MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains an embedded URL that points to a suspicious domain, identified by heuristics as an external URI and flagged by ClamAV as a phishing trojan. The ML classifier also strongly indicated maliciousness. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site, likely for phishing or to download a secondary payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffnew.ru/123?utm_term=encyclopedia+chess+combinations+pdf
- https://cdn-cms.f-static.net/uploads/4455405/normal_5fc35265175a0.pdf
- https://cdn-cms.f-static.net/uploads/4423431/normal_5fb2a386b5457.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/8d6249c7-8063-4e8a-9c87-67c15db573eb/vusetixovin.pdf
- https://s3.amazonaws.com/xumakomowi/whats_tracker_app_for_android.pdf
- https://uploads.strikinglycdn.com/files/cae06c4a-01ba-4521-8ca4-3ff6ffed09fe/ymca_ann_arbor_reopening.pdf
- https://static1.squarespace.com/static/5fc29ae41c8c7413143cd114/t/5fcc68b92fa8bc6bcde08886/1607231674723/dekevo.pdf
- https://s3.amazonaws.com/xonobijikivo/44903731647.pdf
- https://uploads.strikinglycdn.com/files/8f4b947f-4bb1-453e-99db-ded67980db2c/15936190555.pdf
- https://static1.squarespace.com/static/5fc10d7a9955c744b53c6b10/t/5fcc2c0e2fa8bc6bcdda0e6d/1607216143458/86525749531.pdf
- https://uploads.strikinglycdn.com/files/a715e433-1a9b-4c27-b3c1-7c56d56b6c70/zewatizasa.pdf
- https://s3.amazonaws.com/dinilederu/98365774908.pdf
- https://uploads.strikinglycdn.com/files/2922377b-5119-4155-8ddb-344900b904d7/viwalodedoxarilodike.pdf
- https://s3.amazonaws.com/mejifavo/chapter_10_accounting_answers.pdf
- https://static1.squarespace.com/static/5fc07dde27a199023ab34438/t/5fc2465418e72e5fdb227350/1606567509645/camp_chef_grill_box_2_burner.pdf
- https://uploads.strikinglycdn.com/files/4a20ff2c-8505-4f6c-814a-9e1fccfba288/michael_loftus_reviews.pdf
- https://static1.squarespace.com/static/5fc77b74849d1727bc12ab1a/t/5fca29fb414f5e352382cf7d/1607084539739/nupitu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c6a7.binb0a3bb28d6bed4370e649f8b1e4f0abbf1b7b28126042971d29de308b8201292 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC6A7 | 5496 bytes |
font_01_sfnt_off0000d93e.bin153552c2b9b1352735ee74f6f3160b75fccd534df775f339b65b22f6ab691a23 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD93E | 11592 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.