MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by ML classifiers and ClamAV, with a specific detection name indicating it's a phishing trojan. The embedded URL points to a suspicious domain, likely serving as a lure for users searching for medical information. Although no scripts were explicitly extracted, the PDF structure and the presence of external URIs suggest an attempt to redirect the user to a malicious site, potentially for credential harvesting or further malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffe.ru/aws?utm_term=tratamiento+bacteriuria+asintomatica+embarazo+pdf PDF link annotation
- https://cdn-cms.f-static.net/uploads/4489247/normal_5fb77e9b1518d.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4375515/normal_5f91e64905d45.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4388406/normal_5f993e018afd5.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4385647/normal_5fa86ce43c64b.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4412902/normal_5fa5ef7d0ce78.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/836ffd3b-c4a1-4b32-81c3-42430eef2c56/toxugopufarewevilezon.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/afa9a903-d830-4f69-a3b3-b30c3104059a/zabixevusewetipewozogu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e905c05a-2583-45c4-a59a-cfc6210f2354/sayoko_social_link.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d2eb6cd1-cd0c-4249-b3b5-9c382842000f/doordash_background_check.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/10df4534-161f-48cf-8d24-7a2d804f4567/87988061361.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/188ad15a-ed60-4697-ab86-2d739e86f2d3/sonic_heroes_gamecube_cheats.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d393.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD393 | 5408 bytes |
SHA-256: 28eac04113870ed0e1e3c9e165545c192ae40a96a685a351751f99d133b1bead |
|||
font_01_sfnt_off0000e5df.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE5DF | 11528 bytes |
SHA-256: 3fa6b5c570d7d9faa06dda96c33ff559e1eb0cb8426fe1f3cd2ea5afd465c89b |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.