Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0331c45bff1373f…

Verdict: MALICIOUS
File type: PDF
Size: 244.6 KB
First seen: 2026-05-11
MD5: e6138db4058a47faa8eb0b7da144abf3
SHA-1: d1b771a6634254910842a26b3938d621ba23312f
SHA-256: a0331c45bff1373f73f8c96cb3a78dde9a4ea38deb3c44129bfbb3e1e833f08f
Risk Score: 110

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment

The ML classifier strongly indicates this PDF is malicious (Nyx score 0.9948). The document body contains generic text plus what appears to be obfuscated or malformed data, suggesting an attempt to conceal malicious content or an exploit; the heuristics below identify that data as a decimal byte array inside a PDF comment that decodes to a Windows PE executable. No script or URL indicators were found, so the exact delivery chain (how the embedded PE gets decoded and run) remains unclear, but the primary intent appears to be user interaction leading to exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9948

Heuristics (2)

  • PDF_VBS_DECIMAL_ARRAY_PE_PAYLOAD (critical): VBScript-style decimal byte array decodes to a PE payload
    PDF comment text contains a VB/VBScript-style decimal byte array, such as c(077),c(090), that decodes to a verified Windows PE executable. The rule is gated on a comment-line Array(c(...)) assignment and a valid MZ/PE header to keep false positives low.
  • EXTRACTED_FILE_STATIC_TRIAGE (medium): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
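The rule description above is enough to reproduce the check. The following is an added example written for this page, not the scanner's own rule: it scans PDF comment lines for a VBScript-style `x = Array(c(NNN),...)` assignment, decodes the decimal values to bytes, and accepts the result only if it carries an `MZ` signature whose `e_lfanew` field points at `PE\0\0`; it also reports the Shannon entropy the artifact section uses to flag packing. The regex shapes, the `% ttl = Array(` comment layout, the function names and the embedded sample PDF are all assumptions constructed for the demonstration; the sample's payload is a bare PE header, so its entropy is low, unlike the 7.89 reported for the real carved file.

```python
"""Carve a VBScript-style decimal byte array from PDF comment lines and verify
it is a Windows PE. Illustrative code for this page, not the scanner's rule."""
import math
import re
import struct
from collections import Counter
from typing import List, Optional

# A PDF comment runs from '%' to end of line. Binary stream data can also contain
# '%', so the Array(c(...)) gate below is what keeps this from firing on noise.
COMMENT_RE = re.compile(rb"%[^\r\n]*")
# Gate 1: an assignment of a VBScript Array(...) whose elements are all c(NNN).
ARRAY_RE = re.compile(rb"=\s*(Array\((?:\s*c\(\d{1,3}\)\s*,?)+\s*\))", re.IGNORECASE)
BYTE_RE = re.compile(rb"c\((\d{1,3})\)", re.IGNORECASE)


def decode_decimal_array(array_literal: bytes) -> Optional[bytes]:
    """Turn Array(c(077),c(090),...) into raw bytes; None if any value is not a byte."""
    values = [int(v) for v in BYTE_RE.findall(array_literal)]
    if not values or any(v > 0xFF for v in values):
        return None
    return bytes(values)


def is_pe(data: bytes) -> bool:
    """Gate 2: 'MZ' at offset 0 and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0; values near 8 suggest packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def carve_pe_from_pdf_comments(pdf: bytes) -> List[dict]:
    """Return one record per comment-line decimal array that decodes to a PE."""
    hits = []
    for cm in COMMENT_RE.finditer(pdf):
        am = ARRAY_RE.search(cm.group(0))
        if am is None:
            continue
        payload = decode_decimal_array(am.group(1))
        if payload is None or not is_pe(payload):
            continue  # a decimal array, but not a PE: outside this rule's scope
        hits.append({
            "offset": cm.start() + am.start(1),  # file offset of the Array( literal
            "size": len(payload),
            "entropy": round(shannon_entropy(payload), 2),
            "payload": payload,
        })
    return hits


# --- constructed sample input (assumption; not the analysed file) ----------------
def build_minimal_pe_header() -> bytes:
    """64-byte DOS header with e_lfanew -> 'PE\\0\\0' followed by a 20-byte COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=i386, 1 section, no symbols, optional-header size 0xE0, EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\x00\x00" + coff


def as_vbs_comment(payload: bytes) -> bytes:
    """Encode bytes the way the sample does: a comment line holding Array(c(NNN),...)."""
    return b"% ttl = Array(" + b",".join(b"c(%03d)" % v for v in payload) + b")\n"


SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    + as_vbs_comment(build_minimal_pe_header())
    + b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for hit in carve_pe_from_pdf_comments(SAMPLE_PDF):
        print(f"PE payload at 0x{hit['offset']:x}: {hit['size']} bytes, entropy {hit['entropy']}")
```

Two design points carry over to real triage: a decimal array that decodes to something other than a PE is deliberately ignored here (a different rule should own that case), and the `e_lfanew` check matters because `MZ` alone appears in plenty of benign byte strings. Run against a real sample, the carved bytes should be hashed and written out as a separate artifact, exactly as the extracted-artifacts section below does.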

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: decimal_array_pdf_pe_00000229.exe
Kind: embedded-pe
Source: PDF raw comment decimal-array PE payload at offset 0x229
Size: 29797 bytes
SHA-256: fd817ff2bcfc70616bbc41e9b25eb8017264b429fa593c2cdb08f9cf00b80e0d

Detection (carved artifact)
ClamAV: No threats found
Obfuscation or payload: likely
actual_type=PE; declared_or_context_type=PDF; filename=decimal_array_pdf_pe_00000229.exe; kind=embedded-pe
Carved artifact entropy is 7.89, consistent with packed or encrypted content. The clean ClamAV result does not clear the artifact: the critical verdict above rests on the verified MZ/PE header of a PE hidden inside a PDF comment, not on a signature match, and the near-maximal entropy suggests the executable is packed, so its static strings are unlikely to reveal its purpose.