MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The ML classifier and ClamAV detection strongly indicate maliciousness. The heuristic 'SE_CLIPBOARD_COMMAND_LURE' suggests the document instructs the user to paste content into a command-line interface, a common tactic for executing malicious commands. The embedded URL points to a suspicious domain, likely serving as a download source for a secondary payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jacksth.ru/wix?keyword=step+2+mailbox+installation
- http://ultra0.space/repevobosaluxaxuj4dwbb.pdf
- https://cdn-cms.f-static.net/uploads/4457006/normal_6019730482cad.pdf
- http://ru-en.xyz/django_model_to_dict_templatesl7rz.pdf
- http://podeves.xyz/sky_force_game_2004urxr9.pdf
- https://static.s123-cdn-static.com/uploads/4459185/normal_5feb9269b63bb.pdf
- https://cdn-cms.f-static.net/uploads/4404515/normal_601095b21029e.pdf
- http://iblack.space/fancy_text_cool_font_generator_apke7yi4.pdf
- http://unosital.space/1487922480jzs0i.pdf
- http://latencfsrt.space/82440879672sljrn.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://milodip.epizy.com/29221352748.pdf
- http://bikufupok.rf.gd/diablo_2_rune_hunting_guide_1._13.pdf
- https://s3.amazonaws.com/mojivikapeti/platform_shoes_white_cheap.pdf
- http://sofidubanelen.epizy.com/67104138282.pdf
- https://s3.amazonaws.com/tidigudetefumof/wood_cad_cam_software_free.pdf
- http://xutakubu.epizy.com/16736951839.pdf
- https://s3.amazonaws.com/novifamigot/bossy_verbs_worksheet_ks2.pdf
- https://s3.amazonaws.com/lukepepe/adzan_merdu_bikin_nangis.pdf
- http://gowasofejav.rf.gd/22264252737.pdf
- https://s3.amazonaws.com/pevuwarobuvowa/free_guide_book_new_york_city.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eaf1.bin7770534cccc0a95d175429fc73e5944a2d5d91db518e11751f340edb1acd644f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEAF1 | 5312 bytes |
font_01_sfnt_off0000fcf1.bineed1de62389cf8eacda44d6e7795e779d8f96ed866f589845f08324a525dc3ca |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCF1 | 10276 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.