MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that directs users to a suspicious domain, likely as part of a phishing or malware distribution scheme. No scripts were extracted, but the presence of an external URI and the ML/ClamAV detections strongly indicate malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafficel.ru/strik?utm_term=black+wall+street+book+pdf PDF link annotation
- https://cdn-cms.f-static.net/uploads/4465908/normal_5fa303b139f28.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4467285/normal_5fa33cbe64b23.pdfIn PDF document text
- https://wazemuguv.weebly.com/uploads/1/3/4/4/134489137/396151.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/7dd4544c-7e0f-4d7d-a6fb-4a61ecf9b50e/xabagajagop.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7075c591-810c-4386-b523-2c067f3c43be/64236084742.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/680ce34a-c3d0-46e5-92a2-c0247220dd35/93474960582.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c8f007c2-a940-48d5-8417-94734a190376/moxumegoranizizixap.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/67e5f86f-631b-4913-8f2c-4d9490806a89/vafimumijizakinuxagut.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/374936ad-a918-4370-bbbc-77fc44b74e7e/2018_911_gt3.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d557f0d0-a8f7-4ab3-afb8-433a1136d1de/caltrans_exam_study_guide.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c449.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC449 | 5492 bytes |
SHA-256: 8f0ce32465cf049766e69149c2d0c4c933f3d56c35f076414f86fd48f6fe2653 |
|||
font_01_sfnt_off0000d717.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD717 | 10692 bytes |
SHA-256: 0bde7d0f00be1168212e47f86f9a4df9aea8592d61d6b04f6609e8e4d28f6352 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.