MALICIOUS
Risk Score: 132

Malware Insights

MITRE ATT&CK
- T1059.003 Windows Command Shell
- T1059.001 PowerShell
The PDF is encrypted and contains embedded files, suggesting it is a container for malicious content. A high-severity heuristic indicates the document explicitly lures the user to execute commands via the clipboard, likely to download and run further payloads. The document body is unreadable, but the heuristic is sufficient to infer the attack pattern.
Machine Learning
- Nyx PDF Classifier clean score 0.0085
Heuristics (5)
- Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded file (low, PDF_EMBEDDED): PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- Encrypted PDF, string and stream contents are opaque to static scan (info, PDF_ENCRYPTED): PDF declares /Encrypt; string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.iec.ch (in PDF document text).
Extracted artifacts (18)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| Email-Worm.Win32.ZippedFiles.a.zip | pdf-embedded-file | PDF EmbeddedFile object 115 at offset 0x7196 | 112981 bytes | 12a4c37d5e714d60c5dbc7329c611beacd5b3b1eab5bdd3399b6f045c48c8354 | ClamAV: Win.Worm.Z-5. Obfuscation or payload: likely (actual_type=ZIP; declared_or_context_type=PDF; filename=Email-Worm.Win32.ZippedFiles.a.zip; kind=pdf-embedded-file) |
| fmxutils.pas | pdf-embedded-file | PDF EmbeddedFile object 116 at offset 0x22B28 | 4073 bytes | cb3098601d535b46b69c9f4a06a6acef6514e5ea90a6eee402d544178240d201 | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 shell/COM execution token(s)) |
| mainfrm.pas | pdf-embedded-file | PDF EmbeddedFile object 117 at offset 0x2310A | 306 bytes | 203519b6db8c4c9c21d822f200ca4b7d676441b8555ca50a81c9e8124a3506fd | |
| mapiutils.pas | pdf-embedded-file | PDF EmbeddedFile object 118 at offset 0x2323F | 10272 bytes | f68694bf350fe318e8bd4bd2a364e403a3da538d75861ff916bc67c0df79700f | |
| netscan.pas | pdf-embedded-file | PDF EmbeddedFile object 119 at offset 0x23CE5 | 2095 bytes | bc9274f2438a92e7ed30cdd89752cd13f7cd66c4a7d3020f8728c291d16ca89a | |
| scandir.pas | pdf-embedded-file | PDF EmbeddedFile object 120 at offset 0x24079 | 1394 bytes | cd4b9bc2fe996739dae507c20d0cefb02005781a40f85f0e7bc2376106729819 | |
| virusutil.pas | pdf-embedded-file | PDF EmbeddedFile object 121 at offset 0x24304 | 1897 bytes | f2a99572af4cc6146597c4f8cafda58464d00910b4fd8123ca757331a351741d | |
| zipped_files.dpr | pdf-embedded-file | PDF EmbeddedFile object 122 at offset 0x245C1 | 5351 bytes | 28b103fdb051435039e1dde767ae40344625f35b07db0ff17344f596a6666d18 | |
| icc_00_off00005796.icc | pdf-icc-profile | PDF ICC profile at offset 0x5796 | 408 bytes | 653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f | |
| icc_01_off000058bd.icc | pdf-icc-profile | PDF ICC profile at offset 0x58BD | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | |
| embedded_file_obj0115.bin | pdf-embedded-file | PDF EmbeddedFile object 115 at offset 0x7286 | 112981 bytes | 2c13566df194fb233115138cb0f958fcf8cb7cdd8508a55d3beb503bc16c5624 | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 8.00, consistent with packed or encrypted content) |
| embedded_file_obj0116.bin | pdf-embedded-file | PDF EmbeddedFile object 116 at offset 0x22C37 | 4073 bytes | 5ece6e293ca40c6b2b78c78f1d775d0a4533bc24cf975b4b6b2f7776b3aba5da | |
| embedded_file_obj0117.bin | pdf-embedded-file | PDF EmbeddedFile object 117 at offset 0x23C7B | 306 bytes | 22345a914e31d267d36ea49cb33f1c3dcd48239e2bd8f6fffa48a841a5b6c3a5 | |
| embedded_file_obj0118.bin | pdf-embedded-file | PDF EmbeddedFile object 118 at offset 0x23E0A | 10272 bytes | 115c2733d80222fe01af847073faf839e376eebfaa383f7becf1be34738aafd2 | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.98, consistent with packed or encrypted content) |
| embedded_file_obj0119.bin | pdf-embedded-file | PDF EmbeddedFile object 119 at offset 0x26686 | 2095 bytes | aa491c3242d7767ad645100f24afbdb909e9608d6362b96db15bb76c2f51e673 | |
| embedded_file_obj0120.bin | pdf-embedded-file | PDF EmbeddedFile object 120 at offset 0x26F11 | 1394 bytes | 8f6ae8c918e23c5729adc0dbc93a40642ca4c3b09c1f211558549313304bd091 | |
| embedded_file_obj0121.bin | pdf-embedded-file | PDF EmbeddedFile object 121 at offset 0x274DF | 1897 bytes | 70a79deb5c35084516bcd35edaee71d77e66cffe0028a19c39b1c2b4a83bd975 | |
| embedded_file_obj0122.bin | pdf-embedded-file | PDF EmbeddedFile object 122 at offset 0x27CA4 | 5351 bytes | 62102944684a280024324c2186bd9c43f703163bd93aa6b778c09aeae007dd82 | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.97, consistent with packed or encrypted content) |