Verdict: MALICIOUS
Risk Score: 62

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
This PDF file contains embedded JavaScript, indicated by multiple heuristic firings related to PDF_JAVASCRIPT and PDF_JS. The presence of an embedded file (embedded_file_obj0446.bin) and the 'SE_CALLBACK_LURE' heuristic suggest a phishing or scam attempt. The JavaScript is likely responsible for executing the embedded file or fetching additional malicious content, aligning with common delivery techniques for malware.
Heuristics (8)

- Callback phishing phone lure (medium, SE_CALLBACK_LURE): Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded file (low, PDF_EMBEDDED): PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
- ASCII85Decode filter with exploit indicators (low, PDF_FILTER_85): ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation.
- Optional Content Group with action trigger (low, PDF_OPTIONAL_CONTENT): Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs below are all standard XMP, RDF and Dublin Core metadata namespace identifiers rather than navigable links.
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/g/img/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/pdf/1.3/
Extracted artifacts (8)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| embedded_file_obj0446.bin | 32c77dfa9c35a5fcd9182e8b0d86a1ae51753ba163adce8f138d8bff6e85edb7 | pdf-embedded-file | PDF EmbeddedFile object 446 at offset 0x5ED31 | 14577 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 12 long base64-like blobs). |
| icc_00_off00000fe0.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0xFE0 | 3144 bytes | |
| font_00_sfnt_off00002534.bin | 8dcdd5990b6bf7b409ec9bbf34d180944e01789f219ae06e681259d4cc2808c1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2534 | 7328 bytes | |
| font_01_cff_off0002822d.bin | 86399657ee461feec64b28ece3a1b3d125edb2ead7ee9726ba2d0ad9d1af7899 | pdf-font-stream | PDF embedded font (cff) at offset 0x2822D | 236 bytes | |
| font_02_sfnt_off000458f1.bin | 70b167dc69a0e277db890faa8c8a32b8110ed1e563f7b7fef0e8501ed1ecbd05 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x458F1 | 7068 bytes | |
| font_03_sfnt_off00046a1b.bin | d9c65497788fcc3005dc6a3f12e9fade46c1c1b31bad6ec5b2b72584472d7256 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x46A1B | 6096 bytes | |
| font_04_sfnt_off0004bb10.bin | def60d5cac7cf4dc653dae1f41a8ee7b67a34a20fc439cd0b4403cc10072c174 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4BB10 | 29720 bytes | |
| font_05_sfnt_off00050590.bin | 97e74ea72e9ad32a2b4c1cea9d9e9708b27e99dd2a731615dad297c436fc6d1a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x50590 | 25240 bytes | |