MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'trafftec.ru', which is likely used to redirect the user to a phishing or malware-hosting site. The document body, though heavily obfuscated, contains text related to 'Michelin guide paris japanese', suggesting a lure to trick users into visiting the malicious URL.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafftec.ru/aws?utm_term=michelin+guide+paris+japanese PDF link annotation
- https://rugazodexozapef.weebly.com/uploads/1/3/4/4/134480570/7931315.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4459055/normal_5fa51a30430a7.pdfIn PDF document text
- https://nidiladidubupa.weebly.com/uploads/1/3/4/7/134753920/nanakezi.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4414679/normal_5f9cff4a57479.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4379726/normal_5f9b1f8642df9.pdfIn PDF document text
- https://fabuxitewuf.weebly.com/uploads/1/3/4/3/134349615/dc4d9f62.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/d99f4826-9bfe-4aa7-8046-99a8164d8775/39802388247.pdfIn PDF document text
- https://s3.amazonaws.com/ligole/35866051780.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/927f2341-b2bc-4e11-a8ae-f0ed1d4b21fb/dopejipadurijidudiru.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e37579a0-696a-4e9d-8b69-09e59209b44e/brinks_motion_security_light_manual.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fd7a178e-39bb-4421-9f61-6d116ebaa54a/nogebajexaxitobimojo.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2a20f7f4-af67-4dd1-b268-c3fb4eaf0773/gijivefipesixar.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1dcb8764-83ff-44f4-b36c-c59dc6310c56/nusemop.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000bc4e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBC4E | 5416 bytes |
SHA-256: 6dfb795ff3f9b594308c653a04c3b8f2673f08f9873dd8adfc0cbaf99e7d8d10 |
|||
font_01_sfnt_off0000cec3.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCEC3 | 9996 bytes |
SHA-256: d7d52a96f62b36623802be7a48e9c322ab24ea08580a98adbc386998cda5598a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.