MALICIOUS
100
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains embedded JavaScript that triggers a SubmitForm action, which in turn attempts to navigate to a Google search URL. This suggests a social engineering attempt to direct the user to a specific search result, potentially as a prelude to further malicious activity. The embedded JavaScript and SubmitForm action are key indicators of this behavior.
Machine Learning
- Nyx PDF Classifier malicious score 0.8359
Heuristics 8
-
PDF embedded file could not be fully decoded medium PDF_EMBEDDED_FILE_UNDECODEDA declared PDF /EmbeddedFile stream uses filters that the scanner could not decode. The raw stream was carved for artifact triage because malformed or unsupported attachment filters can hide payload content from normal extraction.
-
SubmitForm action medium PDF_SUBMITFORMPDF has a /SubmitForm action — form data can be silently posted to an attacker-controlled URL (matched inside decoded stream)
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
External URI info PDF_URIPDF contains an external URL action
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.google.com/[5/7/2010 In PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://www.google.com/search?q=Tchaikovsky&ct=tchaikovsky10-hp&oi=ddleReferenced by PDF JavaScript
- http://www.google.com/search)/FS/URLReferenced by PDF JavaScript
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
malware.bin |
pdf-embedded-file-undecodable | PDF EmbeddedFile object 107 at offset 0x10DEA; filter decode failed | 157957 bytes |
SHA-256: 00f4c88d126c86398279178cff240bea37a96b7539e5638762936107e4fc2a08 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
|
|||
stream_000_off00000060.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x60 | 7109 bytes |
SHA-256: 59bd7d034efc9caeeff55702df9cb2e409eeb637c1926b388fcb99f3fde8855f |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.