MALICIOUS
104
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file was flagged by a machine learning classifier and ClamAV as malicious, indicating a high likelihood of malicious intent. The presence of a 'download button' heuristic and embedded URLs suggests a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains keywords related to 'hidden photos' and 'password', further supporting a phishing lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://cdn-cms.f-static.net/uploads/4377403/normal_6031e958d4a5a.pdf
- https://cdn-cms.f-static.net/uploads/4382780/normal_5fd2d948b577c.pdf
- https://cdn-cms.f-static.net/uploads/4383795/normal_6029a73ceab74.pdf
- https://static.s123-cdn-static.com/uploads/4391303/normal_5feea385aee9c.pdf
- https://static.s123-cdn-static.com/uploads/4369784/normal_6001846a57576.pdf
- https://cdn-cms.f-static.net/uploads/4387060/normal_6018be42db355.pdf
- https://static.s123-cdn-static-d.com/uploads/4368777/normal_60b430f0f0522.pdf
- https://cdn-cms.f-static.net/uploads/4391599/normal_5fd6109088fe8.pdf
- https://static.s123-cdn-static.com/uploads/4382770/normal_5ff78ba051dec.pdf
- https://cdn-cms.f-static.net/uploads/4485828/normal_60697683a5e90.pdf
- https://cdn-cms.f-static.net/uploads/4369343/normal_6055875f444ac.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://feedproxy.google.com/~r/wb/ENAH/~3/kMuynZNWtA0/wb?keyword=hidden%20photos%20ios%20password
- http://xifatarege.pbworks.com/f/the_iliad_latin_text.pdf
- http://bujolajoxek.pbworks.com/f/parotuzogogewof.pdf
- http://neruwuk.pbworks.com/f/printable_calendar_2021_may_through_august.pdf
- http://mevuteled.pbworks.com/f/are_boltune_headphones_good.pdf
- http://noxiwako.pbworks.com/w/file/fetch/144506160/daxijegepitidofulaxa.pdf
- http://rozeluf.pbworks.com/w/file/fetch/144555489/gta_vice_city_kurtlar_vadisi_indir_tamindir.pdf
- http://wijozuzapusa.pbworks.com/w/file/fetch/144439248/lewis_dot_structure_for_iodine_ion.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000deba.bin0608d2d9015fff343073bfea1fa0a6cbaaa3dd118c4317016576461eabd93709 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDEBA | 5068 bytes |
font_01_sfnt_off0000effc.bin6ff3951eedd7b449c1e9cdf80a0ee2d122f37b4441d1de018d7e29a611c6d217 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEFFC | 11092 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.