MALICIOUS
124
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by ClamAV and an ML classifier, with heuristics indicating it's a phishing lure related to invoices or callbacks. The embedded URL, https://traffine.ru/strik?utm_term=sun+nuclear+1027+software+download, is the primary indicator of a malicious download attempt. While no scripts were explicitly extracted, the PDF structure and the nature of the lure suggest it may contain embedded JavaScript to facilitate the download.
Machine Learning
- Nyx PDF Classifier malicious score 0.9969
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffine.ru/strik?utm_term=sun+nuclear+1027+software+download
- https://rikurifijuse.weebly.com/uploads/1/3/4/6/134681474/bukukakokelomekux.pdf
- https://cdn-cms.f-static.net/uploads/4420934/normal_5fa8ae495bf6e.pdf
- https://jigupipugefelo.weebly.com/uploads/1/3/4/3/134387822/sakozow.pdf
- https://jadimakadafi.weebly.com/uploads/1/3/4/3/134378671/4796288.pdf
- https://zomomawiwupid.weebly.com/uploads/1/3/4/3/134385308/18807.pdf
- https://cdn-cms.f-static.net/uploads/4482215/normal_5fb3508191c2c.pdf
- https://cdn-cms.f-static.net/uploads/4366652/normal_5f8e960b69823.pdf
- https://cdn-cms.f-static.net/uploads/4418993/normal_5fb486f77cff4.pdf
- https://cdn-cms.f-static.net/uploads/4460255/normal_5fa87882cdb5f.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/eeabc043-4a71-4361-8ab7-37b00e73a2b9/maporajuvikudusugimexo.pdf
- https://uploads.strikinglycdn.com/files/ccb7e1b0-376b-4f62-ac6d-afcf6441052d/samurai_training_academy_dc.pdf
- https://uploads.strikinglycdn.com/files/fa2ea834-9ee6-4755-b2f1-c8d6a79803f6/27944721774.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0002bea4.bin4d2de0e3a21f9a60bbf9edf21d86116fbd53f8791620222c1aa3d9f2c67be409 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2BEA4 | 5616 bytes |
font_01_sfnt_off0002d1f2.binbabfd09a6f9e5ffde2f304f1415b52049e1808a0b4640763e908187f6fe1a0ad |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2D1F2 | 20276 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.