MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains an embedded URL that, while labeled as benign in the provided context, is part of a larger heuristic firing indicating a malicious PDF. The ML classifier and ClamAV detection strongly suggest malicious intent. The presence of duplicate objects in the PDF structure is a known obfuscation technique used by malware authors. Although no scripts were explicitly extracted, the overall heuristics and detection point towards a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.8885
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://feedproxy.google.com/~r/razvivatel/yapz/~3/UQ8tT55rDuk/square?utm_term=pacific+warship+mod+apk+unlimited+money
- https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ed35e33489b768f16e561c/1626158563395/consent_letter_for_research_interview.pdf
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ec9484f83a7f26ecd1fad2/1626117252587/lunitemavobuwomu.pdf
- https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e91449854c1d3b34867f8c/1625887818122/buzile.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60e9658ac22c005c933ab297/1625908618853/39232655346.pdf
- https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e94100defa333328ab76e5/1625899264728/how_to_heal_upper_back_muscle_strain.pdf
- https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e8bde70c10021855970cf9/1625865703601/wojibolabulagaze.pdf
- https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e8647354aeb3784727f280/1625842803387/20050265909.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec93b4e0c99b3eb2d3df10/1626117045046/bank_bailout_cost_per_person.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000cd4d.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCD4D | 16792 bytes |
font_01_sfnt_off0000e564.bin95c69300fb669b26d2a8231a7102ef6952aca71cb2ca292d5de85a9fda291c74 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE564 | 11280 bytes |
font_02_sfnt_off0000ffc7.bin9d5144547e0b729630886a3ad3ce48e7da84b0115899dd9c2390406af6f0fecd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFC7 | 16092 bytes |
font_03_sfnt_off00011508.bind4d5a87b741cb6afa9499e7b050a77007b6910d227fae41a918dc53419b00741 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11508 | 16476 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.