MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. The embedded URLs suggest the document is part of a phishing campaign, likely attempting to trick users into downloading further malicious content. No scripts were extracted, but the PDF structure and embedded URLs point towards a malicious intent to distribute malware or phish for credentials.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://xn--78-6kce7dfhb9dwb.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/2e91e33fb09013b8ae0101b579bd043a/14283463846.pdf
- https://www.sussexweddingservices.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1606cb6a402857---75898023392.pdf
- https://izharfoster.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082fe56abb35---78204631935.pdf
- http://www.sunaryem.com.tr/wp-content/plugins/super-forms/uploads/php/files/tdd1uvb2utj9fqto7et4tuudg2/91500407018.pdf
- http://vdgairconditioning.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1606d51d49c198---98816535602.pdf
- https://www.traveltimevipp.com/wp-content/plugins/super-forms/uploads/php/files/8fa368a102c078b6cd648af4e2084ac1/41306194568.pdf
- https://www.goldenplanet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/1607086a582ef7---xitukuxebomagolabat.pdf
- http://xn--80aafkqcanfpgnhbng3b5i9a.xn--p1ai/pict/file/15057988259.pdf
- https://noddy.nu/images/file/siberetilevi.pdf
- https://alkhairi.co.uk/wp-content/plugins/super-forms/uploads/php/files/2f0b4c637353d619f896020f355a7b53/54509350225.pdf
- http://alpha-th.com/userfiles/file/remozekamudenuzir.pdf
- https://alutat.com/data/file/wogamu.pdf
- https://apparel.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/fe5b8c6de28b92bc6576e67e700847ab/xuwobeb.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://feedproxy.google.com/~r/Uplcv/~3/LPIa9PGmDLg/uplcv?utm_term=freepik+ppt+template
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000db30.bin6e2ef625a16ebbbbec2a2d3992c28ef537457b150fd8640152ac1cda6dd399f6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDB30 | 4808 bytes |
font_01_sfnt_off0000eb78.bin32faefcd2f3b9782b141fc601508ed356fcf66bf1c0db233a82ccc71ef9dea43 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB78 | 11236 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.