Verdict: MALICIOUS
Risk Score: 114
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample was detected as a malicious PDF by ClamAV (a Pdf.Phishing.Trojan signature) and by the Nyx PDF classifier (malicious score 0.9774). It contains a clickable URI action whose host is a raw IPv4 address, http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608677ae04016---vatil.pdf, which is highly suspicious and likely serves as a download location for a secondary payload. Nearly all of the other extracted URLs point into WordPress plugin upload directories (super-forms under wp-content/plugins/super-forms/uploads/php/files/, formcraft under wp-content/plugins/formcraft/file-upload/server/content/files/) on unrelated domains, a pattern consistent with compromised sites being used as disposable hosting for further PDFs. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the external URIs and the malware detections strongly suggest a phishing or exploit-delivery attempt. The links to ascendercorp.com and scripts.sil.org/OFL are typical of font licence metadata and are consistent with the embedded sfnt font carved from the file, rather than with the lure itself.
Machine Learning
- Nyx PDF Classifier malicious score 0.9774
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware under the signature named above.
- Clickable URI points to raw IP address (medium, PDF_URI_IP_LITERAL): PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- https://3dreamstudios.com/wp-content/plugins/super-forms/uploads/php/files/4a6f3c0260350266c5c3630106a4bcc8/bufawopokabelararola.pdf
- https://www.zulilighting.com/wp-content/plugins/super-forms/uploads/php/files/fee056a191f152f878affd5b729620f2/giwukidapebugid.pdf
- https://funkydrop.shop/wp-content/plugins/super-forms/uploads/php/files/329a64e00ba4b8f01db7285b8fdee8e2/12213139943.pdf
- http://raunlarose.us/wp-content/plugins/formcraft/file-upload/server/content/files/1607ece8580182---62895713400.pdf
- https://3dreamstudios.com/wp-content/plugins/super-forms/uploads/php/files/b16e15dad9176f82068fb3e8350b5c7a/totebazubewopuginaru.pdf
- https://protechlighting.com/wp-content/plugins/super-forms/uploads/php/files/8cef2c4aa183fe8c01729ed0973878ed/delolelegotizoduku.pdf
- https://encouragingmath.com/wp-content/plugins/super-forms/uploads/php/files/9c4f33d63da06f9186e487966e4d611a/49615637668.pdf
- http://mognational.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072dd18809a7---99805112759.pdf
- https://encouragingmath.com/wp-content/plugins/super-forms/uploads/php/files/0a46132ffcd94a86e598d366790e092f/tasawujifoxefe.pdf
- http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16071eb2debfd9---jivexageru.pdf
- https://regenerativetherapyforpain.com/wp-content/plugins/super-forms/uploads/php/files/ef74961f3203ae35c194328d57bb4a41/saxixopufirokatiga.pdf
- https://mymango.ru/wp-content/plugins/super-forms/uploads/php/files/5c8f101fda8c26b34a40e8a2207ca72a/wafozovujodil.pdf
- http://www.insurancedirectcanada.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160764aa6a8e55---xibubaveviten.pdf
- https://vidolamerica.org/wp-content/plugins/super-forms/uploads/php/files/3ee040a16a73abc02277835d41ea6b54/76249094911.pdf
- http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608677ae04016---vatil.pdf
- http://adhdadvisory.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f6b0a6aae3---91263078366.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://feedproxy.google.com/~r/Uplcv/~3/3vuEKuznOb8/uplcv?utm_term=the+reporter+newspaper+fond+du+lac+wi
- http://scripts.sil.org/OFL
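Detection logic corresponding to the PDF_URI_IP_LITERAL and EMBEDDED_URL heuristics above, written as an added example rather than the analyser's own code: it scans raw PDF bytes for /URI actions (literal and hex string forms), classifies each host as an IP literal or a named host, and additionally flags the WordPress plugin upload-directory paths that dominate the URL list. The WP_PLUGIN_UPLOAD pattern is an assumed heuristic, not one this report emits; the sample PDF, host names and function names are constructed for illustration.

```python
"""Scan raw PDF bytes for /URI actions and flag hosts that are IP literals.

Added example for the PDF_URI_IP_LITERAL / EMBEDDED_URL heuristics; not the
analyser's code.  It only sees uncompressed objects: URIs inside Flate-
compressed object streams (/ObjStm) need a real PDF parser, not a regex.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Literal string form:  /URI (http://...)   with \( \) \\ escapes allowed
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)", re.S)
# Hex string form:      /URI <687474703a2f2f...>
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

# Assumed heuristic (not one of the report's): a path inside a WordPress
# plugin upload directory, the pattern seen in most URLs listed above.
WP_PLUGIN_UPLOAD = re.compile(r"/wp-content/plugins/[^/]+/(?:uploads|file-upload)/")

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape_literal(raw: bytes) -> bytes:
    """Resolve the PDF literal-string escapes that can appear inside a URI."""
    return re.sub(rb"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)),
                  raw, flags=re.S)


def extract_uris(pdf: bytes) -> list[str]:
    """Return unique /URI targets in file order, from literal and hex strings."""
    found = []
    for m in URI_LITERAL.finditer(pdf):
        found.append((m.start(), _unescape_literal(m.group(1))))
    for m in URI_HEX.finditer(pdf):
        hexdigits = re.sub(rb"\s", b"", m.group(1))
        if len(hexdigits) % 2:  # PDF treats a missing final digit as 0
            hexdigits += b"0"
        found.append((m.start(), bytes.fromhex(hexdigits.decode("ascii"))))
    uris: list[str] = []
    for _, raw in sorted(found):  # keep document order, drop duplicates
        uri = raw.decode("latin-1")
        if uri not in uris:
            uris.append(uri)
    return uris


def classify_host(uri: str) -> str:
    """'ip_literal' for http(s) URLs whose host is an IPv4/IPv6 literal,
    'named_host' for DNS names, 'non_http' for every other scheme."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("http", "https"):
        return "non_http"
    try:
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return "named_host"
    return "ip_literal"


def scan_pdf(pdf: bytes) -> list[dict]:
    """Per-URI findings, named after the report's heuristics."""
    findings = []
    for uri in extract_uris(pdf):
        kind = classify_host(uri)
        findings.append({
            "uri": uri,
            "host_kind": kind,
            "PDF_URI_IP_LITERAL": kind == "ip_literal",
            "wp_plugin_upload_path": bool(WP_PLUGIN_UPLOAD.search(urlsplit(uri).path)),
        })
    return findings


# Constructed sample PDF (not the analysed file): three link annotations, one
# to a raw-IP host, one to a named host (both under WordPress plugin upload
# paths) and one hex-encoded URI to a plain named host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 200 40]
   /A << /S /URI /URI (http://203.0.113.7/wp-content/plugins/formcraft/file-upload/server/content/files/x.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [10 50 200 80]
   /A << /S /URI /URI (https://example.com/wp-content/plugins/super-forms/uploads/php/files/y.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [10 90 200 120]
   /A << /S /URI /URI <68747470733a2f2f6578616d706c652e6f72672f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for finding in scan_pdf(SAMPLE_PDF):
        print(finding)
```

On a real sample, run it over the decompressed object data (for example after inflating streams with a PDF library), since a link annotation stored in an object stream will not surface in a raw scan; treating a raw-IP host as medium severity and the upload-path match as supporting context mirrors how the report above weights them.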
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000106a1.bin (hash d026492e7d09fe39a0caafa6085998861e620edc99a5a328b0692e10b700f64c) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x106A1 | 5284 bytes |