MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by ML classifiers and ClamAV, specifically as a PDF phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to host a malicious payload or redirect the user to a phishing site. The document body, though heavily obfuscated, contains references to 'Pictoword' and 'wkhtmltopdf', suggesting a lure to trick users into clicking the malicious link.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffe.ru/strik?utm_term=pictoword+level+67-+100 PDF link annotation
- https://cdn-cms.f-static.net/uploads/4374198/normal_5f9a52189e30c.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4374185/normal_5fc79793d7947.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4388413/normal_5f91fc0ea4d28.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/zuvovoxigumuz/blackberry_key2_dual_sim_manual.pdfIn PDF document text
- https://s3.amazonaws.com/serogajugomiji/27222687359.pdfIn PDF document text
- https://s3.amazonaws.com/kovezodepugov/mifipag.pdfIn PDF document text
- https://s3.amazonaws.com/muxegeza/kobulotajari.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e90a7f33-db4b-40e8-b4d9-74aa3dace304/bruce_lee_self_defense.pdfIn PDF document text
- https://s3.amazonaws.com/rogugagatuf/fufewovi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a0c6bf09-c6e5-4f3a-b0af-96ce8eb9e22b/nmc_horizon_report_2020.pdfIn PDF document text
- https://s3.amazonaws.com/gurowozenupifi/xakenozalal.pdfIn PDF document text
- https://s3.amazonaws.com/limewub/florence_al_shopping_guide.pdfIn PDF document text
- https://s3.amazonaws.com/kefefetafij/salutiniwomitiwesijap.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000b9dc.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB9DC | 5156 bytes |
SHA-256: 9bb6a1f0797a870ef26c5d55565fbdf4f19d4fd368228211482dfddcbb6949d1 |
|||
font_01_sfnt_off0000cba4.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCBA4 | 9948 bytes |
SHA-256: f7dc943cf61cd8d59fc05d8e1e1d476872a5ce9f81dd3ad464ebfea0f2496a2e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.