Verdict: MALICIOUS
Risk Score: 128
Malware Insights
MITRE ATT&CK
T1553.005 Mark-of-the-Web Bypass
T1204.002 Malicious File
The PDF contains an embedded executable payload, indicated by the 'PDF_EMBEDDED_PE_PAYLOAD' heuristic. The 'SE_INVOICE_LURE' heuristic suggests the document's content is designed to trick the user into executing the payload. The embedded executable was detected by ClamAV as 'Win.Trojan.LuminosityLink-9636903-0'. The primary IOC is the embedded executable file itself.
Heuristics (4)
- Embedded Windows executable payload in PDF stream (critical, PDF_EMBEDDED_PE_PAYLOAD): PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than in standard /EmbeddedFile attachments.
- ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV): ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
- Fake invoice / payment lure (low, SE_INVOICE_LURE): The document contains invoice or payment language paired with an action verb. This is context rather than a detection on its own; it becomes meaningful when combined with link, macro, or attachment indicators.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.w3.org/2001/XMLSchema-instance. This is the W3C XML Schema Instance namespace identifier, the kind of string that originates from XML metadata inside a document rather than from a link, so it is not by itself evidence of network activity.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| embedded_pdf_000036b2.exe | e232a701a26a2b66d4f657010be5c2be43b9902147461e989ff464111553cb0d | embedded-pe | PDF decompressed stream PE payload at offset 0x36B2 | 1983958 bytes | ClamAV: Win.Trojan.LuminosityLink-9636903-0 | unlikely |