SUSPICIOUS
Risk Score: 26
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Link (T1566.002 is the link sub-technique; T1566.001 is Spearphishing Attachment)
- T1059.001 PowerShell (no script was extracted from this sample, so nothing in the artifacts below supports this mapping)
The PDF contains more than 500 stream objects, which the heuristics flag as possible heavy obfuscation or heap-spray padding; a high stream count is also what a large, font-heavy document looks like, so on its own it is weak evidence. No JavaScript or other script was extracted, so there is no payload to analyse for direct code execution. The one active element is a link annotation whose /URI action points to http://www.greekroman.ru/img/gallery/large/athene05.htm; the other URLs were recovered from document text and metadata rather than from clickable actions. The document text did not decode as readable text, so its content could not be assessed. Taken together, the sample looks like a social-engineering lure that relies on the user following the external link rather than on an exploit, which is consistent with the SUSPICIOUS verdict and a risk score of 26.
Machine Learning
- Nyx PDF Classifier: clean (score 0.0013)
Heuristics (4)
- Unusually high stream count (medium, PDF_MANY_STREAMS): the PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
- External URI (info, PDF_URI): the PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): the same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels below give the channel (macro, JS, link annotation, document body, ...) through which each URL was reached.
  - http://www.greekroman.ru/img/gallery/large/athene05.htm (PDF link annotation)
  - http://mify.org/dictionary/a1.shtml#������ (in PDF document text)
  - http://mify.org/dictionary/a2.shtml#�������������� (in PDF document text)
  - http://mify.org/dictionary/a2.shtml#�������� (in PDF document text)
  - http://mify.org/dictionary/a2.shtml#���������������� (in PDF document text)
  - http://mify.org/dictionary/a2.shtml#���������� (in PDF document text)
  - http://mify.org/dictionary/g.shtml#�������� (in PDF document text)
  - http://mify.org/dictionary/g.shtml#������������ (in PDF document text)
  - http://mify.org/dictionary/d.shtml#�������������� (in PDF document text)
  - http://mify.org/dictionary/z.shtml#�������� (in PDF document text)
  - http://mify.org/dictionary/k.shtml#������������ (in PDF document text)
  - http://mify.org/dictionary/n.shtml#�������� (in PDF document text)
  - http://mify.org/dictionary/p.shtml#���������������� (in PDF document text)
  - http://mify.org/dictionary/ee.shtml#�������� (in PDF document text)
  The fragment identifiers on the mify.org links did not decode as UTF-8 and are shown as replacement characters; match on the host and path when hunting in proxy logs, since the fragment is never sent to the server anyway.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  These five are XMP/RDF namespace identifiers from the document metadata, not navigable links.
  - http://en.wikipedia.org/wiki/MIT_License (in PDF document text)
  - http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X (in PDF document text)
  - http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0 (in PDF document text)
  - http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T (in PDF document text)
  - http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0 (in PDF document text)
  - http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a (in PDF document text)
  - http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0 (in PDF document text)
  - http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^ (in PDF document text)
  - http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0�� (in PDF document text)
  - http://www.microsoft.com/pkiops/docs/primarycps.htm0@ (in PDF document text)
  - https://www.microsoft.com/en-us/Typography/ (in PDF document text)
  The crl.microsoft.com and microsoft.com/pki URLs are CRL and AIA distribution points from a Microsoft certificate chain (time-stamping PCA, Code Signing PCA 2011, Root Certificate Authority 2011). The characters after .crl, .crt and .htm (0X, 0T, 0a, 0^, 0@) are the DER bytes that follow each URL inside the certificate, a 0x30 SEQUENCE tag and a length byte, over-read by the string scanner; each URL ends at its file extension. They show that a Microsoft-signed object is embedded in the file, and together with the Typography link and the MIT licence reference they are most plausibly explained by embedded fonts. None of them is attacker infrastructure and they should not be treated as IOCs.
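The duplicate-definition, stream-count and URI heuristics above, as an added example that is not the analyzer's own code: a byte-level triage scanner that walks every `N G obj ... endobj` definition in file order, counts stream objects against the 501+ threshold, pulls /URI targets, and reports any object number that is defined twice with different bodies together with what a first-wins and a last-wins reader would each resolve. The sample PDF is constructed inline (a minimal file followed by an incremental update that redefines a link annotation); the example.invalid URLs, the ACTIVE_KEYS list and the "medium" severity assigned to a duplicate with active content are assumptions.

```python
import re
from collections import defaultdict

# "N G obj ... endobj" over raw bytes. This is a triage scanner, not a conforming
# parser: it ignores the xref and sees every definition in file order, which is
# exactly what exposes a second definition appended by an incremental update.
# A stream whose data happens to contain "endobj" would be cut short.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence makes a duplicate definition "active content" (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def scan_pdf(data: bytes, many_streams_threshold: int = 501) -> dict:
    """Return stream count, extracted /URI targets, conflicting duplicate
    definitions and the resulting heuristic findings (name, severity)."""
    defs = defaultdict(list)          # (num, gen) -> bodies in file order
    stream_count = 0
    uris = []
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        defs[key].append(body)
        if b"endstream" in body:      # one stream per stream object
            stream_count += 1
        uris.extend(URI_RE.findall(body))

    duplicates = []
    for key, bodies in defs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            duplicates.append({
                "obj": key,
                "definitions": len(bodies),
                "first_wins": bodies[0],       # what a first-wins reader resolves
                "last_wins": bodies[-1],       # what a last-wins reader resolves
                "active_content": any(k in b for b in bodies for k in ACTIVE_KEYS),
            })

    findings = []
    if stream_count >= many_streams_threshold:
        findings.append(("PDF_MANY_STREAMS", "medium"))
    if uris:
        findings.append(("PDF_URI", "info"))
    for d in duplicates:
        # Body-only differences are normal in incremental updates; raise severity
        # only when the conflicting object carries active content ("medium" is assumed).
        findings.append(("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL",
                         "medium" if d["active_content"] else "info"))
    return {"stream_count": stream_count, "uris": uris,
            "duplicates": duplicates, "findings": findings}


# Constructed sample: a minimal PDF (no xref, which the scanner does not need)
# followed by an incremental update that redefines link annotation 4 0.
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>\nendobj\n",
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (http://example.invalid/benign) >> >>\nendobj\n",
    b"5 0 obj\n<< /Length 6 >>\nstream\nBT ET\n\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    # Incremental update: same object number, different /URI. A last-wins reader
    # follows the redirect; a first-wins reader shows the benign link.
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (http://example.invalid/redirect) >> >>\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    for name, severity in result["findings"]:
        print(f"{severity:7s} {name}")
    for d in result["duplicates"]:
        print(f"obj {d['obj']} defined {d['definitions']}x, active={d['active_content']}")
        print("  first-wins:", URI_RE.findall(d["first_wins"]))
        print("  last-wins: ", URI_RE.findall(d["last_wins"]))
```

On a real sample the duplicate list is the part worth reading: when the two bodies of the same object differ only in a /URI, /JS or /OpenAction, open the file in both a first-wins and a last-wins viewer before deciding which link or script the victim actually saw.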
Extracted artifacts (6)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_019_off00005319.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5319 | 585420 bytes | 002b2a6f5026cfa67e330eb0457ae20b421f648e153575f50fa7e89b0ee5d5df |
| stream_049_off000322f4.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x322F4 | 102655 bytes | f31a30779fc3d0bac2c0ca2967d4515b535e5db249efcb430ff44cdf3f253e50 |
| stream_081_off00055ffa.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x55FFA | 387360 bytes | 8ac7849b14be0de59e11a6f8a8db6557c4807c085eda32c6d5b3ef0544701175 |
| stream_085_off0005e843.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5E843 | 112796 bytes | f8808ea50f74b488db5de6b24535124177867f8d5e33f857900aeae89b7e1646 |
| stream_087_off000621ac.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x621AC | 82175 bytes | 38281a07ede3348fefb172980875a685521d28cc7a4b0747b5e848eadb0793ad |
| stream_121_off001b39d8.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1B39D8 | 92776 bytes | 8fa24feda8c2cee5ebcb775bad07e6ce41710ffb0daaf1c5a7e36d639d83eb37 |
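Carving FlateDecode streams in the shape of the table above, as an added example that is not the analyzer's own code: it locates each stream object, inflates the data with a zlib decompressobj so that a truncated or corrupt stream still yields whatever plaintext precedes the damage, and records the data offset, sizes and SHA-256 of the inflated bytes. The PDF is constructed inline with one valid Flate stream, one uncompressed stream and one deliberately truncated Flate stream whose /Length lies; the regexes, the record layout and the chunk size are assumptions.

```python
import hashlib
import re
import zlib

# Header of a stream object: "N G obj << ...dict... >> stream\n". The tempered dot
# (?!endobj) stops a lazy match from running from one object's "<<" into the next
# object's stream. Triage-grade: it does not follow the xref.
STREAM_HDR_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)


def digest_of(plain: bytes) -> str:
    return hashlib.sha256(plain).hexdigest()


def inflate_tolerant(raw: bytes):
    """Inflate with a decompressobj, feeding small chunks so that output produced
    before a corrupt block is kept. Returns (plaintext, error_or_None); a stream
    that ends without the deflate end-of-stream marker is reported as truncated."""
    d = zlib.decompressobj()
    out = bytearray()
    try:
        for i in range(0, len(raw), 256):
            out += d.decompress(raw[i:i + 256])
        out += d.flush()
    except zlib.error as e:            # bad header or corrupt block
        return bytes(out), str(e)
    return bytes(out), None if d.eof else "truncated"


def carve_flate_streams(data: bytes) -> list:
    """One record per FlateDecode stream: object id, file offset of the raw data,
    compressed and inflated sizes, SHA-256 of the inflated bytes, inflate error."""
    records = []
    for m in STREAM_HDR_RE.finditer(data):
        if b"/FlateDecode" not in m.group(3):
            continue                   # other or no filter: not inflated here
        start = m.end()
        end = data.find(b"endstream", start)
        if end < 0:
            end = len(data)            # unterminated stream: take the rest of the file
        # /Length is deliberately not trusted; malicious files routinely lie about it.
        raw = data[start:end]
        # The EOL before "endstream" is not part of the stream data.
        if raw.endswith(b"\r\n"):
            raw = raw[:-2]
        elif raw.endswith((b"\n", b"\r")):
            raw = raw[:-1]
        plain, error = inflate_tolerant(raw)
        records.append({
            "obj": (int(m.group(1)), int(m.group(2))),
            "offset": start,
            "compressed_size": len(raw),
            "inflated_size": len(plain),
            "sha256": digest_of(plain),
            "error": error,
        })
    return records


# Constructed sample: object 2 is a valid Flate stream, object 3 is uncompressed,
# object 4 is a Flate stream cut off after 100 bytes with a /Length that lies.
PLAIN_A = b"BT /F1 12 Tf (constructed page content) Tj ET"
COMP_A = zlib.compress(PLAIN_A)
COMP_B = zlib.compress(bytes(range(256)) * 8)[:100]
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    b"2 0 obj\n<< /Length " + str(len(COMP_A)).encode() + b" /Filter /FlateDecode >>\nstream\n",
    COMP_A, b"\nendstream\nendobj\n",
    b"3 0 obj\n<< /Length 5 >>\nstream\nBT ET\nendstream\nendobj\n",
    b"4 0 obj\n<< /Length 4096 /Filter /FlateDecode /DecodeParms << /Predictor 1 >> >>\nstream\n",
    COMP_B, b"\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    for r in carve_flate_streams(SAMPLE_PDF):
        name = f"stream_{r['obj'][0]:03d}_off{r['offset']:08x}.bin"
        print(f"{name} {r['inflated_size']} bytes sha256={r['sha256']} error={r['error']}")
```

The hash is taken over the inflated bytes, which is what the table above records, so a stream can be matched against those SHA-256 values without re-running the whole analysis. Streams that report an error are the ones to look at by hand: a truncated or corrupt Flate stream in an otherwise well-formed file is often where a payload was hidden from a strict parser.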