MALICIOUS
Risk Score: 130
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.002 Spearphishing Attachment
The PDF contains multiple heuristics indicating malicious intent, including PDF_REPEATED_PAYLOAD_LINK_LURE and SE_ADVANCE_FEE_SCAM_LURE. The document body appears to be legitimate technical content, but the presence of invisible and repeated links suggests a deceptive tactic. The critical heuristic points to a payload link to 'http://media.pragprog.com/titles/es6tips/code/variables/const/const.js', which is likely the intended download target. The PDF also contains embedded JavaScript, though its specific actions are not detailed here.
Heuristics (6)
- Invisible/repeated PDF links deliver payload file [critical] PDF_REPEATED_PAYLOAD_LINK_LURE: PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
- Advance-fee lottery/parcel scam lure [high] SE_ADVANCE_FEE_SCAM_LURE: Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
- Unusually high stream count [medium] PDF_MANY_STREAMS: PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
- JavaScript action [low] PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI [info] PDF_URI: PDF contains an external URL action.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs
- https://github.com/jsmapr1/simplifying-js
- http://thejoemorgan.com
- https://github.com/tc39/proposal-object-values-entries
- https://github.com/tc39/Array.prototype.includes/
- https://github.com/tc39/proposal-object-rest-spread
- https://github.com/facebook/react/pull/7232#issuecomment-231516712
- https://github.com/airbnb/javascript/issues/851
- https://flow.org
- https://mochajs.org
- http://2ality.com/2017/11/currying-in-js.html
- http://ryanmorr.com/understanding-scope-and-context-in-javascript/
- https://github.com/getify/You-Dont-Know-JS/blob/master/this%20%26%20object%20prototypes/ch4.md
- https://github.com/getify/You-Dont-Know-JS/blob/master/this%20%26%20object%20prototypes/ch2.md#explicit-binding
- https://github.com/typicode/json-server
- https://lodash.com/
- https://github.com/facebookincubator/create-react-app
- https://rollupjs.org/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://www.iec.ch
- https://pragprog.com
- http://pragprog.com/titles/es6tips/errata/add
- http://forums.pragprog.com/forums/es6tips
- https://pragprog.com/book/es6tips/simplifying-javascript
- https://twitter.com/joesmorgan
- http://media.pragprog.com/titles/es6tips/code/variables/const/const.js
- http://media.pragprog.com/titles/es6tips/code/variables/let/problem.js
- http://media.pragprog.com/titles/es6tips/code/variables/let/let.spec.js
- https://pragprog.com/titles/es6tips/source_code
- http://media.pragprog.com/titles/es6tips/code/variables/let/let.js
- http://media.pragprog.com/titles/es6tips/code/variables/let/const.js
- http://media.pragprog.com/titles/es6tips/code/variables/let/declaration.js
- http://media.pragprog.com/titles/es6tips/code/variables/scope/scope.html
- https://developer.mozilla.org/en-US/docs/Glossary/Hoisting
- http://media.pragprog.com/titles/es6tips/code/variables/scope/problem.js
- http://media.pragprog.com/titles/es6tips/code/variables/scope/curry.js
- http://media.pragprog.com/titles/es6tips/code/variables/scope/scope.js
- http://media.pragprog.com/titles/es6tips/code/variables/literals/problem.js
- http://media.pragprog.com/titles/es6tips/code/variables/literals/literals.js
- http://media.pragprog.com/titles/es6tips/code/arrays/arrays/arrays.js
- https://stackoverflow.com/questions/34955787/is-a-javascript-array-order-guaranteed
- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Iterators_and_Generators#Built-in_iterables
- http://media.pragprog.com/titles/es6tips/code/arrays/includes/problem.js
- http://media.pragprog.com/titles/es6tips/code/arrays/includes/greater.js
- http://media.pragprog.com/titles/es6tips/code/arrays/includes/includes.js
- http://media.pragprog.com/titles/es6tips/code/arrays/spread/problem.js
- http://media.pragprog.com/titles/es6tips/code/arrays/spread/splice.js
- http://media.pragprog.com/titles/es6tips/code/arrays/spread/slice.js
+190 more URL(s)
Extracted artifacts (16)
Files carved from inside the sample during analysis.
