Verdict: SUSPICIOUS
Risk Score: 34

Malware Insights

MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF is heavily obfuscated and encrypted, preventing full static analysis. Heuristics indicate it's an image-only lure with hidden links and an unusually high number of streams, suggesting complex obfuscation techniques. The presence of an AcroForm button with an action trigger further supports the likelihood of malicious intent, possibly to redirect the user or trigger an exploit.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3411
Heuristics (5)
- Unusually high stream count (medium) PDF_MANY_STREAMS: PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
- AcroForm button with action trigger (low) PDF_ACROFORM_BUTTON: PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Encrypted PDF (string and stream contents are opaque to static scan) (info) PDF_ENCRYPTED: PDF declares /Encrypt; string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL extracted from this sample carried the label "In PDF document text".
Extracted artifacts (30)
Files carved from inside the sample during analysis. The Detection column holds the expanded per-file detail shown under that row (ClamAV result and static obfuscation/payload triage); rows without detail had none listed.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| stream_040_off00046b95.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x46B95 | 14921 bytes | 78023253210900f7be69ff6bdae1a72b7d20a652a40b5c48f90633cb96a12e8b | ClamAV: no threats found. Obfuscation or payload: likely; 246 of 395 identifiers look randomly generated (e.g. 'ebNH0e7NletIsoUNRULCjdN8xm5JNX82eW9Vt4ov'), consistent with name-mangling obfuscation. |
| stream_043_off0006b4f5.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6B4F5 | 318662 bytes | a841827c92b327dd88f9e264dd87c023c26cdfb79d9c02c650cfe936f9208a6a | |
| stream_045_off000931a1.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x931A1 | 19630 bytes | 013ca40a3773e163e36a4b5461b4def3cbf1a48ff779c2521b22ba5a692ec379 | ClamAV: no threats found. Obfuscation or payload: likely; 434 of 609 identifiers look randomly generated (e.g. 'lZI33Xb9o9Mnnj3OToDWUHuBPyBTrSIjDYJHSm7H'); 7 string-concatenation chain(s), consistent with name-mangling obfuscation. |
| stream_096_off0020ba38.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x20BA38 | 35738 bytes | dd5e4439432d2ea3e7f1869c39a05a2dc4bdb47deb0cb79a68b7fdf2fe10bdae | |
| icc_00_off001b8a83.icc | pdf-icc-profile | PDF ICC profile at offset 0x1B8A83 | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | |
| font_00_cff_off001dcf7c.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1DCF7C | 7449 bytes | e2b563aa0b30e34221330ac7156c2d585bb6962d616524791a96226cae2faa44 | ClamAV: no threats found. Obfuscation or payload: likely; carved artifact entropy is 7.44, consistent with packed or encrypted content. |
| font_01_cff_off001de9ab.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1DE9AB | 6506 bytes | 542060574573606a6f50880024c986abc3122029dd4cad15f33316f1c5194e67 | |
| font_02_cff_off001e0043.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1E0043 | 4535 bytes | b70c81e255f73887860477169f7fc84ceafaa9be402bc84e89492eec3ce8577e | |
| font_03_cff_off001e10dd.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1E10DD | 6491 bytes | 24e38b0b8c0d1ca50e75b1def1617149806b4f1b909710f57de32c2c171002f5 | ClamAV: no threats found. Obfuscation or payload: likely; carved artifact entropy is 7.45, consistent with packed or encrypted content. |
| font_04_cff_off001e27be.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1E27BE | 10064 bytes | 2f2bd95ba1ffca0cd37143f05b8c9ce6ab0b9fc59f6ec23587b9ac432198af5d | |
| font_05_cff_off001ebcdb.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1EBCDB | 6464 bytes | 78edcb660ab52a69de691a7e186f98b6940410d1a76f9229f6f5c162b52c7c9a | |
| font_06_cff_off001edca0.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1EDCA0 | 3414 bytes | 539e9d614853b6f4baa3dcc0a881c1a5fe66f01f9b221cc4d1dec8e3d16c2d47 | |
| font_07_cff_off001ef535.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1EF535 | 1641 bytes | 594892873072d6b91cc4e10033bc978d1e6ba17ddea247723543979896a5bf2d | |
| font_08_cff_off001efb87.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1EFB87 | 2489 bytes | 5874728a8a6eeee3593ca6605ce3d274c2aed297042817e94b62b808636b79bc | |
| font_09_cff_off001f04ba.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1F04BA | 2271 bytes | 9113db7a2647860332e396c490384fe02a059224ac2d4b199ae987336ed5f088 | |
| font_10_cff_off001f0d3f.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1F0D3F | 2047 bytes | f9c4c02be1b13879b6b3d8ab32df0667df1c6c61d11a9a7926e1f78bf07de46e | |
| font_11_cff_off001f14dd.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1F14DD | 3752 bytes | 245457c9423e116816b59f8c06e7a6dbb8cd72ede15ac728ef442de90bfafc4d | |
| font_12_cff_off001f33ec.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1F33EC | 1847 bytes | 0dfd33b84b79ad17dc8529a895924f50015457277b4f634b9aef324d6ad573b5 | |
| font_13_cff_off001f3b08.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1F3B08 | 1891 bytes | 70ab1d355e051483b3509daa02e34b832020ad533b7a869370feb299107e077b | |
| font_14_cff_off001f7d54.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1F7D54 | 4405 bytes | 15306d2b14de0a90102817cd6dee853201edc80cbd861285d2efea2becb8ab90 | |
| font_15_cff_off001f8d2f.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1F8D2F | 4988 bytes | a698ea37b2cd1808b38914a78bb7c9001d937ee3f57592ed7ec37d4754f64213 | ClamAV: no threats found. Obfuscation or payload: likely; carved artifact entropy is 7.46, consistent with packed or encrypted content. |
| font_16_cff_off001fa44c.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1FA44C | 4346 bytes | 8f62355fcbdaea4d5dcf990d3d20fbfb7b74129cc361e44d5456d4d3152de17d | |
| font_17_cff_off001fb359.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1FB359 | 2161 bytes | 287c53f75c6ddfea99536e9538c79cb3d076c7f900f63fca00c5de288f727b2a | |
| font_18_sfnt_off002044fe.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2044FE | 24226 bytes | 20804eda330d00cece574729e24e848091d96f964e666176b68d4c38b91fe071 | |
| font_19_cff_off00216205.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x216205 | 3213 bytes | aba3515739003567ac22377e014d37d05dc2248ac786b7d333ff62fac9c18026 | |
| font_20_cff_off00216e3a.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x216E3A | 6140 bytes | 79d30ebdeef73e5af567f92b552b071e1a9ced628206b23804ca5509a18b81ce | |
| font_21_cff_off0021840b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x21840B | 323 bytes | fe9e3939bc58cba68a30f48bebed2d4e3678389e684edbb81e54a4ccfc2d73d8 | |
| font_22_cff_off002186aa.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x2186AA | 2078 bytes | abdf9d1cd58beb161213ff34763a84f36c077a24a56a4e4d441bdfd6d7efb6ce | |
| font_23_cff_off00218e24.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x218E24 | 703 bytes | 0e58d8bad73959e33c65b06fa3541a91853ca09cabebc42a916b63ebf15696a1 | |
| font_24_cff_off00219143.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x219143 | 2717 bytes | 0835c9d547fa76fa65a75df1490016e52f1d5929f06f53596e2216dee8829b67 | |