MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The file was identified as malicious by a ClamAV signature and an ML classifier, indicating a high likelihood of malicious intent. The presence of embedded URLs, despite some being marked as benign, suggests a potential phishing or credential harvesting attempt. The PDF structure and embedded artifacts are consistent with malware delivery mechanisms.
Machine Learning
- Nyx PDF Classifier malicious score 0.9906
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://feedproxy.google.com/~r/sq/ugae/~3/EjZ5HCEZs_A/square?utm_term=three+coins+are+tossed+once+find+the+probability+of+getting+exactly+two+tails
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f40c259c7c9f0ea9a12539/1626606629501/56905909592.pdf
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e8ccb4e5d4731e3e964d48/1625869492120/notes_on_a_harmonica_c.pdf
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e827d251cb2a526cff95f2/1625827282482/thelegend27_revamp_by_5vf.pdf
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f49b8f668793736d3f9add/1626643343320/23224256783.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f09ee02e6efd22d0313002/1626382048599/how_to_get_boots_shiny.pdf
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f49fe93a33e4096dea957d/1626644457374/citing_blacks_law_dictionary.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f1005f133357608f3a8760/1626407007454/3953429886.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f436c81ad9bf1c32bc51d6/1626617545057/74803861277.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f487eccba7b71501f336de/1626638316644/66463908382.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000cefa.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCEFA | 16792 bytes |
font_01_sfnt_off0000e70c.bina14beee4a704441a973a582d0ec2667f934cdfb67502142b0c8dd896d7c1aae2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE70C | 16740 bytes |
font_02_sfnt_off000112d8.bin998f89d1c37ab2d392baa42093302b149336a6e8a17d9def2c472edc30dc56bf |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x112D8 | 11304 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.