Verdict: MALICIOUS
Risk Score: 88
Malware Insights
MITRE ATT&CK:
- T1059.001 PowerShell
- T1204.002 Malicious File
The PDF contains embedded JavaScript and heuristics indicate a potential exploit related to CCITTFaxDecode and TIFF/XFA, suggesting it aims to leverage a known PDF vulnerability. The embedded JavaScript streams are likely responsible for executing malicious code, potentially downloading further payloads. The ML classifier also flagged this PDF as malicious.
Machine Learning:
- Nyx PDF Classifier malicious score 0.5224
Heuristics (5 rules matched):
- [high] CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator (PDF_CCITT_CVE_2010_0188_RELATED): PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
- [low] JavaScript action (PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- [low] Embedded JS stream (PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- [info] Suspicious extracted artifact (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- [info] Embedded URL (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/pdf/1.3/
Extracted artifacts (10):
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0075_000.js | 6eac5da4aa02d7db6a6b8fb0f76823278b47784dfdf0eb3b6f3909793c268051 | pdf-javascript-stream | PDF /JS object 75 at offset 0x793 | 5161 bytes |
| javascript_obj0076_001.js | a8935673576f3f35a84ab19ee443c7510a557c2be0bfe738d8965d336abf5882 | pdf-javascript-stream | PDF /JS object 76 at offset 0xD57 | 279 bytes |
| stream_014_off00007928.bin | f66ec6940937b3258a3be107a79c5f75e9f715e7d4b2c1453e5cd430710f7d7d | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7928 | 7366 bytes |
| icc_00_off0000b2f8.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0xB2F8 | 3144 bytes |
| font_00_cff_off000046ea.bin | 57c4f6b733c0e0656f414e73a4082013d63b0a50cbb3fa09ecb103cbcb3c7e92 | pdf-font-stream | PDF embedded font (cff) at offset 0x46EA | 6028 bytes |
| font_01_cff_off00005cc6.bin | 26f9fcd086342d7c4130986cdb918fda450f92668a12d05af4151e10f7a9e6c1 | pdf-font-stream | PDF embedded font (cff) at offset 0x5CC6 | 7538 bytes |
| font_03_cff_off000093a9.bin | 7b391347bb8b9bcfe5f857a4021840f203177dbffbfe14b66b77bf9c564aab8a | pdf-font-stream | PDF embedded font (cff) at offset 0x93A9 | 8690 bytes |
| font_04_cff_off0001ff65.bin | f30924688e3f5e569aa21fcbae4d7ae6301eeb5a17abb59203688050044aaba6b | pdf-font-stream | PDF embedded font (cff) at offset 0x1FF65 | 233 bytes |
| font_05_cff_off000269b7.bin | d8cfa9e722af0a6beb62980adecece7e424b81ce42101ff607bcff6231357206 | pdf-font-stream | PDF embedded font (cff) at offset 0x269B7 | 5977 bytes |
| font_08_cff_off0002e334.bin | 277e42098462266ee9f51170649eef9f5905cee40fd68da36154d2f8d9bef886 | pdf-font-stream | PDF embedded font (cff) at offset 0x2E334 | 880 bytes |

Detection (per-artifact detail expanded in the listing immediately after the font_03_cff_off000093a9.bin row):
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact entropy is 7.41, consistent with packed or encrypted content.