| Filename | Hash (SHA-256) | Kind | Source | Size |
|---|---|---|---|---|
| stream_174_off000f07c8.js | 8cc1f3438165b95cdf5ad591865b0f06490b3eca1e41fed694bfd0b3e52d73c6 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF07C8 | 5225 bytes |
| icc_00_off0030127e.icc | 0fb37c4328cacebb547210723e15a9fe040ef5a17e5b496e993ca68db0126a88 | pdf-icc-profile | PDF ICC profile at offset 0x30127E | 2008 bytes |
| icc_01_off0030450f.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x30450F | 3144 bytes |
| font_00_cff_off00305a29.bin | 5941493b76ef78501b3489ae97e0be2afe734f556b40be7582aead28ed21b57c | pdf-font-stream | PDF embedded font (cff) at offset 0x305A29 | 21063 bytes |
| font_02_cff_off0030be85.bin | 03014473b7c091ecf7a33f5ff298fa92922e90ed3610b444b443d6a1a37eb9be | pdf-font-stream | PDF embedded font (cff) at offset 0x30BE85 | 21831 bytes |
| font_04_cff_off00311654.bin | 333f5980048d8d1367b097efaa7825b777968eb3eb8837c119b0930ae8f59d18 | pdf-font-stream | PDF embedded font (cff) at offset 0x311654 | 19121 bytes |
| font_05_sfnt_off00313e66.bin | 339c1a0c1a9d252b1df149be54dc367aeb4df045e0df5128121577ff1a4b2fe8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x313E66 | 180922 bytes |
| font_06_sfnt_off00322b88.bin | 6c906174f3b31117665b4c2579d6d105f67e8e074d439185975e1896e4bcc905 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x322B88 | 138674 bytes |
| font_07_sfnt_off0032f284.bin | cb6d9bdb741d62568a1dd17e20928f17ec75788438629282530fdf83f622a461 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x32F284 | 91706 bytes |
| font_08_sfnt_off00339128.bin | 61bc40248b7d330a9cc52be159e89135132365eca20e593546f9f248a8247839 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x339128 | 68770 bytes |
| font_09_sfnt_off00340278.bin | fb26259dfa79d677cc0646b0fa5d90f982bdc9ab96f8430aee58d0293e9e2772 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x340278 | 65914 bytes |
| font_10_cff_off00347688.bin | babb34dfa0ec9602f5a7acc6f1c8e7f1ab9033a5d64edcb4abc787fdcb2a9fca | pdf-font-stream | PDF embedded font (cff) at offset 0x347688 | 53248 bytes |
| font_11_cff_off0034c2fe.bin | 27eff174eac3079d72cea1dfda0da8ef72d89303acb5f9b75d7c2adb934886a7 | pdf-font-stream | PDF embedded font (cff) at offset 0x34C2FE | 54095 bytes |
| font_13_cff_off00356044.bin | c8ffe5a62d0bbeea1b896e868a066c6fce920c4fb300e2657d3bfc23e2869ed6 | pdf-font-stream | PDF embedded font (cff) at offset 0x356044 | 55012 bytes |
| font_15_cff_off0035fafe.bin | f79ebdede1bdfb8a7a6691e733fa93cf0dcf1ab05d8cc16c0061cb8d4cd3c5ef | pdf-font-stream | PDF embedded font (cff) at offset 0x35FAFE | 61547 bytes |
| font_16_cff_off003644f8.bin | bd0a60dbe466cb7d902421936750c1e734b3431852d4e73a82d488300a00b46f | pdf-font-stream | PDF embedded font (cff) at offset 0x3644F8 | 28623 bytes |