SUSPICIOUS
48
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains embedded files and XFA forms, indicating it is likely a container for malicious content. The ML classifier flagged this PDF as malicious with a high probability. While no scripts were directly extracted, the presence of embedded files and URLs suggests an attempt to download and execute further payloads, aligning with spearphishing attachment tactics.
Machine Learning
- Nyx PDF Classifier malicious score 0.8032
Heuristics 3
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://neeviaPDF.com In PDF document text
- http://www.puremobile.com/help.aspIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xdp/In PDF document text
- http://www.xfa.org/schema/xci/1.0/In PDF document text
- http://ns.adobe.com/xtd/In PDF document text
- http://www.xfa.org/schema/xfa-data/1.0/In PDF document text
- http://ns.adobe.com/xfdf/In PDF document text
- http://www.xfa.org/schema/xfa-form/2.8/In PDF document text
🗂 Part of campaign:
neeviapdf.com
53 samples
Extracted artifacts 11
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0049.bin |
pdf-embedded-file | PDF EmbeddedFile object 49 at offset 0xDE08 | 45381 bytes |
SHA-256: ee6928b91dca14395c37083156b26c4d8feda9dba3bf103b1e4f8534b5a25260 |
|||
embedded_file_obj0047.bin |
pdf-embedded-file | PDF EmbeddedFile object 47 at offset 0x11767 | 84 bytes |
SHA-256: d81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777 |
|||
embedded_file_obj0048.bin |
pdf-embedded-file | PDF EmbeddedFile object 48 at offset 0x11819 | 228 bytes |
SHA-256: 24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0 |
|||
embedded_file_obj0050.bin |
pdf-embedded-file | PDF EmbeddedFile object 50 at offset 0x1190A | 199 bytes |
SHA-256: c97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460 |
|||
embedded_file_obj0051.bin |
pdf-embedded-file | PDF EmbeddedFile object 51 at offset 0x119FB | 119 bytes |
SHA-256: 846dfecc0c93797cb6db4301f6af323fffd76ffdf8c053c439495412785138e7 |
|||
embedded_file_obj0052.bin |
pdf-embedded-file | PDF EmbeddedFile object 52 at offset 0x11AB3 | 77 bytes |
SHA-256: e6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876 |
|||
embedded_file_obj0053.bin |
pdf-embedded-file | PDF EmbeddedFile object 53 at offset 0x11B5A | 56 bytes |
SHA-256: 92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a |
|||
stream_000_off0000044f.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x44F | 34056 bytes |
SHA-256: abad6f91eafdb0e083580077f31cb616896fd8ea7751010400f0df402685eed0 |
|||
font_01_sfnt_off00006664.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6664 | 22620 bytes |
SHA-256: 18fb8921652f26d28c2d3a3c6297134031d170d198342dee17e22e4e1d735316 |
|||
font_02_sfnt_off0000aa48.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAA48 | 1800 bytes |
SHA-256: 5958bc363aa00a009e09e0666234f8a5d931a04cd1bbc68bb75ac0a5aa2ab9a0 |
|||
font_03_sfnt_off0000b13f.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB13F | 7356 bytes |
SHA-256: 853c92a07711324fe349cc71a687d8f85e47694f55457cacbc57e35e64b5a104 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.