Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains embedded URLs, with one prominent URL pointing to a suspicious domain ('trafffe.ru'). The document body, though heavily obfuscated, contains text related to 'Kwanzaa songs sheet music', suggesting a lure. ClamAV detection and ML classification strongly indicate malicious intent, likely for phishing or distributing further malware.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9997
Heuristics (4)

ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0

External URI (info, PDF_URI): PDF contains an external URL action.

Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): the same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.

Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- https://trafffe.ru/aws?utm_term=kwanzaa+songs+sheet+music
- https://cdn-cms.f-static.net/uploads/4378848/normal_5f8db3ab6c8f3.pdf
- https://cdn-cms.f-static.net/uploads/4411717/normal_5fb4d9f0a4631.pdf
- https://cdn-cms.f-static.net/uploads/4378608/normal_5fc14b00d74ed.pdf
- https://cdn-cms.f-static.net/uploads/4366625/normal_5f871c2d9ba09.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://s3.amazonaws.com/pozokimepe/48380788139.pdf
- https://uploads.strikinglycdn.com/files/ffe1a244-edf3-49a3-ad4b-8f8640d6fb79/female_chastity_belts.pdf
- https://uploads.strikinglycdn.com/files/e6824bc9-3ff9-4198-9d04-00c0983bb769/lara_croft_guardian_of_light_mod_apkdata.pdf
- https://uploads.strikinglycdn.com/files/47cddc0f-9d90-425d-8fff-7fa593b0b879/yahoo_messanger_with_voice.pdf
- https://uploads.strikinglycdn.com/files/17ead956-b97b-41be-a34a-fea1368f6391/cody_louque_so_long.pdf
- https://uploads.strikinglycdn.com/files/82ec02b8-0281-42e6-9a1c-e24bb1dd2b12/7235017890.pdf
- https://uploads.strikinglycdn.com/files/98bfacaf-2450-436b-bfc4-0ef1becd4f7b/harry_potter_horcrux.pdf
- https://uploads.strikinglycdn.com/files/bd2f8f0e-a8aa-4c00-94e6-829182418b12/vanuxizovosiluriju.pdf
- https://uploads.strikinglycdn.com/files/7082b7b8-72ef-4f88-8fe7-9507de5033ec/1st_2nd_3rd_4th_estates.pdf
- https://uploads.strikinglycdn.com/files/cdc030c0-c7c8-45fa-a722-54603ef6c0cf/66383343192.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
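The duplicate-object heuristic above describes a parser-confusion shape: two definitions of the same `N G obj`, where a first-wins reader and a last-wins reader end up with different content. The following Python scanner is an added example, not code from the analyzer or from any PDF library. It walks a PDF's indirect objects with a regex, reports objects defined more than once with differing bodies, shows what each resolution policy would return, and escalates severity only when a conflicting body carries an action key, mirroring the rule the heuristic states. The sample PDF bytes, the URLs in them, the action-key list and the regex-based object walk are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict

# Indirect object definition "N G obj ... endobj". The body match is
# non-greedy, so a binary stream whose bytes happen to contain "endobj"
# would be cut short, and objects packed inside /ObjStm are not seen at
# all; a production scanner needs a real lexer for those cases.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)

# Assumed list of keys whose presence makes a duplicate "carry active
# content" (actions and triggers a viewer may execute on resolution).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|URI|Launch|OpenAction|AA|SubmitForm)\b")


def find_objects(data: bytes):
    """All (num, gen, body, offset) definitions, in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data: bytes):
    """(num, gen) -> [(offset, body), ...] for objects defined more than once
    with at least two distinct bodies. Byte-identical re-definitions, which
    ordinary incremental updates also produce, are not reported."""
    defs = defaultdict(list)
    for num, gen, body, off in find_objects(data):
        defs[(num, gen)].append((off, body))
    return {k: v for k, v in defs.items() if len({b for _, b in v}) > 1}


def resolve(data: bytes, num: int, gen: int, policy: str = "last"):
    """Body a scanning reader would use: the first definition in the file
    (first-wins) or the last one (last-wins). Returns None if undefined."""
    bodies = [b for n, g, b, _ in find_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def severity(bodies):
    """'warning' when any conflicting body has an action key, else 'info'."""
    return "warning" if any(ACTIVE_RE.search(b) for _, b in bodies) else "info"


def scan(data: bytes):
    """One finding per conflicting object, with both resolutions shown."""
    out = []
    for (num, gen), bodies in sorted(duplicate_objects(data).items()):
        out.append({
            "object": f"{num} {gen}",
            "definitions": len(bodies),
            "severity": severity(bodies),
            "first_wins": resolve(data, num, gen, "first"),
            "last_wins": resolve(data, num, gen, "last"),
        })
    return out


# Constructed sample: an original document followed by one incremental
# update. Object 1 is re-defined byte-for-byte (ignored), object 3 gets a
# body-only change with no action key ('info'), and object 4, the link
# annotation, silently changes its /URI target ('warning').
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://sheet-music.example/kwanzaa) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # --- incremental update appended after the first %%EOF ---
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    b" /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://lure.example/aws) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_PDF):
        print(f"obj {f['object']}: {f['definitions']} definitions, {f['severity']}")
        print("  first-wins:", f["first_wins"].decode(errors="replace"))
        print("  last-wins: ", f["last_wins"].decode(errors="replace"))
```

A conforming viewer does not scan for objects at all; it follows the cross-reference chain from the last trailer, so for an appended update it normally sees the last definition. Repair-mode parsers and many signature engines that walk the file linearly may stop at the first. That gap is what the heuristic is flagging: the content a scanner inspects can differ from the content the viewer renders, and the escalation rule keeps benign body-only updates (object 3 here) at informational severity while the re-targeted link (object 4) is raised.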
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000ecd3.bin | 43a445a2f0004c5e9c1b0a44d572143cc3e855a47e6b93e8501e5b6a71c216e4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xECD3 | 5076 bytes |
| font_01_sfnt_off0000fe14.bin | ad3a60039ce64978fcef1124291bc14562bda29c5a665f3b5c90b7b7dadf1a9c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE14 | 11404 bytes |
| font_02_sfnt_off0001237f.bin | 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1237F | 4324 bytes |