MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URL pointing to a suspicious domain, which is likely used to deliver a secondary payload or conduct phishing. The document body, though heavily obfuscated, suggests a lure related to educational content ('series parallel circuit worksheet'). No scripts were extracted, but the PDF structure and embedded URI heuristic indicate malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffnew.ru/aws?utm_term=series+parallel+circuit+worksheet%2523+1
- https://static.s123-cdn-static.com/uploads/4459165/normal_5fc682734554c.pdf
- https://static.s123-cdn-static.com/uploads/4469136/normal_5fcc3a015db5b.pdf
- https://cdn-cms.f-static.net/uploads/4427284/normal_5f989fb8a2a66.pdf
- https://cdn-cms.f-static.net/uploads/4372382/normal_5fa40dd05fb9d.pdf
- https://cdn-cms.f-static.net/uploads/4375885/normal_5fbe243c710fb.pdf
- https://cdn-cms.f-static.net/uploads/4372104/normal_5f925d9624a64.pdf
- https://cdn-cms.f-static.net/uploads/4403406/normal_5f98fe1d6aa69.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fc178ab6b97992eb56010ae/t/5fc86e83b74dd54858d90b0a/1606971013118/lords_mobile_payment_methods.pdf
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbf5ade9d79364840856e8b/1606376159218/76756297800.pdf
- https://static1.squarespace.com/static/5fc2a60b1c8c7413143d24fc/t/5fc53992f8cdb769c68d51cf/1606760855698/zugafubomifugusafog.pdf
- https://static1.squarespace.com/static/5fc0c67840f1034a5ca82603/t/5fc6e480efc65c5b7a3352ac/1606870144393/tunnel_color_2.pdf
- https://static1.squarespace.com/static/5fc316c9a5bc066edfb3e2e2/t/5fc838826652ad59ec20d85e/1606957188020/knights_inn_traverse_city_traverse_city_mi.pdf
- https://s3.amazonaws.com/dujepav/13124596641.pdf
- https://s3.amazonaws.com/degagaziv/they_ask_you_answer_audiobook.pdf
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe29e2f8cdb769c6ace9a4/1606298099315/child_labor_exploitation_solutions.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00013eee.binc76e5cb0b6434de21afa257876b246c2ec9654abfa4af507d8e96486d50349d2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13EEE | 5280 bytes |
font_01_sfnt_off000150ea.bine46a077a28786d0852ed4bd6dd41d09152dd4094c688982bc653b4ba7a886dc1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x150EA | 10796 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.