MALICIOUS
74
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
The PDF contains an embedded script payload and an embedded file, which is a common technique for delivering malware. The embedded URL points to an executable file, indicating a likely attempt to trick the user into downloading and running a malicious payload. The document body text appears to be obfuscated script content rather than user-readable text.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 7
-
Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTHA PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
Embedded script payload in PDF stream info PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://info.seasovonejeaakkin.net/47n0d00xE3y0F9GS0NzVv0Ne1E0SGS60RhXv0NLzv0psBt0vQr50i9Go0hZEA0H2q90CUzf0InYt0S1Pr0tghV0lXxl00Py50nb1N12T810FbNz0yP180HBJc157QD0Quqv0oGlI0JGLa0Je1Q0k64K0gpIw0YfP404UUO14AjR0j2T70H2fN0rzh20cecU0tBKD0MEgb0gJXf0YSq90Maoe00LT70gGKZ05I0x0oxQn0oRxC07Z1v1785b0Ap3b11veH14WFK/vxUur12idz.exe?HHgiUyEk=XK5HP5K";OMtXnt= In PDF document text
- http://info.seasovonejeaakkin.net/47n0d00xE3y0F9GS0NzVv0Ne1E0SGS60RhXv0NLzv0psBt0vQr50i9Go0hZEA0H2q90CUzf0InYt0S1Pr0tghV0lXxl00Py50nb1N12T810FbNz0yP180HBJc157QD0Quqv0oGlI0JGLa0Je1Q0k64K0gpIw0YfP404UUO14AjR0j2T70H2fN0rzh20cecU0tBKD0MEgb0gJXf0YSq90Maoe00LT70gGKZ05I0x0oxQn0oRxC07Z1v1785b0Ap3b11veH14WFK/vxUur12idz.exe?HHgiUyEk=XK5HP5K"In PDF document text
- http://ns.adobe.com/xdp/In PDF document text
- http://www.xfa.org/schema/xci/1.0/In PDF document text
- http://www.xfa.org/schema/xfa-template/2.5/In PDF document text
- http://ns.adobe.com/xtd/In PDF document text
- http://www.xfa.org/schema/xfa-data/1.0/In PDF document text
- http://ns.adobe.com/xfdf/In PDF document text
- http://www.xfa.org/schema/xfa-form/2.8/In PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0008.bin |
pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0xEB | 10017 bytes |
SHA-256: 670e35dce867c33b621bdca26c15e8ad27a531a24e28551b9a9023089a84c520 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.