Verdict: SUSPICIOUS (Risk Score 52)
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF document contains an embedded JavaScript stream and a URI pointing to a McAfee white paper, suggesting an attempt to exploit vulnerabilities or trick the user. The heuristic 'SE_CALLBACK_LURE' indicates the document prompts the user to call a phone number, a common tactic in tech-support scams and callback phishing. The document body is heavily obfuscated and contains no readable text, further supporting a malicious intent.
Machine Learning
- Nyx PDF Classifier clean score 0.0016
Heuristics (5)
- PDF paints image(s) but contains no text operators [medium, PDF_IMAGE_ONLY_LURE]: PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams; this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
- Callback phishing phone lure [medium, SE_CALLBACK_LURE]: Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_003_off0000192a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x192A | 557168 bytes | 35f401731df11a4eba3502af632e51d68bc394bcb7d34632a331c1ba3f4a0bf6 |
| stream_007_off0006295b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x6295B | 52520 bytes | 77df0416c371edd0573750243928ac38c2c0abbb4b53c564373468b6df195818 |
| font_00_cff_off000613cf.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x613CF | 5749 bytes | 278667db1301fa1d12a303e669bd7996369e79736683488a81ca40fba7786ff0 |
| font_01_cff_off0035b3dc.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x35B3DC | 3058 bytes | fc86c765d36c38af104ff7491850233342284f2d69ddfb25ef14e656c73c75a9 |
| font_02_cff_off0041e8ff.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x41E8FF | 5265 bytes | 4ef885aca6362b611e499711e1639099bb6e7b0b5af5ea0a3e8aa78f7fcdb69d |
| font_03_cff_off0041fa7b.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x41FA7B | 6085 bytes | 766c79b104d3139ed259a4e6234d5f62088abef30b7e13f170d7d803a0fd15ee |