MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is a PDF document that contains an embedded URL leading to a suspicious domain. ClamAV and ML classifiers flagged this file as malicious, specifically as a phishing trojan. The document body, though partially corrupted, suggests a lure related to 'dragon ball z androide 18' to entice users to click the malicious link.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafficel.ru/aws?utm_term=fotos+de+dragon+ball+z+androide+18 PDF link annotation
- https://cdn-cms.f-static.net/uploads/4454163/normal_5fb68487e3dd5.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4403415/normal_5f90f1d9ef041.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4379471/normal_5fc8d14b41d33.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/b018dc94-2c49-4858-acba-648ab52c8303/87072475039.pdfIn PDF document text
- https://s3.amazonaws.com/wolina/gorigipasasurak.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d6be88e5-c757-4713-8322-31d6820289c1/tewidaputorumupupapagevi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1939f59b-105b-48c6-8af8-823062f74534/50191288574.pdfIn PDF document text
- https://s3.amazonaws.com/foneniz/words_with_aoi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fe52c099-ec01-478d-9794-9edc10571447/9137860625.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc19ff392c50b1a1e7ca808/t/5fc60b6d3485235c8695f6ff/1606814581179/53671524305.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc1c697bda9c57a97c4683c/t/5fc78da34f9413233b2503cf/1606913444306/horror_movie_trivia_questions_and_answers_printable.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c0d1.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC0D1 | 3540 bytes |
SHA-256: 89859cea2c4dd5a60d91c242ae75bd2c6edea97abc3e7feb910ec8be36784639 |
|||
font_01_sfnt_off0000cd64.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCD64 | 5384 bytes |
SHA-256: 7892f1422f4bf3bf71f07ec9b33a2dab8406b928788e075be7513bba1c9b6003 |
|||
font_02_sfnt_off0000dfc5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDFC5 | 10468 bytes |
SHA-256: d74819cb7ae096e60b27cba609c55140abb9055e7ebd26099627855231151545 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.