MALICIOUS
72
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a hidden HTML iframe, which is a common technique for redirecting users to malicious sites. The embedded URLs point to external domains, suggesting a delivery mechanism for further malicious content. No scripts were extracted from this sample, limiting the ability to determine specific payload actions.
Machine Learning
- Nyx PDF Classifier malicious score 0.9482
Heuristics 2
-
PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAMEPDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://fuadrenal.com/lib/index.php In PDF document text
- http://reycross.com/lib/index.phpIn PDF document text
- http://odmarco.com/lib/index.phpIn PDF document text
- http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_001_off0000049b.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x49B | 91432 bytes |
SHA-256: 5b0765156a7522e1b20f16cb911bf3a03d568d8ee9f5cab18481d8449fa81040 |
|||
stream_002_off0000b9ed.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB9ED | 264072 bytes |
SHA-256: a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.