Verdict: MALICIOUS
Risk Score: 94
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The PDF contains heuristics indicating it is password-protected and uses a lure to obtain a password for an archive, a common tactic to evade gateway scanning. It also contains embedded files and external URIs, suggesting it may be part of a multi-stage attack. The presence of JPXDecode with active content points to potential exploitation of CVE-2018-4990 or related vulnerabilities.
Machine Learning
- Nyx PDF Classifier clean score 0.0389
Heuristics (6)
- JPXDecode + active content — JPEG2000 CVE-family indicator (severity: high, rule PDF_JPX_CVE_2018_4990_RELATED): PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
- Password-protected archive handoff (severity: high, rule SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
- Embedded file (severity: low, rule PDF_EMBEDDED): PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
- External URI (severity: info, rule PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (severity: info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below was reached via the channel "In PDF document text":
  - http://ns.useplus.org/ldf/xmp/1.0/
  - http://cipa.jp/exif/1.0/
  - http://www.agefotostock.com/
  - http://www.aecosan.msssi.gob.es/AECOSAN/docs/documentos/nutricion/educanaos/documento_consenso.pdf
  - https://www.sospeix.org/ca
  - https://www.celiacscatalunya.org/pdfs/guia-practica-la-celiaquia-a-l-escola.pdf
  - https://www.celiacscatalunya.org/pdfs/Cartellcuina.png
  - https://www.celiacscatalunya.org/pdfs/Clas-Aliments_CAST_DIG.pdf
  - https://lactosa.org/
  - https://www.celiacscatalunya.org/es/index.php
  - https://www.aepnaa.org/
  - https://adc.cat/es/
  - https://somgentdeprofit.cat/taller-per-a-les-escoles/
  - https://bit.ly/2zR8Iwr
  - https://bit.ly/31bjicO
  - https://bit.ly/2YWqPJZ
  - https://bit.ly/3hOTYzp
  - https://bit.ly/2Ni8lOP
  - https://bit.ly/2AXg4z6
  - https://bit.ly/3hRhWKj
  - https://bit.ly/2BtCjwB
  - https://bit.ly/319yrvd
  - https://bit.ly/2NgmY59
  - https://bit.ly/314z8pV
  - https://bit.ly/3fMCxNY
  - https://bit.ly/3fIwLNx
  - https://bit.ly/2YmCse7
  - https://bit.ly/3dnXEVx
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/photoshop/1.0/
  - http://www.iec.ch
  - http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
  - http://xmp.gettyimages.com/gift/1.0/
  - http://ns.adobe.com/xap/1.0/rights/
  - https://www.istockphoto.com
  - https://www.istockphoto.com/photo/license-gm1153436655-?utm_medium=organic&utm_source=google&utm_campaign=iptcurl
  - https://www.istockphoto.com/legal/license-agreement?utm_medium=organic&utm_source=google&utm_campaign=iptcurl
  - https://www.istockphoto.com/photo/license-gm895483578-?utm_medium=organic&utm_source=google&utm_campaign=iptcurl
  - https://www.istockphoto.com/photo/license-gm699827560-?utm_medium=organic&utm_source=google&utm_campaign=iptcurl
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/exif/1.0/aux/
  - https://www.istockphoto.com/photo/license-gm666134752-?utm_medium=organic&utm_source=google&utm_campaign=iptcurl
  - http://ns.adobe.com/illustrator/1.0/
  - http://ns.adobe.com/xap/1.0/t/pg/
  - http://ns.adobe.com/xap/1.0/sType/Dimensions#
  - +107 more URL(s) not shown in this report
Extracted artifacts (13)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| GUIA_ESCOLAR_2020_CASTELLA_23_11_20-acc3.pdf.accreport.html | pdf-embedded-file | PDF EmbeddedFile object 6184 at offset 0x8EC826 | 9001 bytes | d0c774ca33617f88f50a8bc22346eebab14855bb0539b788a7a274e45d4473c4 |
| icc_00_off00862185.icc | pdf-icc-profile | PDF ICC profile at offset 0x862185 | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e |
| font_00_cff_off00231ff7.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x231FF7 | 1968 bytes | 0e626b715077bc05d6572d2d1c92e4577fba39a65d763a3e93ab91db62bb620e |
| font_01_cff_off00843aa2.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x843AA2 | 484 bytes | e9966809c48862890f6854e7815bd164ff727d0a69d4434eb767d1b7218dd0dd |
| font_02_cff_off008458c8.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x8458C8 | 4130 bytes | 41dfc539d2a6645845fb729a92bb95f56f5b256800769371596cc5a5a23eaa42 |
| font_03_cff_off008470fd.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x8470FD | 3252 bytes | 3ce8110d1edb3092bbfe0ac460ae057b955e2e9bddd682fcbacf7f35020a0383 |
| font_04_cff_off0084890a.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x84890A | 3619 bytes | b3060f48aca22871750e6aa749ccd27a734dc0c137a987d0da419778d15ad3fe |
| font_05_cff_off0084ce59.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x84CE59 | 1983 bytes | 106764b2d578952b508d87f27613cdb7fdf3ca8b81dc9092e6b5663027d7b5d7 |
| font_06_cff_off008f1b31.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x8F1B31 | 7601 bytes | b5ff068ad9469de3e21fe0c65ebcc68a1e2006a8ea502ddb54833ba4a512d1b7 |
| font_07_cff_off008f33c8.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x8F33C8 | 5149 bytes | fbccfcfbe770ce079f453376a793f1a9792defe0585c5fc5a6a9053565c0d612 |
| font_08_cff_off008f45b0.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x8F45B0 | 6084 bytes | 0df8846d3f017f2f3b26194b7648cfc54dc8f501d106ab61932f42ce516cb917 |
| font_09_cff_off008f56cc.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x8F56CC | 5739 bytes | 7cb97c151240f21976e2bc035398b0e5a2fbaec2eec0351cf4e051a2e2b78bff |
| font_10_cff_off008f6c69.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x8F6C69 | 1083 bytes | 379ab591c6f2b836a60602df109f5e9bef73e4a21170f14630bd0c5e36019096 |