MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. The embedded URL and document body suggest a lure related to software serial numbers, likely intended to trick users into downloading a payload. The file's metadata indicates it was generated by wkhtmltopdf, a tool often used to create PDFs from web content, which can be abused for malicious purposes.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- https://laborke.ru/pbw?utm_term=paperport+14+serial+number
- https://static.s123-cdn-static.com/uploads/4417995/normal_60053c5d1c67e.pdf
- https://cdn-cms.f-static.net/uploads/4366040/normal_6044d4c5c8daf.pdf
- https://cdn-cms.f-static.net/uploads/4409118/normal_603f195be6fdd.pdf
- https://static.s123-cdn-static.com/uploads/4452161/normal_5fee6fca5d346.pdf
- https://cdn-cms.f-static.net/uploads/4383801/normal_60126dba2891a.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://ziduzobif.pbworks.com/w/file/fetch/144436407/dagikukegenoniju.pdf
- https://uploads.strikinglycdn.com/files/5d6d11b6-7b64-45b6-8e15-f336ae23cf4a/hunter_xcore_irrigation_controller_perth.pdf
- http://mifimoruzuwo.pbworks.com/f/k53_road_signs.pdf
- https://uploads.strikinglycdn.com/files/0b8143d3-bc98-4a42-a21d-12c34bcb317f/41491510537.pdf
- https://uploads.strikinglycdn.com/files/0b3527de-a918-46e5-ae4d-aa9c747f3a9e/12017535065.pdf
- http://nilanom.pbworks.com/f/donadorubinigije.pdf
- http://xedidovetaw.pbworks.com/w/file/fetch/144412518/54740183798.pdf
- http://foziwedugumu.pbworks.com/w/file/fetch/144432867/4022717107.pdf
- https://uploads.strikinglycdn.com/files/d36dcb7e-2cb2-4061-b060-622c0cd8408e/pemun.pdf
- https://uploads.strikinglycdn.com/files/b2ac2320-082c-4458-9866-b7f16894874f/can_a_jeep_grand_cherokee_pull_a_trailer.pdf
- https://uploads.strikinglycdn.com/files/11e4fe73-be86-4685-9d37-9997d0a4051e/sawezovesegatoko.pdf
- http://fosirodovo.pbworks.com/f/36_questions_to_fall_in_love_ted_talk.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000cfd7.bin (hash d644c66209c1e849b696f3148a60250bc6e25c1f8481dbb3b901c6383a39aaf5) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCFD7 | 5244 bytes |
| font_01_sfnt_off0000e197.bin (hash d4a9229199a9eaf22b8f68e77f5b3a1b848bdd2b586f51cd2695d258e209f43d) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE197 | 10084 bytes |