MALICIOUS
72
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file exhibits characteristics of a phishing lure, including being image-heavy with minimal text and containing an embedded JavaScript action. The presence of embedded files and JavaScript suggests an attempt to execute malicious code or redirect the user to a harmful site. The PDF_IMAGE_LURE heuristic specifically indicates a typical shape of a phishing lure where a screenshot hides a clickable button that launches or submits to an attacker URL.
Heuristics 7
-
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
-
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LUREPDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 46 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/
Extracted artifacts 9
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0001.binc06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb |
pdf-embedded-file | PDF EmbeddedFile object 1 at offset 0x1BD7 | 85 bytes |
embedded_file_obj0002.bin52f043a6fc7df55209bb983ed6c7d2cbf223d70807f647258f3320e58aef00a9 |
pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0x1C89 | 1465 bytes |
embedded_file_obj0003.binaf16e0cb98e636cca488174851c84e433b9acda855828256025165579bf7f91e |
pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x1F44 | 973 bytes |
embedded_file_obj0004.bin25d743ae4c43415786d92862868b8a50a0d830dea6ed82626a2bf1370faf2509 |
pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0x2193 | 11882 bytes |
embedded_file_obj0005.bin226eeacc5eecef2a05ca480f144ff6936594e20b5c7672e8f29f25c8bea65a56 |
pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0x2640 | 2928 bytes |
embedded_file_obj0006.bin4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5 |
pdf-embedded-file | PDF EmbeddedFile object 6 at offset 0x29AD | 200 bytes |
embedded_file_obj0007.bin1e96d28fce4fbbc1f0f529e2266e0d503636f29111a4ea3cb8464bc9f6b5250a |
pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x2AA0 | 835 bytes |
embedded_file_obj0008.bin8f96f8652bbe352f96051db71b660e225a5fc0ae5963e496720bd7a5634fd5d2 |
pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0x2C79 | 291 bytes |
stream_002_off000013b0.bin05be3559404a8717e68e6b5884bea90b066cd04a5d42d7ddf2487abda5869e78 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x13B0 | 2983 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.