Verdict: MALICIOUS
Risk Score: 96

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The file is a PDF containing numerous embedded URLs, one of which is directly referenced by a heuristic. The ML classifier and ClamAV detection strongly indicate maliciousness. The document body, though heavily obfuscated, contains text that appears to be a lure related to photography, directing users to a suspicious URL.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://vilenefex.ru/strik?utm_term=the+negative+ansel+adams+photography+pdf
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000e6b3.bin (sha256 c302756acaed215588d63b732fa5880779afa52a425add64ddfd0b099271645b) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6B3 | 5568 bytes |
| font_01_sfnt_off0000f98a.bin (sha256 30ed44280449fc02ba305f4bd5a183fbfecb86d7d4697b298c4f172459ccf1dd) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF98A | 11104 bytes |