Verdict: MALICIOUS
Risk Score: 296
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The PDF contains embedded JavaScript and heuristics indicate it attempts to trick the user into executing a PowerShell command. The document body and script metadata reference 'Powershell logon script gpo not running windows 10', suggesting a lure to execute malicious PowerShell code. The presence of multiple external URLs, some pointing to suspicious PDF files, further supports a malicious intent to download and execute further payloads.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (9)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Embedded script payload in PDF stream (high, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
- Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| embedded_pdf_script_000139cf.bin | d5016a27877c0253892685466de8d4373d8f0ec63d2729d721acff512561b97e | pdf-embedded-script | PDF raw stream script payload at offset 0x139CF | 1673 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 3 shell/COM execution tokens). |
| font_00_sfnt_off0000f4e0.bin | 8b1e0dd92efd13591b7273d3acdce7e41d068c9783a42d8098db221218445d90 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF4E0 | 5412 bytes | |
| font_01_sfnt_off00010761.bin | 7c731197e9bf95e8de4a6aa1c1953b413b406f3580fe033f658acfb8e5aeb274 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10761 | 12288 bytes | |