MALICIOUS (Risk Score 96)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains an embedded URI pointing to a URL that is designed to trick users into downloading software. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan. The document body, though heavily obfuscated, contains references to 'Piriform ccleaner for iphone' and 'wkhtmltopdf', suggesting a lure for software downloads.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://seumenha.ru/wb?keyword=piriform%20ccleaner%20for%20iphone (PDF link annotation)
  - http://xsafak.com/bakugan_battle_brawlers_ps3_gamelnb3z.pdf (in PDF document text)
  - http://mscredit.info/zilizatozoslzqm.pdf (in PDF document text)
  - https://cdn.sqhk.co/mepapogivoma/ihvs3Mb/best_random_video_chat_apps_for_android.pdf (in PDF document text)
  - http://tortomsk.ru/babybjorn_one_air_manualfd0lz.pdf (in PDF document text)
  - http://teaapple.space/idle_car_tycoon_money_clicker_adventure_mod_apkwbnwb.pdf (in PDF document text)
  - http://maturibcgj.space/981490797027cbi.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://s3.amazonaws.com/dejolavubukugeb/free_illustrator_templates_brochure.pdf (in PDF document text)
  - https://s3.amazonaws.com/wexoteluwag/inter_tel_axxess_software.pdf (in PDF document text)
  - https://s3.amazonaws.com/nuxomigo/50227446069.pdf (in PDF document text)
  - https://s3.amazonaws.com/zusevamasor/avon_online_katalog_indir.pdf (in PDF document text)
  - https://s3.amazonaws.com/gusule/arya_movie_music_ringtone.pdf (in PDF document text)
  - https://s3.amazonaws.com/bajapovogam/dovawikupukenapiwawabe.pdf (in PDF document text)
  - https://s3.amazonaws.com/rizezobabub/15491168443.pdf (in PDF document text)
  - https://s3.amazonaws.com/taguxif/vezolijekeronuvabidodaza.pdf (in PDF document text)
  - https://s3.amazonaws.com/wixanarer/vedozajeg.pdf (in PDF document text)
  - https://s3.amazonaws.com/juzowilipi/crash_bandicoot_gba_rom.pdf (in PDF document text)
  - https://s3.amazonaws.com/lunojol/family_planning_ppt_templates.pdf (in PDF document text)
  - https://s3.amazonaws.com/muxegeza/xanagetenixuru.pdf (in PDF document text)
  - https://s3.amazonaws.com/lijopavexanuse/pemixamajuti.pdf (in PDF document text)
  - https://s3.amazonaws.com/jupevuxirapi/connecticut_dmv_form_h13b.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000c207.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC207 | 5080 bytes | 2c9680a742234ceb80005b4d9623c443000b4758a6bdf809b2cade5d58ab8aaf |
| font_01_sfnt_off0000d325.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD325 | 9612 bytes | 7a6a2ae68da4a719695008c2274dff1bec08d11a6c1a9ee1c4eeea0a174d0e95 |