MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains an embedded URL that redirects to a suspicious domain, disguised with search query parameters. This URL is likely intended to lead the user to a phishing or malware distribution site. The ML classifier and ClamAV detection strongly indicate malicious intent, consistent with a phishing lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9983
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafficel.ru/aws?utm_term=short+black+formal+dresses+australia PDF link annotation
- https://cdn-cms.f-static.net/uploads/4393041/normal_5fb7347015d56.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4417997/normal_5fba66701db87.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4447280/normal_5fc7e209acc9c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4470014/normal_5fd6e54652049.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4375515/normal_5f91e1dca016d.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/rovuweraja/one_step_at_a_time_sayings.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cfd9a5f9-3b4b-4ea5-a8b6-0ee8fa8a8ebd/vewuvufekukawonover.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d1fd3a28-1ab1-48f9-9354-39317a0c36b0/85966902359.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/643250ce-d363-4b3d-8db4-a13bd8a23cb8/dinatajofumusev.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/35b8d881-91bb-4aec-9fc0-b57bb6522202/3563985251.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d7040182-2eae-4802-a512-ef9d7e1a81a0/jadeburezababititi.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00023e2b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x23E2B | 5568 bytes |
SHA-256: 8a3cad0a26c396588df42d084cf15deef86bd1bbec91826ecfec71df9e4b3b31 |
|||
font_01_sfnt_off000250ec.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x250EC | 10532 bytes |
SHA-256: dd3c402a04d5973c6474493ee05245e1c5ff807a60f1eced785b4c98d2f3a03b |
|||
font_02_sfnt_off00027523.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x27523 | 16084 bytes |
SHA-256: 5f2334adde50bf49c252c123aa3e2795cb6edd9a74beaf110363d0b6a67115f7 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.