MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The embedded URLs suggest a phishing or malware distribution attempt, likely disguised as a benign document to trick the user into downloading a secondary payload. No scripts were extracted, limiting the analysis of specific execution behaviors.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.nestroots.com/wp-content/plugins/super-forms/uploads/php/files/i98pk2dgjbn6bf48mqq1l27j47/lidebagezoberi.pdf
- http://www.cascinasorigherio.it/wp-content/plugins/formcraft/file-upload/server/content/files/1608529dc8440a---64825346944.pdf
- https://lcd96.ru/wp-content/plugins/super-forms/uploads/php/files/b74a881771a7b6716938c08f5198cfde/lagezaboxexobobikalif.pdf
- https://afriqueitnews.com/wp-content/plugins/super-forms/uploads/php/files/9c57b99c8c3fa47dd3e65db799e4f31d/64764107099.pdf
- http://adveotec.com/img/file/85628340613.pdf
- http://www.melodypods.com/wp-content/plugins/formcraft/file-upload/server/content/files/160944d4143484---58517158338.pdf
- https://audit-advisers.com/userfiles/file/fumiv.pdf
- https://afd.me.uk/wp-content/plugins/super-forms/uploads/php/files/r1ckb3ij5369rn563auggcpnf4/39580011983.pdf
- http://www.jcca.co.in/wp-content/plugins/formcraft/file-upload/server/content/files/1606ce0ea20367---23450679459.pdf
- https://intelean.com/wp-content/plugins/formcraft/file-upload/server/content/files/160866b6673987---simokanexebegeda.pdf
- https://gift-edu.ru/wp-content/plugins/super-forms/uploads/php/files/0210be66fb31e7a8a177e52e28017168/xisaluw.pdf
- http://www.deadclan.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607aa89692642---pidigozu.pdf
- https://www.formwork.co.uk/wp-content/plugins/super-forms/uploads/php/files/lacldf8nne3uakmkrct9518pkp/kivexererikuwefixipu.pdf
- https://www.aserspa.net/wp-content/plugins/super-forms/uploads/php/files/inh33j3vfegvlq88e38166ri3h/bubinar.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://feedproxy.google.com/~r/Uplcv/~3/fzgW7-mxBc0/uplcv?utm_term=gmod+android+playermodel
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e884.binf53dedddd51cf5ff80d00bbcbbfcc88c92ffd4d38e893748195f37ec19b2c805 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE884 | 5060 bytes |
font_01_sfnt_off0000f9ab.bin8c191ffabc21021ef3da6171650a96397749eaac52b7c4feee4a2ab0f5ce801e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF9AB | 12548 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.