Verdict: MALICIOUS
Risk Score: 196
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains an embedded JavaScript payload, indicated by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristic and the 'embedded_pdf_script_0000993b.bin' artifact. This script is likely responsible for downloading and executing a second-stage payload from a remote URL, as suggested by the 'SE_LOLBIN_RUN_COMMAND' heuristic referencing 'powershell.pdf' and a striking.ly URL. ClamAV detection further confirms its malicious nature, classifying it as 'Pdf.Phishing.Trojan'.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (7)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Embedded script payload in PDF stream (high, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
- LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs
- https://trafficel.ru/aws?utm_term=android+studio+gitignore (PDF link annotation)
- https://cdn-cms.f-static.net/uploads/4474446/normal_5fae0dfbcd0e7.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4499635/normal_5faeaa9b4f10d.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4383915/normal_5f8ddb244c0f6.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/134316c4-744e-47db-b480-ca08b31e3f7c/rijut.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c2a6494a-3631-4f72-9051-348999088be6/14759634592.pdf (in PDF document text)
- https://s3.amazonaws.com/kudefem/solut.pdf (in PDF document text)
- https://s3.amazonaws.com/zamuriza/telujarel.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/b97b9f07-2951-40a0-acd3-0ea2e8151b86/37445710562.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/fa7f126f-5c5a-4439-a9cb-d19fda2eb6fb/75530147078.pdf (in PDF document text)
- https://s3.amazonaws.com/ganubifirigevi/cdf_to_discrete.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/d6e27874-d7fb-43da-a221-8b7845566887/p2135_chevy_aveo.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/85d08d73-af22-4f02-bccc-2e4dfccbe09a/96894067445.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/02fc7d37-4070-4e1d-b46b-633bea4ec941/kivinomozov.pdf (in PDF document text)
- https://s3.amazonaws.com/voxazedisula/export_groups_powershell.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/02dc8edc-9ed4-4579-a4df-2aa9fe1cf05d/tidunukuk.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/0a56e3ff-8109-4b6a-9d57-ab96749d6821/tujogozibenifukunapupil.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- https://uploads.strikinglycdn.com/files/02dc8 (in macro / runtime command snippet; URL truncated as extracted)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_pdf_script_0000993b.bin | pdf-embedded-script | PDF decompressed stream script payload at offset 0x993B | 62407 bytes | 79d2db5db9b467bc7df509a49b6ada8a7d0f06afcaffb359f25560f99f6ca5ea |
| font_00_sfnt_off0000b4f0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB4F0 | 4740 bytes | 8101d8176d515edae26f51fc065d5fd51d67565c6a65459116b79dd0de8c7e24 |
| font_01_sfnt_off0000c520.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC520 | 9964 bytes | 80b5387f9a5e8eb51335053a258bedeaab02e060ace3bf312cd73ecbc2d01e33 |

Detection for embedded_pdf_script_0000993b.bin
- ClamAV: No threats found
- Obfuscation or payload: likely
- Carved artifact contains 1 shell/COM execution token(s).

Preview script (first 1,000 lines of the extracted script)

```
%PDF-1.4
1 0 obj
<<
/Title (�� A n d r o i d s t u d i o g i t i g n o r e)
/Creator (�� w k h t m l t o p d f 0 . 1 2 . 5)
/Producer (�� Q t 4 . 8 . 7)
/CreationDate (D:20201118035357+02'00')
>>
endobj
3 0 obj
<<
/Type /ExtGState
/SA true
/SM 0.02
/ca 1.0
/CA 1.0
/AIS false
/SMask /None>>
endobj
4 0 obj
[/Pattern /DeviceRGB]
endobj
6 0 obj
<<
/Type /XObject
/Subtype /Image
/Width 625
/Height 155
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Length 7 0 R
/Filter /DCTDecode
>>
stream
% [binary DCTDecode (JFIF) image stream bytes omitted from this preview]
... (truncated)
```