Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. The embedded URL `https://druttle.ru/123?utm_term=horde+leveling+guide+warmane` is suspicious and likely leads to a malicious payload or phishing page. The document body, though heavily obfuscated, contains references to 'Horde leveling guide warmane', suggesting a social engineering pretext.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (4)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://druttle.ru/123?utm_term=horde+leveling+guide+warmane
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash (SHA-256) | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000e5df.bin | 2e9487bf8f32e6ed10be74d3d9d5ed85f203888874c0b3ba26cab6c4b4f6bcce | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE5DF | 5080 bytes |
| font_01_sfnt_off0000f724.bin | f3dc4a7922d78c414286e8af20d48e19ef93ef00015dcf572cebdb035f7e31f6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF724 | 10520 bytes |