MALICIOUS
60
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains a direct link to a ZIP archive hosted on 'iisbeac.com.mx'. This heuristic firing indicates the document is designed to trick the user into downloading and executing a payload. No scripts were extracted from this sample, and the document body was unreadable.
Machine Learning
- Nyx PDF Classifier clean score 0.0009
Heuristics 2
-
PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINKPDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_cff_off00002eba.bind3ad97bf609b26ead64e8d078ddfe6c6a10db3dda582140caa1a2d1ef5057aca |
pdf-font-stream | PDF embedded font (cff) at offset 0x2EBA | 2830 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.