MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains JavaScript that utilizes an eval() call and a launch action, indicating an attempt to execute code. The document body and extracted URLs point to external websites, suggesting a lure to redirect the user. The presence of PDF_LAUNCH and PDF_ACTION_PARSER_EVASION heuristics further supports the malicious intent of directing users to external content, likely for phishing or malware delivery.
Heuristics 9
-
Launch action high PDF_LAUNCHPDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
-
Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASIONPDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
External URI info PDF_URIPDF contains an external URL action
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.modersohn.de
- http://www.modersohn.de/ideen_edelstahl_index.html
- http://www.modersohn.de/befestigungstechnik_index.html
- http://www.modersohn.de/service_center_index.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0025_000.js3c51ec56f1d5f2fce7a9d54a512f619c5a138ccf5d6d5899809a5bdfb7ed3b16 |
pdf-javascript-stream | PDF /JS object 25 at offset 0x167C | 209 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
font_00_cff_off0001049d.bin3afbc5ca4f1d5c811168cdf94349a621bd6eb64c2335b5a4d67c93f4ec17ea5a |
pdf-font-stream | PDF embedded font (cff) at offset 0x1049D | 13612 bytes |
font_01_cff_off0001ca5c.bin45ead3a93cfad901340c4f0cf97f3174914c4e14627690bc7f7ef8d03c13bc85 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1CA5C | 3782 bytes |
font_02_cff_off0001dd31.bin370920169575a90aa9fae3b8374d0e88fd8e8b95fa0381b033ff8d32bfd146a1 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1DD31 | 1291 bytes |
font_03_cff_off0001e306.binc2b39af2afb0a5fa3eecb74a499b8e58a24d4c1dcb00e88c194b742b04f09aa8 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1E306 | 1878 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.