Verdict: SUSPICIOUS
Risk Score: 26
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.002 Spearphishing Attachment
The PDF file contains embedded JavaScript, which is a common technique for delivering malicious payloads. The presence of multiple external URIs, including one pointing to a Brazilian government domain (sei.mj.gov.br), suggests a phishing or credential harvesting attempt. The embedded JavaScript likely attempts to redirect the user to one of these URLs or download further malicious content. The high stream count also indicates potential obfuscation.
Machine Learning
- Nyx PDF Classifier clean score 0.1578
Heuristics 4
- TrueType bitmap font + active content — CVE-2023-26369 related (info, PDF_CVE_2023_26369_RELATED): PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 12
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_200_off01c8af0b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1C8AF0B | 423360 bytes | 86c447153c86c06a8468368c32dece7270ce1392bef9f96f8620cd9b966b14ba |
| stream_202_off01cc34dc.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1CC34DC | 61592 bytes | 20853e61b54905047597d7430d88f4bac4631f03af54352a5da2602e2a006bc8 |
| stream_208_off01ce0036.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1CE0036 | 26756 bytes | 38a19bdc6471dad8f44edcecadc8a88f1e7251ab07732d76622166ce97d2dc32 |
| stream_211_off01ce5e32.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1CE5E32 | 23612 bytes | 7038753b144960794919ab34c1ee778f1aa6b16f9caa53122711326767fa2384 |
| stream_214_off01ceb8ad.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1CEB8AD | 30932 bytes | 8be8ed95589b6fec0a241a43b676b1e5bb0447d4e8bf4a180689cc11e8265c83 |
| icc_00_off01c46a3a.icc | pdf-icc-profile | PDF ICC profile at offset 0x1C46A3A | 536 bytes | d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d |
| icc_01_off01c609c5.icc | pdf-icc-profile | PDF ICC profile at offset 0x1C609C5 | 512 bytes | a25bfb637b7d9f5bb20e5071757ba493a0ea755da9ad1c0613b9ac78efa78907 |
| font_00_sfnt_off01c884e5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C884E5 | 29412 bytes | 878d9cd09b5c024beb9a9b6e1aa105df3faf4d2fd93b7d4c03ba650552386c2e |
| font_02_sfnt_off01cb9c83.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1CB9C83 | 83276 bytes | 2376a631ff9c3a3722362c985b64134b46a7efb23550df72462e2423f2bd8ca2 |
| font_04_cff_off01cc9525.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1CC9525 | 535 bytes | 30051ee81d1839965ab4094bfa857ca2073f5f328f678d86baeb611558e521ab |
| font_05_sfnt_off01cc975c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1CC975C | 46040 bytes | a699c39b8e78c3203f0d6471880ae6a25a9372b13ddfd24caa442a491669bb8c |
| font_06_sfnt_off01cd027f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1CD027F | 35648 bytes | fb70f3ac4e7301b81d8b66f5d11c0fcde392b3cc96a6268de226a5c4adc37aea |