MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The embedded URL points to a suspicious domain, suggesting it is used to deliver a payload or conduct phishing. Although no scripts were explicitly extracted, the PDF structure and the presence of external URIs are common in phishing and malware delivery campaigns.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffset.ru/123?utm_term=thee+midniters+land+of+a+thousand+dances
- https://static.s123-cdn-static.com/uploads/4443602/normal_5fc4bbe58a7b5.pdf
- https://cdn-cms.f-static.net/uploads/4370051/normal_5f9fdef8bea1c.pdf
- https://cdn-cms.f-static.net/uploads/4419642/normal_5fa048dbc6a76.pdf
- https://cdn-cms.f-static.net/uploads/4481699/normal_5fb61bc245c1c.pdf
- https://static.s123-cdn-static.com/uploads/4402503/normal_5fcf2d871b722.pdf
- https://cdn-cms.f-static.net/uploads/4422909/normal_5f9c4f31ba3f0.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fc5d94b0b6b03258f574640/t/5fc602d518e72e5fdba5e79c/1606812374225/velveeta_broccoli_cheese_soup_with_carrots.pdf
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbf64cd4e98326c02088fd0/1606378701722/82470595129.pdf
- https://static1.squarespace.com/static/5fc0055e5687f52b6b7c450a/t/5fc12091e6d49a06bbba1e06/1606492305808/levufonefujug.pdf
- https://static1.squarespace.com/static/5fc10ac260f2895dc1e8a19d/t/5fc23bb52dd96f5918389e46/1606564790150/nudujiwofojejunude.pdf
- https://s3.amazonaws.com/tokafanawa/6380409731.pdf
- https://s3.amazonaws.com/mufukep/call_tapping_app_for_android.pdf
- https://static1.squarespace.com/static/5fc6f486791da6493f678260/t/5fcedac164290b1c3dc72d39/1607391956269/az_screen_recorder_no_root_apk.pdf
- https://static1.squarespace.com/static/5fc0eb79e5c7695ca99bb922/t/5fc0f61708845d0924aca977/1606481432568/should_this_dog_be_called_spot_answers.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000cc00.bin5ae030cd5cd8f270d0aad51e6a29118f269e3c01094a83ba097ec40f225564a9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCC00 | 5208 bytes |
font_01_sfnt_off0000dd86.bina4a8c16644cdbb1f720ee1bb26b828487f181e115b308bfffd40cc06d98dc184 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDD86 | 10916 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.