MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The sample is a PDF file flagged by ClamAV as a phishing trojan. Heuristics indicate it contains an embedded URL and attempts to trick the user into executing commands via clipboard manipulation, a common technique for downloading and running further malicious content. While no scripts were directly extracted, the combination of the phishing lure and the embedded URL suggests a multi-stage attack.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffi.ru/aws?utm_term=chat+application+project+report PDF link annotation
- https://kotevopokevunab.weebly.com/uploads/1/3/4/5/134590751/gaxon-xusaw-zoxebejojagoj.pdfIn PDF document text
- https://lexezidelaxo.weebly.com/uploads/1/3/4/6/134605078/6216870.pdfIn PDF document text
- https://rikisuluwujufa.weebly.com/uploads/1/3/1/4/131452938/fuzejanitip.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/6ae742c9-d351-485f-95b1-01349880d05e/fortnite_scrim_naw_discords.pdfIn PDF document text
- https://s3.amazonaws.com/kaxukok/modiramuzizagibiboruroko.pdfIn PDF document text
- https://s3.amazonaws.com/fajixe/xozuzabogijavera.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e7c28369-a5d7-4016-8e17-7527fceb15fc/realtek_digital_output_no_surround_sound.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3da893a3-629c-4521-8910-70a6ce68c359/47907231303.pdfIn PDF document text
- https://s3.amazonaws.com/xezujuxoz/amor_de_verdade_musica.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/bc3dbeeb-f842-488e-a781-a9c7971e6bb8/malipo.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2d824261-7cf4-4443-8932-c985fc140795/kiliferem.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e9c3.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE9C3 | 4824 bytes |
SHA-256: 84d0cae19cd242c71fb864ae66a9add4659efbf34994a0357841bf283ae8fb75 |
|||
font_01_sfnt_off0000fa24.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA24 | 11028 bytes |
SHA-256: d0d15f9b5ed45ef6e1946c3d3f4a269f7651af2775251efd83ccea16cc21114d |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.