Verdict: MALICIOUS (Risk Score 232)

Malware Insights

MITRE ATT&CK:
- T1204.002 Malicious File Execution: Malicious File
- T1204.001 Malicious File Execution: User Execution
- T1059.003 Command and Scripting Interpreter: Windows Command Shell
- T1059.001 Command and Scripting Interpreter: PowerShell
The PDF contains embedded JavaScript and PRC/3D content, suggesting a complex or obfuscated payload. High-severity heuristics indicate the document actively attempts to trick the user into executing commands via clipboard manipulation or by installing fake browser extensions. It also mentions password-protected archives, a common tactic to bypass initial security scans. The presence of a suspicious extracted artifact, stream_123_off00088794.bin, warrants further investigation.
Heuristics (8)

- PRC/3D content in PDF (high, PDF_PRC_3D): PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat as a related parser-exploit indicator rather than a specific CVE match.
- Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- Visible LOLBin command execution instruction (high, SE_LOLBIN_RUN_COMMAND): Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
- Browser extension / update installation lure (high, SE_BROWSER_INSTALL_LURE): Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation.
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (29)

Files carved from inside the sample during analysis.

| Filename | Hash (SHA-256) | Kind | Source | Size |
|---|---|---|---|---|
| stream_077_off0003f818.bin | ec656c637074adc3fa0e15a481f48d4dc2f60b190443720fdfe462ed2b03d01d | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3F818 | 306318 bytes |
| stream_123_off00088794.bin | f350b6cdff434887a8e7b3f30ac97e4c196e25ae340074263faad6b165ff45fb | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x88794 | 279068 bytes |
| stream_145_off000b898a.bin | 617deb28f7123cc28f7dc0ace4b2d5aa616fd52a4483f5e0b68c80b2dd3bf365 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB898A | 243111 bytes |
| stream_147_off000dfbe0.bin | 5cbf0b1de00707c41038899256fce520fe9e48a26514b425fc0937df63434500 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xDFBE0 | 84779 bytes |
| stream_148_off000e97f6.bin | 9fdf9b8c3e6ebc16075e88e2de35d15dce0a7abf44e8c709a7e77e70dd386e7c | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xE97F6 | 65905 bytes |
| stream_154_off0013bfc1.bin | 5ebcc260548218f1e7b192cef6d8111b409c291bc5087f9190f5554b760acd40 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x13BFC1 | 179370 bytes |
| font_00_cff_off009e3e40.bin | 183e364f8ec0eb87e6e4b4c243e4cce3b31dfcdc4d8f98c6e10ab920bf1fbf79 | pdf-font-stream | PDF embedded font (cff) at offset 0x9E3E40 | 12476 bytes |
| font_01_sfnt_off009e5f69.bin | 75fb4127894d186d6673b5fafabb2224d631dd46bfbc07259a497d52b92b8fd4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9E5F69 | 116804 bytes |
| font_02_cff_off009e8963.bin | 6a5919fecc3ae0cb778ac0f04e81fe5678aa503110dd3d0b73bcd406069eb527 | pdf-font-stream | PDF embedded font (cff) at offset 0x9E8963 | 262 bytes |
| font_03_cff_off009e8ba4.bin | 421cc85e6eff13d3b75182829830c85428f71e082f0a9430a88dc83d498fe3e2 | pdf-font-stream | PDF embedded font (cff) at offset 0x9E8BA4 | 926 bytes |
| font_04_sfnt_off009e9049.bin | c627e64203d1693d58a77fa602c957876d131ded0dfb1d407a4aaebc88ab6957 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9E9049 | 39340 bytes |
| font_05_sfnt_off009ed9fd.bin | e5de240311d531959f88ccede1de1d4a1375544fd7b8a54aa4eb891d2e8f0b35 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9ED9FD | 4584 bytes |
| font_06_sfnt_off009ee219.bin | 23885bc1f38de2e6e02cb8f91fb90407304ab7a89005f5516f4cfaf1c6a4f613 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9EE219 | 11080 bytes |
| font_07_sfnt_off009efd2c.bin | 0ed0ac325d238a4fa1961a97aaf23fe455e2d52fcb6820befa24299669f90a4d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9EFD2C | 2824 bytes |
| font_08_cff_off009f01d9.bin | ec977c241b825056648add2158f96580faddbc4d82f6db4f8faffc3a8702459b | pdf-font-stream | PDF embedded font (cff) at offset 0x9F01D9 | 572 bytes |
| font_09_sfnt_off009f04ad.bin | c9cc2101d425eb26e07836ff89914cbe8dc419b16794fd1907c7635f73544a1b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9F04AD | 5216 bytes |
| font_10_sfnt_off009f0fea.bin | 227c394dbe4b85dba28ecd8014ff1e34e10679f6d40a8f6122266f6a9d7123d9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9F0FEA | 29056 bytes |
| font_11_cff_off009f43f4.bin | a89a8bdb14155e0481ab359c07f16aea6010e8bdfd15dcf6dbd8eeaabc457f9c | pdf-font-stream | PDF embedded font (cff) at offset 0x9F43F4 | 268 bytes |
| font_12_sfnt_off009f4615.bin | 6e2219b9634594da8e164b46a4483fa0a0f49706c3b59ea83ddd127fa5c8e97c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9F4615 | 4604 bytes |
| font_13_sfnt_off009f4eca.bin | 06277a5170521a5fe74990dd318a09de7ab9f1db44ccc4863a0c22e6555b1683 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9F4ECA | 26148 bytes |
| font_14_sfnt_off009f7a3d.bin | 7ef0a92cafff75e579f31b70fad31576401047e15afc2163d7f7bb22b5f159c2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9F7A3D | 26348 bytes |
| font_15_cff_off009fa36c.bin | cb9aead27bfa4ea7151ba18ea6bf50993e4fd39cf40be323f5c3849dcd364354 | pdf-font-stream | PDF embedded font (cff) at offset 0x9FA36C | 3069 bytes |
| font_16_sfnt_off009faf1a.bin | e2d9b76e68a4147c7cf8832241f3a3e07a36f68bce04ebf61939f7afd09e5035 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9FAF1A | 15160 bytes |
| font_17_sfnt_off009fd745.bin | e05f4a667c29a2c8fb730435922670e37890cb66a642955f74f1ca74c2983024 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9FD745 | 31352 bytes |
| font_18_sfnt_off00a01487.bin | 8fb0897b69abfa40f78ec1581c119e5dfc8b003a6946f17f97f7bcd044969216 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA01487 | 25060 bytes |
| font_19_sfnt_off00a05c12.bin | 6768b3e78e1dc0a77b06bfdb9a5aa1e9463a743c6e7af121a55bfc0bbaf16dc1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA05C12 | 45928 bytes |
| font_20_cff_off00a063cc.bin | f7f2e4c4b0cf2f51018da501f5f7dd795cac4037e44f1cbe057d32e11358a99f | pdf-font-stream | PDF embedded font (cff) at offset 0xA063CC | 11491 bytes |
| font_21_sfnt_off00a0861e.bin | 29e2498eb403a74f3bd54293a042f2ddaff8d880106db3b32f46f16a5ea74c0c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA0861E | 44368 bytes |
| font_22_sfnt_off00a0dde5.bin | 09be0ac2a4471846d96c83f716514cc1f583cab5615f82626b5b576be42bea9f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA0DDE5 | 5032 bytes |

Detection detail for stream_123_off00088794.bin:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact entropy is 7.41, consistent with packed or encrypted content.