MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is a PDF containing an embedded URL that points to a suspicious domain, traffking.ru. ClamAV and an ML classifier flagged this PDF as malicious, specifically as a phishing trojan. The document body, though heavily obfuscated, contains strings related to the URL, suggesting a lure to a malicious site.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffking.ru/123?utm_term=ancient+warfare+2+minecraft+siege
- https://cdn-cms.f-static.net/uploads/4366040/normal_5fb69fb520709.pdf
- https://cdn-cms.f-static.net/uploads/4482215/normal_5fb49ef94c869.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fced1f15b099b259a748df4/t/5fd01f85c0a29916a560032a/1607475078037/86140683848.pdf
- https://static1.squarespace.com/static/5fc6a6afc6229360ecd4fc1b/t/5fcd2baf8a55f2188b81272b/1607281583732/zarudozulalul.pdf
- https://static1.squarespace.com/static/5fc6c827d32fb7060d0d779b/t/5fcbdb6633fb14715cc74128/1607195494952/xelukitelom.pdf
- https://s3.amazonaws.com/wovigebi/nofojijiwititi.pdf
- https://static1.squarespace.com/static/5fc0d4752bbd7406580625ec/t/5fc16058145a8629dce47cf0/1606508633571/vetafobapenuwimoti.pdf
- https://s3.amazonaws.com/jezobasit/animation_girl_wallpaper.pdf
- https://uploads.strikinglycdn.com/files/a47d16a3-a6f0-4662-8d62-cd732d410104/bugeperazetelopikudalofu.pdf
- https://static1.squarespace.com/static/5fc2a2022e34347c704f3ef4/t/5fd104a4fc3eb034b495b961/1607533733774/sneakers_inc_bham_ig.pdf
- https://static1.squarespace.com/static/5fc546b6a13a450bab114660/t/5fd06c7e5efba8153b23d4e7/1607494786255/52645019313.pdf
- https://static1.squarespace.com/static/5fc5608b68612547ed7bdbb0/t/5fd135d79deafa3d82cdc5f1/1607546329057/monster_jam_steel_titans_cheat_codes_switch.pdf
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbcf5518bc8713fe6fd0c38/1606219090829/janajoviwa.pdf
- https://static1.squarespace.com/static/5fbfceb2c14dfd36feeb11ef/t/5fc10094e18c5c478e1f74eb/1606484116713/vezudop.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d3d1.bin4dd5469978928d0d9baf11cc1c66b4c4c1a7002ec2141d820533859dc45bd376 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD3D1 | 5380 bytes |
font_01_sfnt_off0000e622.bin67080de91979f779e9c641006974903bd44f5568a832722af0e3498a0aff4132 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE622 | 10280 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.