MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by ClamAV and an ML classifier as malicious, with a high risk score. It contains an embedded URI pointing to 'trafffe.ru', which is likely a phishing or malware distribution site. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'Hbo real sex'. No scripts were extracted, but the presence of an external URI and the malicious verdict strongly suggest a phishing or malware delivery attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffe.ru/123?utm_term=hbo+real+sex PDF link annotation
- https://winomumamo.weebly.com/uploads/1/3/1/0/131070375/gizaxuwivarurevaf.pdfIn PDF document text
- https://lopinelu.weebly.com/uploads/1/3/4/3/134369173/7b48d6d64f71ef6.pdfIn PDF document text
- https://tolajugim.weebly.com/uploads/1/3/4/6/134647220/7594332.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4450907/normal_5fcb3ffa28c74.pdfIn PDF document text
- https://kerumeso.weebly.com/uploads/1/3/4/6/134641164/428acd67c1.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/2e90af31-6b37-45b2-93a7-43474f64edc6/the_fine_art_of_small_talk_debra_fine.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc2de6511f6a41984928cab/t/5fcb98546e74d26c6f01c1e8/1607178325524/35492351306.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a3874686-ecab-467d-a375-b7f1df92d8d0/kugizujasof.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc5386f3dfdd95b60f16c7a/t/5fca19fe9309303fb838589a/1607080448472/nasajepogumupogukofemul.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8b898867-0b3d-4be8-9e02-1f0d0f2e04f4/xixonowegure.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc06ef3116eb00e3c49974f/t/5fc1272bfa04221c7149127c/1606493995889/a_wall_of_fire_rising_theme.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d165.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD165 | 6892 bytes |
SHA-256: 602f3d6f091c24e24ba37f03bdeacd9e7c67e32e828a06abc16bdbcd26aedd41 |
|||
font_01_sfnt_off0000e895.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE895 | 4848 bytes |
SHA-256: 7d5feacef504cc48ec7b3994ba39d8d4d5caaac9206067eb5a98a18725255614 |
|||
font_02_sfnt_off0000f91d.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF91D | 11340 bytes |
SHA-256: 1d18b263867f52fa925d146d524862c9d6afe20127ff455a0b3ea92d9db91867 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.