MALICIOUS (Risk Score: 96)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains an embedded URL that advertises a hack for a mobile game, likely as a lure for users to download a malicious payload. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URI are indicative of a phishing campaign.
Machine Learning
- Nyx PDF Classifier malicious score 0.9986
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://trafftec.ru/strik?utm_term=download+head+soccer+hack+ios+no+jailbreak (PDF link annotation)
  - https://static.s123-cdn-static.com/uploads/4407781/normal_5fe18afec3549.pdf (in PDF document text)
  - https://zalawevovupat.weebly.com/uploads/1/3/0/9/130969727/6506817.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4448347/normal_5fbf19c8e7954.pdf (in PDF document text)
  - https://xifobosakup.weebly.com/uploads/1/3/2/8/132815359/9129687.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4490917/normal_5fae2816e5284.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4416787/normal_5fb00a86f2529.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://s3.amazonaws.com/jeromopelurab/kefevefedesig.pdf (in PDF document text)
  - https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbd1f17f4403c7016359f97/1606229784308/tao_of_badass.pdf (in PDF document text)
  - https://static1.squarespace.com/static/5fe04b055b7bc96605619f00/t/5fe074aba478394ebcd37a9d/1608545452534/wolf_fursuit_template.pdf (in PDF document text)
  - https://static1.squarespace.com/static/5fdd55bb6394b41d64250a19/t/5fdda16a463d3b6c6f234837/1608360299429/36195505276.pdf (in PDF document text)
  - https://s3.amazonaws.com/posufij/lexevawupo.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001ffc4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1FFC4 | 3016 bytes | 8fe238d4efa118d1e805f072976fe3c461391de55fefcb4facfc8f71fb735506 |
| font_01_sfnt_off00020a7f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x20A7F | 5396 bytes | beedee6ef0e90a38f60e15df29cd23a04b41a493856a94b6a9fc3ed854f763ea |
| font_02_sfnt_off00021ce8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21CE8 | 12812 bytes | c89a376477da2de6f6e901d4cbe253f7dfd848a8c1cd5405bb730eb875e50ed1 |