn PDF document text
- http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0In PDF document text
- http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^In PDF document text
- http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0��In PDF document text
- http://www.microsoft.com/pkiops/docs/primarycps.htm0@In PDF document text
- http://www.microsoft.com/TypographyIn PDF document text
- http://www.microsoft.com/typography/ctfontshttp://lucasfonts.comMicrosoftIn PDF document text
- http://www.microsoft.com/typography/fonts/default.aspxIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004f01.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F01 | 91176 bytes |
SHA-256: 8cf3136b6f3cb4b1d35462ebc3746aa837241973ef56595d51a6e2b89c5c3838 |
|||
font_01_sfnt_off0000eb82.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB82 | 80784 bytes |
SHA-256: 828cd0032985b6cafdd34e9ec35b6b21c27721286ac945d48e8595f6e635b106 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.