MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The file is a PDF that uses a social-engineering lure to trick the user into installing a browser extension or update, a common method for malware delivery. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded URL points to a suspicious domain, likely serving as a download or redirection point for a malicious payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffking.ru/aws?utm_term=adobe+pdf+xi+pro
- https://cdn-cms.f-static.net/uploads/4501659/normal_5fb876e3d8581.pdf
- https://cdn-cms.f-static.net/uploads/4426690/normal_5fa415537b4d7.pdf
- https://cdn-cms.f-static.net/uploads/4388420/normal_5fbb4ee5ad150.pdf
- https://cdn-cms.f-static.net/uploads/4369779/normal_5f87ec4039382.pdf
- https://cdn-cms.f-static.net/uploads/4412762/normal_5f936c0da49c2.pdf
- https://cdn-cms.f-static.net/uploads/4389616/normal_5fac554a9cbfc.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/5092c227-3f5f-40ac-a774-38616466607e/the_conjuring_2_free_download.pdf
- https://uploads.strikinglycdn.com/files/bddc6af2-c87b-4d71-970d-7b30bf0f147d/70838742555.pdf
- https://uploads.strikinglycdn.com/files/d86a3cbc-d766-46e7-9dad-79f4b91a8c58/walunet.pdf
- https://uploads.strikinglycdn.com/files/f08849da-94d8-48f1-b027-5861f7822d6e/xodijexibavowa.pdf
- https://uploads.strikinglycdn.com/files/c7e8ae29-fa03-4b33-a825-fd4b01ba0fa1/to_powerpoint_video.pdf
- https://s3.amazonaws.com/nokiva/boy_scout_uniform_type_b.pdf
- https://uploads.strikinglycdn.com/files/46edf10f-79fa-4cf9-bb09-aa587d3146c1/77105406786.pdf
- https://uploads.strikinglycdn.com/files/dc91952d-6389-48e2-82ec-279087092e08/gikovituxavodazis.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000110f4.bin78bcd370cc443e4876d49848ecdcb6a614a807d74294c44d0937f82d4de68d1a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x110F4 | 4812 bytes |
font_01_sfnt_off00012168.bin9d3d1ada60020e01f0aa9bdf487e508833a137ab5de9fc2ad5340a0bb1629300 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12168 | 11084 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.