MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The file is identified as malicious by ML classifiers and ClamAV, with a high-confidence heuristic indicating an advance-fee scam lure. The document body, though heavily obfuscated, contains references to 'continuation sheet fillable' and appears to be generated by wkhtmltopdf, suggesting it's a crafted lure. The embedded URL points to a suspicious domain, likely part of the scam infrastructure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffking.ru/aws?utm_term=da+3161+continuation+sheet+fillable
- https://static.s123-cdn-static.com/uploads/4481528/normal_5ff5537ada560.pdf
- https://wevinavuligi.weebly.com/uploads/1/3/4/5/134505150/6537660.pdf
- https://cdn-cms.f-static.net/uploads/4504922/normal_5fdc02fd2e234.pdf
- https://static.s123-cdn-static.com/uploads/4450337/normal_5ff1048cd7d55.pdf
- https://static.s123-cdn-static.com/uploads/4379476/normal_5fca2a99337d6.pdf
- https://cdn-cms.f-static.net/uploads/4479435/normal_5fa6eff94fb04.pdf
- https://keregejuvuja.weebly.com/uploads/1/3/4/3/134345288/003d3c845f.pdf
- https://rugazodexozapef.weebly.com/uploads/1/3/4/4/134480570/1662355.pdf
- https://static.s123-cdn-static.com/uploads/4410415/normal_5ff4f20bc8e4f.pdf
- https://cdn-cms.f-static.net/uploads/4379483/normal_5fdb3db963e0f.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/1b36e25e-6ee8-4a06-878b-4356e7149077/call_and_sms_blocker_free_download.pdf
- https://uploads.strikinglycdn.com/files/0aa77947-e0cd-4198-a9b7-792708187ab8/fujajigovi.pdf
- https://uploads.strikinglycdn.com/files/34cbe1fa-97a4-4573-b27e-0dd6f93268be/84397512489.pdf
- https://s3.amazonaws.com/woxotopapozokev/free_website_templates_for_online_examination_system.pdf
- https://uploads.strikinglycdn.com/files/b4ef1ee4-5b81-4004-972e-4a0add7080fa/mubivewefu.pdf
- https://s3.amazonaws.com/jumedemimo/sagosagafutinivaref.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fa4c.bine2b3bd5ff353b96544aa18901bda45b49ec577fbab3e9e783ed6d708857b40f7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA4C | 5384 bytes |
font_01_sfnt_off00010ca9.bine0b5ae96c73c343ca680fa7ecf0f78e2b6c902f49570564aa427d4825205f00f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10CA9 | 11436 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.