Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9004c708131846e…

Verdict: MALICIOUS
File type: PDF
Size: 1018.8 KB
MD5: d288547cd02443856fff4c02341c0240
SHA-1: 6689e7a0388dcb046c7d91759043c9f39177425d
SHA-256: b9004c708131846ee717f90bd44f5823e25b4ce7e6c6a88d2504c79b20971c5d
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1566.003 Spearphishing Attachment

The PDF was identified as malicious due to heuristics indicating an advance-fee scam lure. The document's content, though heavily obfuscated and encrypted, aligns with typical advance-fee fraud schemes involving prizes or parcels. The high stream count and encryption suggest an attempt to evade static analysis.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0201

Heuristics (4)

  • Advance-fee lottery/parcel scam lure (severity: high, SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Unusually high stream count (severity: medium, PDF_MANY_STREAMS)
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • Encrypted PDF: string and stream contents are opaque to static scan (severity: info, PDF_ENCRYPTED)
    PDF declares /Encrypt; string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • PDF paints image(s) but contains no text operators (severity: info, PDF_IMAGE_ONLY_LURE)
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.